diff --git a/argo/appproject-clusterresourceblacklist/kyverno-test.yaml b/argo/appproject-clusterresourceblacklist/kyverno-test.yaml
index 387eace1a..ae9c6d500 100644
--- a/argo/appproject-clusterresourceblacklist/kyverno-test.yaml
+++ b/argo/appproject-clusterresourceblacklist/kyverno-test.yaml
@@ -1,36 +1,42 @@
name: appproject-clusterresourceblacklist policies: - - appproject-clusterresourceblacklist.yaml +- appproject-clusterresourceblacklist.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: appproject-clusterresourceblacklist - rule: has-wildcard - resource: goodappproj01 - kind: AppProject - result: pass - - policy: appproject-clusterresourceblacklist - rule: validate-clusterresourceblacklist - resource: goodappproj02 - kind: AppProject - result: pass - - policy: appproject-clusterresourceblacklist - rule: has-wildcard - resource: badappproj01 - kind: AppProject - result: fail - - policy: appproject-clusterresourceblacklist - rule: has-wildcard - resource: badappproj02 - kind: AppProject - result: fail - - policy: appproject-clusterresourceblacklist - rule: has-wildcard - resource: badappproj03 - kind: AppProject - result: fail - - policy: appproject-clusterresourceblacklist - rule: validate-clusterresourceblacklist - resource: badappproj04 - kind: AppProject - result: fail +- kind: AppProject + policy: appproject-clusterresourceblacklist + resources: + - goodappproj01 + result: pass + rule: has-wildcard +- kind: AppProject + policy: appproject-clusterresourceblacklist + resources: + - goodappproj02 + result: pass + rule: validate-clusterresourceblacklist +- kind: AppProject + policy: appproject-clusterresourceblacklist + resources: + - badappproj01 + result: fail + rule: has-wildcard +- kind: AppProject + policy: appproject-clusterresourceblacklist + resources: + - badappproj02 + result: fail + rule: has-wildcard +- kind: AppProject + policy: appproject-clusterresourceblacklist + resources: + - badappproj03 + result: fail + rule: has-wildcard +- kind: AppProject + policy: appproject-clusterresourceblacklist + resources: + - badappproj04 + result: fail + rule: validate-clusterresourceblacklist
diff --git a/best-practices/add-network-policy/kyverno-test.yaml b/best-practices/add-network-policy/kyverno-test.yaml
index 48b76f924..916e05a6d 100644
--- a/best-practices/add-network-policy/kyverno-test.yaml
+++ b/best-practices/add-network-policy/kyverno-test.yaml
@@ -1,12 +1,13 @@
name: deny-all-traffic policies: - - add-network-policy.yaml +- add-network-policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-networkpolicy - rule: default-deny - resource: hello-world-namespace - generatedResource: generatedResource.yaml - kind: Namespace - result: pass \ No newline at end of file +- generatedResource: generatedResource.yaml + kind: Namespace + policy: add-networkpolicy + resources: + - hello-world-namespace + result: pass + rule: default-deny
diff --git a/best-practices/add-ns-quota/kyverno-test.yaml b/best-practices/add-ns-quota/kyverno-test.yaml
index f14004f4b..587c4c0dd 100644
--- a/best-practices/add-ns-quota/kyverno-test.yaml
+++ b/best-practices/add-ns-quota/kyverno-test.yaml
@@ -1,18 +1,20 @@
name: add-quota policies: - - add-ns-quota.yaml +- add-ns-quota.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-ns-quota - rule: generate-resourcequota - resource: hello-world-namespace - generatedResource: generatedResourceQuota.yaml - kind: Namespace - result: pass - - policy: add-ns-quota - rule: generate-limitrange - resource: hello-world-namespace - generatedResource: generatedLimitRange.yaml - kind: Namespace - result: pass +- generatedResource: generatedResourceQuota.yaml + kind: Namespace + policy: add-ns-quota + resources: + - hello-world-namespace + result: pass + rule: generate-resourcequota +- generatedResource: generatedLimitRange.yaml + kind: Namespace + policy: add-ns-quota + resources: + - hello-world-namespace + result: pass + rule: generate-limitrange
diff --git a/best-practices/add-safe-to-evict/kyverno-test.yaml b/best-practices/add-safe-to-evict/kyverno-test.yaml
index 7e1056a4a..542bfd8ba 100644
--- a/best-practices/add-safe-to-evict/kyverno-test.yaml
+++ b/best-practices/add-safe-to-evict/kyverno-test.yaml
@@ -1,28 +1,32 @@
name: add-safe-to-evict policies: - - add-safe-to-evict.yaml +- add-safe-to-evict.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-safe-to-evict - rule: annotate-empty-dir - resource: myapp-pod01 - kind: Pod - result: skip - - policy: add-safe-to-evict - rule: annotate-host-path - resource: myapp-pod02 - kind: Pod - result: skip - - policy: add-safe-to-evict - rule: annotate-empty-dir - resource: myapp-pod03 - kind: Pod - result: pass - patchedResource: myapp-pod03-patched.yaml - - policy: add-safe-to-evict - rule: annotate-host-path - resource: myapp-pod04 - kind: Pod - result: pass - patchedResource: myapp-pod04-patched.yaml +- kind: Pod + policy: add-safe-to-evict + resources: + - myapp-pod01 + result: skip + rule: annotate-empty-dir +- kind: Pod + policy: add-safe-to-evict + resources: + - myapp-pod02 + result: skip + rule: annotate-host-path +- kind: Pod + patchedResource: myapp-pod03-patched.yaml + policy: add-safe-to-evict + resources: + - myapp-pod03 + result: pass + rule: annotate-empty-dir +- kind: Pod + patchedResource: myapp-pod04-patched.yaml + policy: add-safe-to-evict + resources: + - myapp-pod04 + result: pass + rule: annotate-host-path
diff --git a/best-practices/check-deprecated-apis/kyverno-test.yaml b/best-practices/check-deprecated-apis/kyverno-test.yaml
index 5f9e0ab71..d9a8ccd1a 100644
--- a/best-practices/check-deprecated-apis/kyverno-test.yaml
+++ b/best-practices/check-deprecated-apis/kyverno-test.yaml
@@ -1,21 +1,24 @@
name: check-deprecated-apis policies: - - check-deprecated-apis.yaml +- check-deprecated-apis.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: check-deprecated-apis - rule: validate-v1-25-removals - resource: bad-cronjob - kind: CronJob - result: fail - - policy: check-deprecated-apis - rule: validate-v1-25-removals - resource: good-cronjob - kind: CronJob - result: skip - - policy: check-deprecated-apis - rule: validate-v1-29-removals - resource: bad-flowschema - kind: FlowSchema - result: fail \ No newline at end of file +- kind: CronJob + policy: check-deprecated-apis + resources: + - bad-cronjob + result: fail + rule: validate-v1-25-removals +- kind: CronJob + policy: check-deprecated-apis + resources: + - good-cronjob + result: skip + rule: validate-v1-25-removals +- kind: FlowSchema + policy: check-deprecated-apis + resources: + - bad-flowschema + result: fail + rule: validate-v1-29-removals
diff --git a/best-practices/disallow-cri-sock-mount/kyverno-test.yaml b/best-practices/disallow-cri-sock-mount/kyverno-test.yaml
index f14aaabc7..2c2c09107 100644
--- a/best-practices/disallow-cri-sock-mount/kyverno-test.yaml
+++ b/best-practices/disallow-cri-sock-mount/kyverno-test.yaml
@@ -1,36 +1,42 @@
name: disallow-cri-sock-mount policies: - - disallow-cri-sock-mount.yaml +- disallow-cri-sock-mount.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: disallow-container-sock-mounts - rule: validate-docker-sock-mount - resource: pod-with-docker-sock-mount - kind: Pod - result: fail - - policy: disallow-container-sock-mounts - rule: validate-containerd-sock-mount - resource: pod-with-docker-sock-mount - kind: Pod - result: pass - - policy: disallow-container-sock-mounts - rule: validate-crio-sock-mount - resource: pod-with-docker-sock-mount - kind: Pod - result: pass - - policy: disallow-container-sock-mounts - rule: validate-docker-sock-mount - resource: goodpod01 - kind: Pod - result: pass - - policy: disallow-container-sock-mounts - rule: validate-containerd-sock-mount - resource: goodpod01 - kind: Pod - result: pass - - policy: disallow-container-sock-mounts - rule: validate-crio-sock-mount - resource: goodpod01 - kind: Pod - result: pass +- kind: Pod + policy: disallow-container-sock-mounts + resources: + - pod-with-docker-sock-mount + result: fail + rule: validate-docker-sock-mount +- kind: Pod + policy: disallow-container-sock-mounts + resources: + - pod-with-docker-sock-mount + result: pass + rule: validate-containerd-sock-mount +- kind: Pod + policy: disallow-container-sock-mounts + resources: + - pod-with-docker-sock-mount + result: pass + rule: validate-crio-sock-mount +- kind: Pod + policy: disallow-container-sock-mounts + resources: + - goodpod01 + result: pass + rule: validate-docker-sock-mount +- kind: Pod + policy: disallow-container-sock-mounts + resources: + - goodpod01 + result: pass + rule: validate-containerd-sock-mount +- kind: Pod + policy: disallow-container-sock-mounts + resources: + - goodpod01 + result: pass + rule: validate-crio-sock-mount
diff --git a/best-practices/disallow-default-namespace/kyverno-test.yaml b/best-practices/disallow-default-namespace/kyverno-test.yaml
index ca318b9bc..53e3b33f3 100644
--- a/best-practices/disallow-default-namespace/kyverno-test.yaml
+++ b/best-practices/disallow-default-namespace/kyverno-test.yaml
@@ -1,28 +1,30 @@
name: disallow-default-namespace policies: - - disallow-default-namespace.yaml +- disallow-default-namespace.yaml resources: - - resource.yaml +- resource.yaml results: - # validate-namespace - - policy: disallow-default-namespace - rule: validate-namespace - resource: badpod01 - kind: Pod - result: fail - - policy: disallow-default-namespace - rule: validate-namespace - resource: goodpod01 - kind: Pod - result: pass - # validate-podcontroller-namespace - - policy: disallow-default-namespace - rule: validate-podcontroller-namespace - resource: baddeployment01 - kind: Deployment - result: fail - - policy: disallow-default-namespace - rule: validate-podcontroller-namespace - resource: gooddeployment01 - kind: Deployment - result: pass +- kind: Pod + policy: disallow-default-namespace + resources: + - badpod01 + result: fail + rule: validate-namespace +- kind: Pod + policy: disallow-default-namespace + resources: + - goodpod01 + result: pass + rule: validate-namespace +- kind: Deployment + policy: disallow-default-namespace + resources: + - baddeployment01 + result: fail + rule: validate-podcontroller-namespace +- kind: Deployment + policy: disallow-default-namespace + resources: + - gooddeployment01 + result: pass + rule: validate-podcontroller-namespace
diff --git a/best-practices/disallow-empty-ingress-host/kyverno-test.yaml b/best-practices/disallow-empty-ingress-host/kyverno-test.yaml
index f814321ec..335f5721a 100644
--- a/best-practices/disallow-empty-ingress-host/kyverno-test.yaml
+++ b/best-practices/disallow-empty-ingress-host/kyverno-test.yaml
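Review bot: The `# validate-namespace` and `# validate-podcontroller-namespace` section comments are dropped from `results` along with the key reordering, and nothing in the new list stands in for them; the same happens to the `# require-image-tag` / `# validate-image-tag` markers in best-practices/disallow-latest-tag and, more importantly, to the two-line header in best-practices/require-drop-all and the three-line header in best-practices/require-drop-cap-net-raw that point readers to the fuller coverage in disallow-capabilities-strict. This looks like a tool re-serialising the files, which cannot carry comments over, so they should be re-added by hand: `# validate-namespace` above the first Pod entry and `# validate-podcontroller-namespace` above the first Deployment entry here, and the original header lines restored at the top of the two require-drop-* files. The expected results themselves appear unchanged apart from order.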
@@ -1,16 +1,18 @@
name: disallow-empty-ingress-host policies: - - disallow-empty-ingress-host.yaml +- disallow-empty-ingress-host.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: disallow-empty-ingress-host - rule: disallow-empty-ingress-host - resource: ingress-wildcard-host - result: pass - kind: Ingress - - policy: disallow-empty-ingress-host - rule: disallow-empty-ingress-host - resource: minimal-ingress - result: fail - kind: Ingress \ No newline at end of file +- kind: Ingress + policy: disallow-empty-ingress-host + resources: + - ingress-wildcard-host + result: pass + rule: disallow-empty-ingress-host +- kind: Ingress + policy: disallow-empty-ingress-host + resources: + - minimal-ingress + result: fail + rule: disallow-empty-ingress-host
diff --git a/best-practices/disallow-helm-tiller/kyverno-test.yaml b/best-practices/disallow-helm-tiller/kyverno-test.yaml
index 0216f2b70..7f81b797d 100644
--- a/best-practices/disallow-helm-tiller/kyverno-test.yaml
+++ b/best-practices/disallow-helm-tiller/kyverno-test.yaml
@@ -1,36 +1,42 @@
name: disallow-helm-tiller policies: - - disallow-helm-tiller.yaml +- disallow-helm-tiller.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: disallow-helm-tiller - rule: validate-helm-tiller - resource: badpod01 - kind: Pod - result: fail - - policy: disallow-helm-tiller - rule: validate-helm-tiller - resource: badpod02 - kind: Pod - result: fail - - policy: disallow-helm-tiller - rule: validate-helm-tiller - resource: goodpod01 - kind: Pod - result: pass - - policy: disallow-helm-tiller - rule: validate-helm-tiller - resource: goodpod02 - kind: Pod - result: pass - - policy: disallow-helm-tiller - rule: validate-helm-tiller - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: disallow-helm-tiller - rule: validate-helm-tiller - resource: baddeployment01 - kind: Deployment - result: fail +- kind: Pod + policy: disallow-helm-tiller + resources: + - badpod01 + result: fail + rule: validate-helm-tiller +- kind: Pod + policy: disallow-helm-tiller + resources: + - badpod02 + result: fail + rule: validate-helm-tiller +- kind: Pod + policy: disallow-helm-tiller + resources: + - goodpod01 + result: pass + rule: validate-helm-tiller +- kind: Pod + policy: disallow-helm-tiller + resources: + - goodpod02 + result: pass + rule: validate-helm-tiller +- kind: Deployment + policy: disallow-helm-tiller + resources: + - gooddeployment01 + result: pass + rule: validate-helm-tiller +- kind: Deployment + policy: disallow-helm-tiller + resources: + - baddeployment01 + result: fail + rule: validate-helm-tiller
diff --git a/best-practices/disallow-latest-tag/kyverno-test.yaml b/best-practices/disallow-latest-tag/kyverno-test.yaml
index 78f65a617..cd8b2d9b9 100644
--- a/best-practices/disallow-latest-tag/kyverno-test.yaml
+++ b/best-practices/disallow-latest-tag/kyverno-test.yaml
@@ -1,58 +1,66 @@
name: disallow-latest-tag policies: - - disallow-latest-tag.yaml +- disallow-latest-tag.yaml resources: - - resource.yaml +- resource.yaml results: - # require-image-tag - - policy: disallow-latest-tag - rule: require-image-tag - resource: myapp-pod - kind: Pod - result: pass - - policy: disallow-latest-tag - rule: require-image-tag - resource: badpod01 - kind: Pod - result: fail - - policy: disallow-latest-tag - rule: require-image-tag - resource: badpod02 - kind: Pod - result: fail - - policy: disallow-latest-tag - rule: require-image-tag - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: disallow-latest-tag - rule: require-image-tag - resource: baddeployment01 - kind: Deployment - result: fail - # validate-image-tag - - policy: disallow-latest-tag - rule: validate-image-tag - resource: myapp-pod - kind: Pod - result: pass - - policy: disallow-latest-tag - rule: validate-image-tag - resource: vit-badpod01 - kind: Pod - result: fail - - policy: disallow-latest-tag - rule: validate-image-tag - resource: vit-badpod02 - kind: Pod - result: fail - - policy: disallow-latest-tag - rule: validate-image-tag - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: disallow-latest-tag - rule: validate-image-tag - resource: vit-baddeployment01 - kind: Deployment - result: fail +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod + result: pass + rule: require-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - badpod01 + result: fail + rule: require-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - badpod02 + result: fail + rule: require-image-tag +- kind: Deployment + policy: disallow-latest-tag + resources: + - gooddeployment01 + result: pass + rule: require-image-tag +- kind: Deployment + policy: disallow-latest-tag + resources: + - baddeployment01 + result: fail + rule: require-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod + 
result: pass + rule: validate-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - vit-badpod01 + result: fail + rule: validate-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - vit-badpod02 + result: fail + rule: validate-image-tag +- kind: Deployment + policy: disallow-latest-tag + resources: + - gooddeployment01 + result: pass + rule: validate-image-tag +- kind: Deployment + policy: disallow-latest-tag + resources: + - vit-baddeployment01 + result: fail + rule: validate-image-tag
diff --git a/best-practices/require-drop-all/kyverno-test.yaml b/best-practices/require-drop-all/kyverno-test.yaml
index e168005d3..3cf562306 100644
--- a/best-practices/require-drop-all/kyverno-test.yaml
+++ b/best-practices/require-drop-all/kyverno-test.yaml
@@ -1,18 +1,18 @@
-# Tests for this policy are covered in a more extensive fashion in the PSS restricted profile -# in disallow-capabilities-strict. name: require-drop-all policies: - - require-drop-all.yaml +- require-drop-all.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: drop-all-capabilities - rule: require-drop-all - resource: add-capabilities - kind: Pod - result: pass - - policy: drop-all-capabilities - rule: require-drop-all - resource: add-capabilities-bad - kind: Pod - result: fail \ No newline at end of file +- kind: Pod + policy: drop-all-capabilities + resources: + - add-capabilities + result: pass + rule: require-drop-all +- kind: Pod + policy: drop-all-capabilities + resources: + - add-capabilities-bad + result: fail + rule: require-drop-all
diff --git a/best-practices/require-drop-cap-net-raw/kyverno-test.yaml b/best-practices/require-drop-cap-net-raw/kyverno-test.yaml
index f3247de24..528513da1 100644
--- a/best-practices/require-drop-cap-net-raw/kyverno-test.yaml
+++ b/best-practices/require-drop-cap-net-raw/kyverno-test.yaml
@@ -1,24 +1,24 @@
-# Tests for this policy are covered in a more extensive fashion in the PSS restricted profile -# in disallow-capabilities-strict. Since the only difference is the value being dropped, -# those tests are sufficient to test for this policy. name: require-drop-cap-net-raw policies: - - require-drop-cap-net-raw.yaml +- require-drop-cap-net-raw.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: drop-cap-net-raw - rule: require-drop-cap-net-raw - resource: drop-good - kind: Pod - result: pass - - policy: drop-cap-net-raw - rule: require-drop-cap-net-raw - resource: badpod01 - kind: Pod - result: fail - - policy: drop-cap-net-raw - rule: require-drop-cap-net-raw - resource: badpod02 - kind: Pod - result: fail +- kind: Pod + policy: drop-cap-net-raw + resources: + - drop-good + result: pass + rule: require-drop-cap-net-raw +- kind: Pod + policy: drop-cap-net-raw + resources: + - badpod01 + result: fail + rule: require-drop-cap-net-raw +- kind: Pod + policy: drop-cap-net-raw + resources: + - badpod02 + result: fail + rule: require-drop-cap-net-raw
diff --git a/best-practices/require-labels/kyverno-test.yaml b/best-practices/require-labels/kyverno-test.yaml
index e87961d3e..fdbf1b860 100644
--- a/best-practices/require-labels/kyverno-test.yaml
+++ b/best-practices/require-labels/kyverno-test.yaml
@@ -1,26 +1,30 @@
name: require-labels policies: - - require-labels.yaml +- require-labels.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: require-labels - rule: check-for-labels - resource: badpod01 - kind: Pod - result: fail - - policy: require-labels - rule: check-for-labels - resource: badpod02 - kind: Pod - result: fail - - policy: require-labels - rule: check-for-labels - resource: goodpod01 - kind: Pod - result: pass - - policy: require-labels - rule: check-for-labels - resource: goodpod02 - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: require-labels + resources: + - badpod01 + result: fail + rule: check-for-labels +- kind: Pod + policy: require-labels + resources: + - badpod02 + result: fail + rule: check-for-labels +- kind: Pod + policy: require-labels + resources: + - goodpod01 + result: pass + rule: check-for-labels +- kind: Pod + policy: require-labels + resources: + - goodpod02 + result: pass + rule: check-for-labels
diff --git a/best-practices/require-pod-requests-limits/kyverno-test.yaml b/best-practices/require-pod-requests-limits/kyverno-test.yaml
index ff1863c2a..818cab65b 100644
--- a/best-practices/require-pod-requests-limits/kyverno-test.yaml
+++ b/best-practices/require-pod-requests-limits/kyverno-test.yaml
@@ -1,31 +1,36 @@
name: require-requests-limits policies: - - require-pod-requests-limits.yaml +- require-pod-requests-limits.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: require-requests-limits - rule: validate-resources - resource: goodpod01 - kind: Pod - result: pass - - policy: require-requests-limits - rule: validate-resources - resource: goodpod02 - kind: Pod - result: pass - - policy: require-requests-limits - rule: validate-resources - resource: badpod01 - kind: Pod - result: fail - - policy: require-requests-limits - rule: validate-resources - resource: badpod02 - kind: Pod - result: fail - - policy: require-requests-limits - rule: validate-resources - resource: badpod03 - kind: Pod - result: fail +- kind: Pod + policy: require-requests-limits + resources: + - goodpod01 + result: pass + rule: validate-resources +- kind: Pod + policy: require-requests-limits + resources: + - goodpod02 + result: pass + rule: validate-resources +- kind: Pod + policy: require-requests-limits + resources: + - badpod01 + result: fail + rule: validate-resources +- kind: Pod + policy: require-requests-limits + resources: + - badpod02 + result: fail + rule: validate-resources +- kind: Pod + policy: require-requests-limits + resources: + - badpod03 + result: fail + rule: validate-resources
diff --git a/best-practices/require-ro-rootfs/kyverno-test.yaml b/best-practices/require-ro-rootfs/kyverno-test.yaml
index 146c89a47..dc0b30bfb 100644
--- a/best-practices/require-ro-rootfs/kyverno-test.yaml
+++ b/best-practices/require-ro-rootfs/kyverno-test.yaml
@@ -1,31 +1,36 @@
name: require-ro-rootfs policies: - - require-ro-rootfs.yaml +- require-ro-rootfs.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: require-ro-rootfs - rule: validate-readOnlyRootFilesystem - resource: badpod01 - kind: Pod - result: fail - - policy: require-ro-rootfs - rule: validate-readOnlyRootFilesystem - resource: badpod02 - kind: Pod - result: fail - - policy: require-ro-rootfs - rule: validate-readOnlyRootFilesystem - resource: badpod03 - kind: Pod - result: fail - - policy: require-ro-rootfs - rule: validate-readOnlyRootFilesystem - resource: goodpod01 - kind: Pod - result: pass - - policy: require-ro-rootfs - rule: validate-readOnlyRootFilesystem - resource: goodpod02 - kind: Pod - result: pass +- kind: Pod + policy: require-ro-rootfs + resources: + - badpod01 + result: fail + rule: validate-readOnlyRootFilesystem +- kind: Pod + policy: require-ro-rootfs + resources: + - badpod02 + result: fail + rule: validate-readOnlyRootFilesystem +- kind: Pod + policy: require-ro-rootfs + resources: + - badpod03 + result: fail + rule: validate-readOnlyRootFilesystem +- kind: Pod + policy: require-ro-rootfs + resources: + - goodpod01 + result: pass + rule: validate-readOnlyRootFilesystem +- kind: Pod + policy: require-ro-rootfs + resources: + - goodpod02 + result: pass + rule: validate-readOnlyRootFilesystem
diff --git a/best-practices/restrict-image-registries/kyverno-test.yaml b/best-practices/restrict-image-registries/kyverno-test.yaml
index 2ef853253..96da63f07 100644
--- a/best-practices/restrict-image-registries/kyverno-test.yaml
+++ b/best-practices/restrict-image-registries/kyverno-test.yaml
@@ -1,41 +1,48 @@
name: restrict-image-registries policies: - - restrict-image-registries.yaml +- restrict-image-registries.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: restrict-image-registries - rule: validate-registries - resource: badpod01 - kind: Pod - result: fail - - policy: restrict-image-registries - rule: validate-registries - resource: badpod02 - kind: Pod - result: fail - - policy: restrict-image-registries - rule: validate-registries - resource: badpod03 - kind: Pod - result: fail - - policy: restrict-image-registries - rule: validate-registries - resource: badpod04 - kind: Pod - result: fail - - policy: restrict-image-registries - rule: validate-registries - resource: goodpod01 - kind: Pod - result: pass - - policy: restrict-image-registries - rule: validate-registries - resource: goodpod02 - kind: Pod - result: pass - - policy: restrict-image-registries - rule: validate-registries - resource: goodpod03 - kind: Pod - result: pass +- kind: Pod + policy: restrict-image-registries + resources: + - badpod01 + result: fail + rule: validate-registries +- kind: Pod + policy: restrict-image-registries + resources: + - badpod02 + result: fail + rule: validate-registries +- kind: Pod + policy: restrict-image-registries + resources: + - badpod03 + result: fail + rule: validate-registries +- kind: Pod + policy: restrict-image-registries + resources: + - badpod04 + result: fail + rule: validate-registries +- kind: Pod + policy: restrict-image-registries + resources: + - goodpod01 + result: pass + rule: validate-registries +- kind: Pod + policy: restrict-image-registries + resources: + - goodpod02 + result: pass + rule: validate-registries +- kind: Pod + policy: restrict-image-registries + resources: + - goodpod03 + result: pass + rule: validate-registries
diff --git a/best-practices/restrict-node-port/kyverno-test.yaml b/best-practices/restrict-node-port/kyverno-test.yaml
index eb7eee47b..08a30ebc2 100644
--- a/best-practices/restrict-node-port/kyverno-test.yaml
+++ b/best-practices/restrict-node-port/kyverno-test.yaml
@@ -1,21 +1,24 @@
name: restrict-node-port policies: - - restrict-node-port.yaml +- restrict-node-port.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: restrict-nodeport - rule: validate-nodeport - resource: badservice01 - kind: Service - result: fail - - policy: restrict-nodeport - rule: validate-nodeport - resource: goodservice01 - kind: Service - result: pass - - policy: restrict-nodeport - rule: validate-nodeport - resource: goodservice02 - kind: Service - result: pass +- kind: Service + policy: restrict-nodeport + resources: + - badservice01 + result: fail + rule: validate-nodeport +- kind: Service + policy: restrict-nodeport + resources: + - goodservice01 + result: pass + rule: validate-nodeport +- kind: Service + policy: restrict-nodeport + resources: + - goodservice02 + result: pass + rule: validate-nodeport
diff --git a/best-practices/restrict-service-external-ips/kyverno-test.yaml b/best-practices/restrict-service-external-ips/kyverno-test.yaml
index 784430acf..d4cfca0bf 100644
--- a/best-practices/restrict-service-external-ips/kyverno-test.yaml
+++ b/best-practices/restrict-service-external-ips/kyverno-test.yaml
@@ -1,21 +1,24 @@
name: restrict-external-ips policies: - - restrict-service-external-ips.yaml +- restrict-service-external-ips.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: restrict-external-ips - rule: check-ips - resource: goodservice01 - kind: Service - result: pass - - policy: restrict-external-ips - rule: check-ips - resource: badservice01 - kind: Service - result: fail - - policy: restrict-external-ips - rule: check-ips - resource: badservice02 - kind: Service - result: fail +- kind: Service + policy: restrict-external-ips + resources: + - goodservice01 + result: pass + rule: check-ips +- kind: Service + policy: restrict-external-ips + resources: + - badservice01 + result: fail + rule: check-ips +- kind: Service + policy: restrict-external-ips + resources: + - badservice02 + result: fail + rule: check-ips
diff --git a/castai/add-castai-removal-disabled/kyverno-test.yaml b/castai/add-castai-removal-disabled/kyverno-test.yaml
index 7ccafdce1..0f182e19e 100644
--- a/castai/add-castai-removal-disabled/kyverno-test.yaml
+++ b/castai/add-castai-removal-disabled/kyverno-test.yaml
@@ -4,15 +4,17 @@ policies:
resources: - resources.yaml results: -- policy: add-castai-removal-disabled - rule: do-not-evict-jobs - resource: addjob01 - kind: Job +- kind: Job patchedResource: patched01.yaml + policy: add-castai-removal-disabled + resources: + - addjob01 result: pass -- policy: add-castai-removal-disabled - rule: do-not-evict-cronjobs - resource: addcronjob01 - kind: CronJob + rule: do-not-evict-jobs +- kind: CronJob patchedResource: patched02.yaml + policy: add-castai-removal-disabled + resources: + - addcronjob01 result: pass + rule: do-not-evict-cronjobs
diff --git a/cert-manager/limit-dnsnames/kyverno-test.yaml b/cert-manager/limit-dnsnames/kyverno-test.yaml
index c02923f09..6c661ec7d 100644
--- a/cert-manager/limit-dnsnames/kyverno-test.yaml
+++ b/cert-manager/limit-dnsnames/kyverno-test.yaml
@@ -1,16 +1,18 @@
name: limit_dnsnames policies: - - limit-dnsnames.yaml +- limit-dnsnames.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: cert-manager-limit-dnsnames - rule: limit-dnsnames - resource: letsencrypt-crt - kind: Certificate - result: fail - - policy: cert-manager-limit-dnsnames - rule: limit-dnsnames - resource: acme-crt - kind: Certificate - result: pass +- kind: Certificate + policy: cert-manager-limit-dnsnames + resources: + - letsencrypt-crt + result: fail + rule: limit-dnsnames +- kind: Certificate + policy: cert-manager-limit-dnsnames + resources: + - acme-crt + result: pass + rule: limit-dnsnames
diff --git a/cert-manager/limit-duration/kyverno-test.yaml b/cert-manager/limit-duration/kyverno-test.yaml
index aaf75dcd1..b997197ed 100644
--- a/cert-manager/limit-duration/kyverno-test.yaml
+++ b/cert-manager/limit-duration/kyverno-test.yaml
@@ -1,32 +1,24 @@
name: limit-duration policies: - - limit-duration.yaml +- limit-duration.yaml resources: - - resource.yaml +- resource.yaml results: - # - policy: cert-manager-limit-duration - # rule: certificate-duration-max-100days - # resource: letsencrypt-crt - # kind: Certificate - # result: error - # duration field absent in resource, therefore request.object.spec.duration = nil. - # policy throws an error, as nil value assigned to variable. - # status/result --> error - - - policy: cert-manager-limit-duration - rule: certificate-duration-max-100days - resource: acme-crt - kind: Certificate - result: skip - # Status/result = skip, because preconditions blocked doesn't match. - - - policy: cert-manager-limit-duration - rule: certificate-duration-max-100days - resource: acme-crt-short - kind: Certificate - result: pass - - policy: cert-manager-limit-duration - rule: certificate-duration-max-100days - resource: acme-crt-long - kind: Certificate - result: fail \ No newline at end of file +- kind: Certificate + policy: cert-manager-limit-duration + resources: + - acme-crt + result: skip + rule: certificate-duration-max-100days +- kind: Certificate + policy: cert-manager-limit-duration + resources: + - acme-crt-short + result: pass + rule: certificate-duration-max-100days +- kind: Certificate + policy: cert-manager-limit-duration + resources: + - acme-crt-long + result: fail + rule: certificate-duration-max-100days
diff --git a/cert-manager/restrict-issuer/kyverno-test.yaml b/cert-manager/restrict-issuer/kyverno-test.yaml
index 96bdf51bd..92ac1283f 100644
--- a/cert-manager/restrict-issuer/kyverno-test.yaml
+++ b/cert-manager/restrict-issuer/kyverno-test.yaml
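Review bot: The removed comment block carried two facts the rewritten `results` list no longer states: why `acme-crt` is expected to `skip` (the rule's preconditions do not match it) and that `letsencrypt-crt` has no entry because a Certificate with no `spec.duration` makes the rule error out, since `request.object.spec.duration` is nil when it is assigned to a variable. Dropping the second note hides a real coverage gap in a policy meant to cap certificate lifetime: an input the rule cannot evaluate is now neither tested nor explained, and the next maintainer has no way to tell whether that was deliberate. Suggest restoring a short comment above the `acme-crt` entry, e.g. `# skip: rule preconditions do not match this resource`, and a comment above `results` recording that `letsencrypt-crt` is intentionally absent because a missing `spec.duration` currently yields an error rather than a pass or fail. If the CLI has since gained an `error` result, re-adding that case as a real entry would be better still, but that is an inference and should be checked.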
@@ -1,16 +1,18 @@
name: restrict-issuer policies: - - restrict-issuer.yaml +- restrict-issuer.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: cert-manager-restrict-issuer - rule: restrict-corp-cert-issuer - resource: letsencrypt-crt - kind: Certificate - result: pass - - policy: cert-manager-restrict-issuer - rule: restrict-corp-cert-issuer - resource: acme-crt - kind: Certificate - result: fail +- kind: Certificate + policy: cert-manager-restrict-issuer + resources: + - letsencrypt-crt + result: pass + rule: restrict-corp-cert-issuer +- kind: Certificate + policy: cert-manager-restrict-issuer + resources: + - acme-crt + result: fail + rule: restrict-corp-cert-issuer
diff --git a/consul/enforce-min-tls-version/kyverno-test.yaml b/consul/enforce-min-tls-version/kyverno-test.yaml
index a11f133af..d83e21579 100644
--- a/consul/enforce-min-tls-version/kyverno-test.yaml
+++ b/consul/enforce-min-tls-version/kyverno-test.yaml
@@ -1,16 +1,18 @@
name: enforce-min-tls-version policies: - - enforce-min-tls-version.yaml +- enforce-min-tls-version.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: enforce-min-tls-version - rule: check-for-tls-version - resource: badmesh - kind: Mesh - result: fail - - policy: enforce-min-tls-version - rule: check-for-tls-version - resource: goodmesh - kind: Mesh - result: pass \ No newline at end of file +- kind: Mesh + policy: enforce-min-tls-version + resources: + - badmesh + result: fail + rule: check-for-tls-version +- kind: Mesh + policy: enforce-min-tls-version + resources: + - goodmesh + result: pass + rule: check-for-tls-version
diff --git a/external-secret-operator/add-external-secret-prefix/kyverno-test.yaml b/external-secret-operator/add-external-secret-prefix/kyverno-test.yaml
index e202a6d14..4edab2491 100644
--- a/external-secret-operator/add-external-secret-prefix/kyverno-test.yaml
+++ b/external-secret-operator/add-external-secret-prefix/kyverno-test.yaml
@@ -4,9 +4,10 @@ policies:
 resources:
 - resource.yaml
 results:
-- policy: add-external-secret-prefix
- rule: add-external-secret-prefix
- resource: example
- kind: ExternalSecret
+- kind: ExternalSecret
 patchedResource: patched.yaml
+ policy: add-external-secret-prefix
+ resources:
+ - example
 result: pass
+ rule: add-external-secret-prefix
diff --git a/istio/restrict-virtual-service-wildcard/kyverno-test.yaml b/istio/restrict-virtual-service-wildcard/kyverno-test.yaml
index d748ed76c..93573cf66 100644
--- a/istio/restrict-virtual-service-wildcard/kyverno-test.yaml
+++ b/istio/restrict-virtual-service-wildcard/kyverno-test.yaml
@@ -1,16 +1,18 @@
 name: restrict-virtual-service-wildcard
 policies:
- - restrict-virtual-service-wildcard.yaml
+- restrict-virtual-service-wildcard.yaml
 resources:
- - resources.yaml
+- resources.yaml
 results:
- - policy: restrict-virtual-service-wildcard
- rule: block-virtual-service-wildcard
- resource: badvs
- kind: VirtualService
- result: fail
- - policy: restrict-virtual-service-wildcard
- rule: block-virtual-service-wildcard
- resource: goodvs
- kind: VirtualService
- result: pass
\ No newline at end of file
+- kind: VirtualService
+ policy: restrict-virtual-service-wildcard
+ resources:
+ - badvs
+ result: fail
+ rule: block-virtual-service-wildcard
+- kind: VirtualService
+ policy: restrict-virtual-service-wildcard
+ resources:
+ - goodvs
+ result: pass
+ rule: block-virtual-service-wildcard
diff --git a/karpenter/add-karpenter-daemonset-priority-class/kyverno-test.yaml b/karpenter/add-karpenter-daemonset-priority-class/kyverno-test.yaml
index f2953ae60..cd97849e2 100644
--- a/karpenter/add-karpenter-daemonset-priority-class/kyverno-test.yaml
+++ b/karpenter/add-karpenter-daemonset-priority-class/kyverno-test.yaml
@@ -1,13 +1,14 @@
 name: test-add-karpenter-daemonset-priority-class
 policies:
- - add-karpenter-daemonset-priority-class.yaml
+- add-karpenter-daemonset-priority-class.yaml
 resources:
- - daemonset.yaml
+- daemonset.yaml
 results:
- - policy: add-karpenter-daemonset-priority-class
- rule: add-karpenter-daemonset-priority-class
- resource: test
- namespace: test
- kind: DaemonSet
- patchedResource: daemonset-patched.yaml
- result: pass
+- kind: DaemonSet
+ namespace: test
+ patchedResource: daemonset-patched.yaml
+ policy: add-karpenter-daemonset-priority-class
+ resources:
+ - test
+ result: pass
+ rule: add-karpenter-daemonset-priority-class
diff --git a/karpenter/add-karpenter-donot-evict/kyverno-test.yaml b/karpenter/add-karpenter-donot-evict/kyverno-test.yaml
index 86b615969..d620e6744 100644
--- a/karpenter/add-karpenter-donot-evict/kyverno-test.yaml
+++ b/karpenter/add-karpenter-donot-evict/kyverno-test.yaml
@@ -4,15 +4,17 @@ policies:
 resources:
 - resource.yaml
 results:
-- policy: add-karpenter-donot-evict
- rule: do-not-evict-jobs
- resource: addjob01
- kind: Job
+- kind: Job
 patchedResource: patched01.yaml
+ policy: add-karpenter-donot-evict
+ resources:
+ - addjob01
 result: pass
-- policy: add-karpenter-donot-evict
- rule: do-not-evict-cronjobs
- resource: addcronjob01
- kind: CronJob
+ rule: do-not-evict-jobs
+- kind: CronJob
 patchedResource: patched02.yaml
+ policy: add-karpenter-donot-evict
+ resources:
+ - addcronjob01
 result: pass
+ rule: do-not-evict-cronjobs
diff --git a/karpenter/set-karpenter-non-cpu-limits/kyverno-test.yaml b/karpenter/set-karpenter-non-cpu-limits/kyverno-test.yaml
index 070342473..aa646d6e9 100644
--- a/karpenter/set-karpenter-non-cpu-limits/kyverno-test.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/kyverno-test.yaml
@@ -1,62 +1,70 @@
 name: set-karpenter-non-cpu-limits
 policies:
- - set-karpenter-non-cpu-limits.yaml
+- set-karpenter-non-cpu-limits.yaml
 resources:
- - resources.yaml
+- resources.yaml
 results:
- - policy: set-karpenter-non-cpu-limits
- rule: set-ephemeral-storage
- resource: test1
- namespace: test
- kind: Pod
- patchedResource: pod-ephemeral-storage-patched1.yaml
- result: pass
- - policy: set-karpenter-non-cpu-limits
- rule: set-memory
- resource: test1
- namespace: test
- kind: Pod
- patchedResource: pod-memory-patched1.yaml
- result: pass
- - policy: set-karpenter-non-cpu-limits
- rule: set-ephemeral-storage
- resource: test2
- namespace: test
- kind: Pod
- patchedResource: pod-ephemeral-storage-patched2.yaml
- result: pass
- - policy: set-karpenter-non-cpu-limits
- rule: set-memory
- resource: test2
- namespace: test
- kind: Pod
- patchedResource: pod-memory-patched2.yaml
- result: pass
- - policy: set-karpenter-non-cpu-limits
- rule: set-ephemeral-storage
- resource: test3
- namespace: test
- kind: Pod
- patchedResource: pod-ephemeral-storage-patched3.yaml
- result: pass
- - policy: set-karpenter-non-cpu-limits
- rule: set-memory
- resource: test3
- namespace: test
- kind: Pod
- patchedResource: pod-memory-patched3.yaml
- result: pass
- - policy: set-karpenter-non-cpu-limits
- rule: set-ephemeral-storage
- resource: test4
- namespace: test
- kind: Pod
- patchedResource: pod-ephemeral-storage-patched4.yaml
- result: pass
- - policy: set-karpenter-non-cpu-limits
- rule: set-memory
- resource: test4
- namespace: test
- kind: Pod
- patchedResource: pod-memory-patched4.yaml
- result: skip
+- kind: Pod
+ namespace: test
+ patchedResource: pod-ephemeral-storage-patched1.yaml
+ policy: set-karpenter-non-cpu-limits
+ resources:
+ - test1
+ result: pass
+ rule: set-ephemeral-storage
+- kind: Pod
+ namespace: test
+ patchedResource: pod-memory-patched1.yaml
+ policy: set-karpenter-non-cpu-limits
+ resources:
+ - test1
+ result: pass
+ rule: set-memory
+- kind: Pod
+ namespace: test
+ patchedResource: pod-ephemeral-storage-patched2.yaml
+ policy: set-karpenter-non-cpu-limits
+ resources:
+ - test2
+ result: pass
+ rule: set-ephemeral-storage
+- kind: Pod
+ namespace: test
+ patchedResource: pod-memory-patched2.yaml
+ policy: set-karpenter-non-cpu-limits
+ resources:
+ - test2
+ result: pass
+ rule: set-memory
+- kind: Pod
+ namespace: test
+ patchedResource: pod-ephemeral-storage-patched3.yaml
+ policy: set-karpenter-non-cpu-limits
+ resources:
+ - test3
+ result: pass
+ rule: set-ephemeral-storage
+- kind: Pod
+ namespace: test
+ patchedResource: pod-memory-patched3.yaml
+ policy: set-karpenter-non-cpu-limits
+ resources:
+ - test3
+ result: pass
+ rule: set-memory
+- kind: Pod
+ namespace: test
+ patchedResource: pod-ephemeral-storage-patched4.yaml
+ policy: set-karpenter-non-cpu-limits
+ resources:
+ - test4
+ result: pass
+ rule: set-ephemeral-storage
+- kind: Pod
+ namespace: test
+ patchedResource: pod-memory-patched4.yaml
+ policy: set-karpenter-non-cpu-limits
+ resources:
+ - test4
+ result: skip
+ rule: set-memory
diff --git a/kasten/k10-3-2-1-backup/kyverno-test.yaml b/kasten/k10-3-2-1-backup/kyverno-test.yaml
index 61ad5c563..de2fac82a 100644
--- a/kasten/k10-3-2-1-backup/kyverno-test.yaml
+++ b/kasten/k10-3-2-1-backup/kyverno-test.yaml
@@ -1,16 +1,18 @@
 name: kyverno_data_protection_tests
 policies:
- - k10-3-2-1-backup.yaml
+- k10-3-2-1-backup.yaml
 resources:
- - k10-backup-policy.yaml
+- k10-backup-policy.yaml
 results:
-- policy: k10-3-2-1-backup-policy
- rule: k10-3-2-1-backup-policy
- resource: sample-custom-backup-policy
- kind: Policy
+- kind: Policy
+ policy: k10-3-2-1-backup-policy
+ resources:
+ - sample-custom-backup-policy
 result: pass
-- policy: k10-3-2-1-backup-policy
 rule: k10-3-2-1-backup-policy
- resource: sample-custom-backup-policy-invalid
- kind: Policy
- result: fail
\ No newline at end of file
+- kind: Policy
+ policy: k10-3-2-1-backup-policy
+ resources:
+ - sample-custom-backup-policy-invalid
+ result: fail
+ rule: k10-3-2-1-backup-policy
diff --git a/kasten/k10-data-protection-by-label/kyverno-test.yaml b/kasten/k10-data-protection-by-label/kyverno-test.yaml
index 8e13092cd..b17da245e 100644
--- a/kasten/k10-data-protection-by-label/kyverno-test.yaml
+++ b/kasten/k10-data-protection-by-label/kyverno-test.yaml
@@ -1,16 +1,18 @@
 name: kyverno_data_protection_tests
 policies:
- - k10-data-protection-by-label.yaml
+- k10-data-protection-by-label.yaml
 resources:
- - nginx-deployment.yaml
+- nginx-deployment.yaml
 results:
-- policy: k10-data-protection-by-label
- rule: k10-data-protection-by-label
- resource: nginx-deployment
- kind: Deployment
+- kind: Deployment
+ policy: k10-data-protection-by-label
+ resources:
+ - nginx-deployment
 result: pass
-- policy: k10-data-protection-by-label
 rule: k10-data-protection-by-label
- resource: nginx-deployment-invalid
- kind: Deployment
+- kind: Deployment
+ policy: k10-data-protection-by-label
+ resources:
+ - nginx-deployment-invalid
 result: fail
+ rule: k10-data-protection-by-label
diff --git a/kasten/k10-generate-policy-by-preset-label/kyverno-test.yaml b/kasten/k10-generate-policy-by-preset-label/kyverno-test.yaml
index d947d8bb2..f8e535290 100644
--- a/kasten/k10-generate-policy-by-preset-label/kyverno-test.yaml
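Review bot: `name: kyverno_data_protection_tests` is shared by this test and by the k10-data-protection-by-label, k10-hourly-rpo, k10-immutable-location-profile and k10-minimum-retention tests touched in the same commit, so tooling that reports or filters by test name cannot tell them apart; the same copy-paste shows up as `name: check-routes` in disallow-deprecated-apis, disallow-security-context-constraint-anyuid and disallow-self-provisioner-binding, `name: check-policy` in disallow-jenkins-pipeline-strategy and enforce-etcd-encryption, and `name: restrict-annotations` in restrict-ingress-paths. These `name` lines are untouched context here, but since every file is being regenerated this is the natural moment to give each one the directory's policy name, e.g. `name: k10-3-2-1-backup` for this file.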
+++ b/kasten/k10-generate-policy-by-preset-label/kyverno-test.yaml
@@ -1,13 +1,14 @@
 name: k10-generate-policy-by-preset-label-test
 policies:
- - k10-generate-policy-by-preset-label.yaml
+- k10-generate-policy-by-preset-label.yaml
 resources:
- - test-resource.yaml
-variables: test-values.yaml
+- test-resource.yaml
 results:
- - policy: k10-generate-policy-by-preset-label
- rule: k10-generate-policy-by-preset-label
- resource: test-namespace
- generatedResource: generatedResource.yaml
- kind: Namespace
- result: pass
\ No newline at end of file
+- generatedResource: generatedResource.yaml
+ kind: Namespace
+ policy: k10-generate-policy-by-preset-label
+ resources:
+ - test-namespace
+ result: pass
+ rule: k10-generate-policy-by-preset-label
+variables: test-values.yaml
diff --git a/kasten/k10-hourly-rpo/kyverno-test.yaml b/kasten/k10-hourly-rpo/kyverno-test.yaml
index 392103f72..8d07970f2 100644
--- a/kasten/k10-hourly-rpo/kyverno-test.yaml
+++ b/kasten/k10-hourly-rpo/kyverno-test.yaml
@@ -1,16 +1,18 @@
 name: kyverno_data_protection_tests
 policies:
- - k10-hourly-rpo.yaml
+- k10-hourly-rpo.yaml
 resources:
- - backup-export-policy.yaml
+- backup-export-policy.yaml
 results:
-- policy: k10-policy-hourly-rpo
- rule: k10-policy-hourly-rpo
- resource: hourly-policy
- kind: Policy
+- kind: Policy
+ policy: k10-policy-hourly-rpo
+ resources:
+ - hourly-policy
 result: pass
-- policy: k10-policy-hourly-rpo
 rule: k10-policy-hourly-rpo
- resource: daily-policy
- kind: Policy
- result: fail
\ No newline at end of file
+- kind: Policy
+ policy: k10-policy-hourly-rpo
+ resources:
+ - daily-policy
+ result: fail
+ rule: k10-policy-hourly-rpo
diff --git a/kasten/k10-immutable-location-profile/kyverno-test.yaml b/kasten/k10-immutable-location-profile/kyverno-test.yaml
index bb568b5ba..3af24a913 100644
--- a/kasten/k10-immutable-location-profile/kyverno-test.yaml
+++ b/kasten/k10-immutable-location-profile/kyverno-test.yaml
@@ -1,16 +1,18 @@
 name: kyverno_data_protection_tests
 policies:
- - k10-immutable-location-profile.yaml
+- k10-immutable-location-profile.yaml
 resources:
- - immutable-location-profile.yaml
+- immutable-location-profile.yaml
 results:
-- policy: k10-immutable-location-profile
- rule: k10-immutable-location-profile
- resource: sample-location-profile
- kind: Profile
+- kind: Profile
+ policy: k10-immutable-location-profile
+ resources:
+ - sample-location-profile
 result: pass
-- policy: k10-immutable-location-profile
 rule: k10-immutable-location-profile
- resource: sample-location-profile-invalid
- kind: Profile
+- kind: Profile
+ policy: k10-immutable-location-profile
+ resources:
+ - sample-location-profile-invalid
 result: fail
+ rule: k10-immutable-location-profile
diff --git a/kasten/k10-minimum-retention/kyverno-test.yaml b/kasten/k10-minimum-retention/kyverno-test.yaml
index 888343879..285d9be6c 100644
--- a/kasten/k10-minimum-retention/kyverno-test.yaml
+++ b/kasten/k10-minimum-retention/kyverno-test.yaml
@@ -1,12 +1,13 @@
 name: kyverno_data_protection_tests
 policies:
- - k10-minimum-retention.yaml
+- k10-minimum-retention.yaml
 resources:
- - backup-export-policy.yaml
+- backup-export-policy.yaml
 results:
-- policy: k10-minimum-retention
- rule: k10-minimum-retention
- resource: hourly-policy
- kind: Policy
+- kind: Policy
 patchedResource: patched.yaml
+ policy: k10-minimum-retention
+ resources:
+ - hourly-policy
 result: pass
+ rule: k10-minimum-retention
diff --git a/kasten/k10-validate-ns-by-preset-label/kyverno-test.yaml b/kasten/k10-validate-ns-by-preset-label/kyverno-test.yaml
index a261cae6f..0f6b64f6c 100644
--- a/kasten/k10-validate-ns-by-preset-label/kyverno-test.yaml
+++ b/kasten/k10-validate-ns-by-preset-label/kyverno-test.yaml
@@ -1,31 +1,36 @@
 name: k10-validate-ns-by-preset-label-test
 policies:
- - k10-validate-ns-by-preset-label.yaml
+- k10-validate-ns-by-preset-label.yaml
 resources:
- - test-resource.yaml
+- test-resource.yaml
 results:
-- policy: k10-validate-ns-by-preset-label
- rule: k10-validate-ns-by-preset-label
- resource: namespace-gold
- kind: Namespace
+- kind: Namespace
+ policy: k10-validate-ns-by-preset-label
+ resources:
+ - namespace-gold
 result: pass
-- policy: k10-validate-ns-by-preset-label
 rule: k10-validate-ns-by-preset-label
- resource: namespace-silver
- kind: Namespace
+- kind: Namespace
+ policy: k10-validate-ns-by-preset-label
+ resources:
+ - namespace-silver
 result: pass
-- policy: k10-validate-ns-by-preset-label
 rule: k10-validate-ns-by-preset-label
- resource: namespace-bronze
- kind: Namespace
+- kind: Namespace
+ policy: k10-validate-ns-by-preset-label
+ resources:
+ - namespace-bronze
 result: pass
-- policy: k10-validate-ns-by-preset-label
 rule: k10-validate-ns-by-preset-label
- resource: namespace-none
- kind: Namespace
+- kind: Namespace
+ policy: k10-validate-ns-by-preset-label
+ resources:
+ - namespace-none
 result: pass
-- policy: k10-validate-ns-by-preset-label
 rule: k10-validate-ns-by-preset-label
- resource: namespace-invalid
- kind: Namespace
+- kind: Namespace
+ policy: k10-validate-ns-by-preset-label
+ resources:
+ - namespace-invalid
 result: fail
+ rule: k10-validate-ns-by-preset-label
diff --git a/kubecost/enable-kubecost-continuous-rightsizing/kyverno-test.yaml b/kubecost/enable-kubecost-continuous-rightsizing/kyverno-test.yaml
index 4bf6d3647..1dd050697 100644
--- a/kubecost/enable-kubecost-continuous-rightsizing/kyverno-test.yaml
+++ b/kubecost/enable-kubecost-continuous-rightsizing/kyverno-test.yaml
@@ -1,17 +1,19 @@
 name: enable-kubecost-continuous-rightsizing
 policies:
- - enable-kubecost-continuous-rightsizing.yaml
+- enable-kubecost-continuous-rightsizing.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: enable-kubecost-continuous-rightsizing
- rule: enable-kubecost-autoscaling
- resource: deploy01
- kind: Deployment
- result: skip
- - policy: enable-kubecost-continuous-rightsizing
- rule: enable-kubecost-autoscaling
- resource: deploy02
- patchedResource: patchedResource1.yaml
- kind: Deployment
- result: pass
+- kind: Deployment
+ policy: enable-kubecost-continuous-rightsizing
+ resources:
+ - deploy01
+ result: skip
+ rule: enable-kubecost-autoscaling
+- kind: Deployment
+ patchedResource: patchedResource1.yaml
+ policy: enable-kubecost-continuous-rightsizing
+ resources:
+ - deploy02
+ result: pass
+ rule: enable-kubecost-autoscaling
diff --git a/nginx-ingress/disallow-ingress-nginx-custom-snippets/kyverno-test.yaml b/nginx-ingress/disallow-ingress-nginx-custom-snippets/kyverno-test.yaml
index ed6e76bcf..f12af650a 100644
--- a/nginx-ingress/disallow-ingress-nginx-custom-snippets/kyverno-test.yaml
+++ b/nginx-ingress/disallow-ingress-nginx-custom-snippets/kyverno-test.yaml
@@ -1,36 +1,42 @@
 name: disallow_nginx_custom_snippets
 policies:
- - disallow-ingress-nginx-custom-snippets.yaml
+- disallow-ingress-nginx-custom-snippets.yaml
 resources:
- - resources.yaml
+- resources.yaml
 results:
- - policy: disallow-ingress-nginx-custom-snippets
- rule: check-config-map
- resource: config-map-true
- kind: ConfigMap
- result: fail
- - policy: disallow-ingress-nginx-custom-snippets
- rule: check-config-map
- resource: config-map-false
- kind: ConfigMap
- result: pass
- - policy: disallow-ingress-nginx-custom-snippets
- rule: check-config-map
- resource: config-map-other
- kind: ConfigMap
- result: pass
- - policy: disallow-ingress-nginx-custom-snippets
- rule: check-config-map
- resource: config-map-empty
- kind: ConfigMap
- result: pass
- - policy: disallow-ingress-nginx-custom-snippets
- rule: check-ingress-annotations
- resource: cafe-ingress-with-snippets
- kind: Ingress
- result: fail
- - policy: disallow-ingress-nginx-custom-snippets
- rule: check-ingress-annotations
- resource: cafe-ingress
- kind: Ingress
- result: pass
+- kind: ConfigMap
+ policy: disallow-ingress-nginx-custom-snippets
+ resources:
+ - config-map-true
+ result: fail
+ rule: check-config-map
+- kind: ConfigMap
+ policy: disallow-ingress-nginx-custom-snippets
+ resources:
+ - config-map-false
+ result: pass
+ rule: check-config-map
+- kind: ConfigMap
+ policy: disallow-ingress-nginx-custom-snippets
+ resources:
+ - config-map-other
+ result: pass
+ rule: check-config-map
+- kind: ConfigMap
+ policy: disallow-ingress-nginx-custom-snippets
+ resources:
+ - config-map-empty
+ result: pass
+ rule: check-config-map
+- kind: Ingress
+ policy: disallow-ingress-nginx-custom-snippets
+ resources:
+ - cafe-ingress-with-snippets
+ result: fail
+ rule: check-ingress-annotations
+- kind: Ingress
+ policy: disallow-ingress-nginx-custom-snippets
+ resources:
+ - cafe-ingress
+ result: pass
+ rule: check-ingress-annotations
diff --git a/nginx-ingress/restrict-annotations/kyverno-test.yaml b/nginx-ingress/restrict-annotations/kyverno-test.yaml
index 0442bf25a..284df3a23 100644
--- a/nginx-ingress/restrict-annotations/kyverno-test.yaml
+++ b/nginx-ingress/restrict-annotations/kyverno-test.yaml
@@ -1,41 +1,48 @@
 name: restrict-annotations
 policies:
- - restrict-annotations.yaml
+- restrict-annotations.yaml
 resources:
- - resources.yaml
+- resources.yaml
 results:
- - policy: restrict-annotations
- rule: check-ingress
- resource: no-annotations
- kind: Ingress
- result: pass
- - policy: restrict-annotations
- rule: check-ingress
- resource: good-annotations
- kind: Ingress
- result: pass
- - policy: restrict-annotations
- rule: check-ingress
- resource: alias
- kind: Ingress
- result: fail
- - policy: restrict-annotations
- rule: check-ingress
- resource: root
- kind: Ingress
- result: fail
- - policy: restrict-annotations
- rule: check-ingress
- resource: etc-passwd
- kind: Ingress
- result: fail
- - policy: restrict-annotations
- rule: check-ingress
- resource: var-run-secrets
- kind: Ingress
- result: fail
- - policy: restrict-annotations
- rule: check-ingress
- resource: lua
- kind: Ingress
- result: fail
+- kind: Ingress
+ policy: restrict-annotations
+ resources:
+ - no-annotations
+ result: pass
+ rule: check-ingress
+- kind: Ingress
+ policy: restrict-annotations
+ resources:
+ - good-annotations
+ result: pass
+ rule: check-ingress
+- kind: Ingress
+ policy: restrict-annotations
+ resources:
+ - alias
+ result: fail
+ rule: check-ingress
+- kind: Ingress
+ policy: restrict-annotations
+ resources:
+ - root
+ result: fail
+ rule: check-ingress
+- kind: Ingress
+ policy: restrict-annotations
+ resources:
+ - etc-passwd
+ result: fail
+ rule: check-ingress
+- kind: Ingress
+ policy: restrict-annotations
+ resources:
+ - var-run-secrets
+ result: fail
+ rule: check-ingress
+- kind: Ingress
+ policy: restrict-annotations
+ resources:
+ - lua
+ result: fail
+ rule: check-ingress
diff --git a/nginx-ingress/restrict-ingress-paths/kyverno-test.yaml b/nginx-ingress/restrict-ingress-paths/kyverno-test.yaml
index 084236095..94df8ebb4 100644
--- a/nginx-ingress/restrict-ingress-paths/kyverno-test.yaml
+++ b/nginx-ingress/restrict-ingress-paths/kyverno-test.yaml
@@ -1,31 +1,36 @@
 name: restrict-annotations
 policies:
- - restrict-ingress-paths.yaml
+- restrict-ingress-paths.yaml
 resources:
- - resources.yaml
+- resources.yaml
 results:
- - policy: restrict-ingress-paths
- rule: check-paths
- resource: good-paths
- kind: Ingress
- result: pass
- - policy: restrict-ingress-paths
- rule: check-paths
- resource: bad-path-root
- kind: Ingress
- result: fail
- - policy: restrict-ingress-paths
- rule: check-paths
- resource: bad-path-etc
- kind: Ingress
- result: fail
- - policy: restrict-ingress-paths
- rule: check-paths
- resource: bad-path-serviceaccount
- kind: Ingress
- result: fail
- - policy: restrict-ingress-paths
- rule: check-paths
- resource: bad-path-secrets
- kind: Ingress
- result: fail
\ No newline at end of file
+- kind: Ingress
+ policy: restrict-ingress-paths
+ resources:
+ - good-paths
+ result: pass
+ rule: check-paths
+- kind: Ingress
+ policy: restrict-ingress-paths
+ resources:
+ - bad-path-root
+ result: fail
+ rule: check-paths
+- kind: Ingress
+ policy: restrict-ingress-paths
+ resources:
+ - bad-path-etc
+ result: fail
+ rule: check-paths
+- kind: Ingress
+ policy: restrict-ingress-paths
+ resources:
+ - bad-path-serviceaccount
+ result: fail
+ rule: check-paths
+- kind: Ingress
+ policy: restrict-ingress-paths
+ resources:
+ - bad-path-secrets
+ result: fail
+ rule: check-paths
diff --git a/openshift/check-routes/kyverno-test.yaml b/openshift/check-routes/kyverno-test.yaml
index 83bbbe6a0..bf9d06554 100644
--- a/openshift/check-routes/kyverno-test.yaml
+++ b/openshift/check-routes/kyverno-test.yaml
@@ -1,26 +1,30 @@
 name: check-routes
 policies:
- - check-routes.yaml
+- check-routes.yaml
 resources:
- - resources.yaml
+- resources.yaml
 results:
- - policy: check-routes
- rule: require-tls-routes
- resource: hello-openshift-http
- kind: Route
- result: fail
- - policy: check-routes
- rule: require-tls-routes
- resource: frontend
- kind: Route
- result: pass
- - policy: check-routes
- rule: require-tls-routes
- resource: frontend-edge
- kind: Route
- result: pass
- - policy: check-routes
- rule: require-tls-routes
- resource: route-passthrough-secured
- kind: Route
- result: pass
\ No newline at end of file
+- kind: Route
+ policy: check-routes
+ resources:
+ - hello-openshift-http
+ result: fail
+ rule: require-tls-routes
+- kind: Route
+ policy: check-routes
+ resources:
+ - frontend
+ result: pass
+ rule: require-tls-routes
+- kind: Route
+ policy: check-routes
+ resources:
+ - frontend-edge
+ result: pass
+ rule: require-tls-routes
+- kind: Route
+ policy: check-routes
+ resources:
+ - route-passthrough-secured
+ result: pass
+ rule: require-tls-routes
diff --git a/openshift/disallow-deprecated-apis/kyverno-test.yaml b/openshift/disallow-deprecated-apis/kyverno-test.yaml
index bf0fef506..5ce2cdafa 100644
--- a/openshift/disallow-deprecated-apis/kyverno-test.yaml
+++ b/openshift/disallow-deprecated-apis/kyverno-test.yaml
@@ -1,46 +1,30 @@
 name: check-routes
 policies:
- - disallow-deprecated-apis.yaml
+- disallow-deprecated-apis.yaml
 resources:
- - resources.yaml
+- resources.yaml
 results:
- - policy: disallow-deprecated-apis
- rule: check-deprecated-apis
- resource: openshift-cluster-role-deprecated
- kind: ClusterRole
- result: fail
- - policy: disallow-deprecated-apis
- rule: check-deprecated-apis
- resource: openshift-cluster-role-binding-deprecated
- kind: ClusterRoleBinding
- result: fail
- - policy: disallow-deprecated-apis
- rule: check-deprecated-apis
- resource: openshift-role-deprecated
- kind: Role
- result: fail
- - policy: disallow-deprecated-apis
- rule: check-deprecated-apis
- resource: openshift-role-binding-deprecated
- kind: RoleBinding
- result: fail
- # - policy: disallow-deprecated-apis
- # rule: check-deprecated-apis
- # resource: openshift-cluster-role-valid
- # kind: ClusterRole
- # result: skip
- # - policy: disallow-deprecated-apis
- # rule: check-deprecated-apis
- # resource: openshift-cluster-role-binding
- # kind: ClusterRoleBinding
- # result: skip
- # - policy: disallow-deprecated-apis
- # rule: check-deprecated-apis
- # resource: openshift-role
- # kind: Role
- # result: skip
- # - policy: disallow-deprecated-apis
- # rule: check-deprecated-apis
- # resource: openshift-role-binding
- # kind: RoleBinding
- # result: skip
+- kind: ClusterRole
+ policy: disallow-deprecated-apis
+ resources:
+ - openshift-cluster-role-deprecated
+ result: fail
+ rule: check-deprecated-apis
+- kind: ClusterRoleBinding
+ policy: disallow-deprecated-apis
+ resources:
+ - openshift-cluster-role-binding-deprecated
+ result: fail
+ rule: check-deprecated-apis
+- kind: Role
+ policy: disallow-deprecated-apis
+ resources:
+ - openshift-role-deprecated
+ result: fail
+ rule: check-deprecated-apis
+- kind: RoleBinding
+ policy: disallow-deprecated-apis
+ resources:
+ - openshift-role-binding-deprecated
+ result: fail
+ rule: check-deprecated-apis
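Review bot: After this change the file holds only `result: fail` entries; the four commented-out `result: skip` cases for the current-API `openshift-cluster-role-valid`, `openshift-cluster-role-binding`, `openshift-role` and `openshift-role-binding` resources are deleted rather than migrated, so nothing asserts that the policy leaves non-deprecated RBAC objects alone and a rule that denied every Role or ClusterRole would still pass this test. Unless those resources have been dropped from the fixture, restore them as live entries in the new shape, each with `kind`, `policy`, a one-item `resources` list and whichever of `result: skip` or `result: pass` the policy actually produces. The same pattern occurs in the team-validate-ns-name hunk further down, where the commented-out `test-namespace` / `result: fail` case is removed and only a pass case remains, so a policy that never denies would stay green there.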
diff --git a/openshift/disallow-jenkins-pipeline-strategy/kyverno-test.yaml b/openshift/disallow-jenkins-pipeline-strategy/kyverno-test.yaml
index c8c68a40e..433ae5430 100644
--- a/openshift/disallow-jenkins-pipeline-strategy/kyverno-test.yaml
+++ b/openshift/disallow-jenkins-pipeline-strategy/kyverno-test.yaml
@@ -1,26 +1,30 @@
 name: check-policy
 policies:
- - disallow-jenkins-pipeline-strategy.yaml
+- disallow-jenkins-pipeline-strategy.yaml
 resources:
- - resources.yaml
+- resources.yaml
 results:
- - policy: disallow-jenkins-pipeline-strategy
- rule: check-build-strategy
- resource: sample-jenkins-pipeline
- kind: BuildConfig
- result: fail
- - policy: disallow-jenkins-pipeline-strategy
- rule: check-build-strategy
- resource: sample-pipeline-no-jenkins
- kind: BuildConfig
- result: pass
- - policy: disallow-jenkins-pipeline-strategy
- rule: check-build-strategy
- resource: sample-jenkins-pipeline-new
- kind: BuildConfig
- result: fail
- - policy: disallow-jenkins-pipeline-strategy
- rule: check-build-strategy
- resource: sample-pipeline-no-jenkins-new
- kind: BuildConfig
- result: pass
+- kind: BuildConfig
+ policy: disallow-jenkins-pipeline-strategy
+ resources:
+ - sample-jenkins-pipeline
+ result: fail
+ rule: check-build-strategy
+- kind: BuildConfig
+ policy: disallow-jenkins-pipeline-strategy
+ resources:
+ - sample-pipeline-no-jenkins
+ result: pass
+ rule: check-build-strategy
+- kind: BuildConfig
+ policy: disallow-jenkins-pipeline-strategy
+ resources:
+ - sample-jenkins-pipeline-new
+ result: fail
+ rule: check-build-strategy
+- kind: BuildConfig
+ policy: disallow-jenkins-pipeline-strategy
+ resources:
+ - sample-pipeline-no-jenkins-new
+ result: pass
+ rule: check-build-strategy
diff --git a/openshift/disallow-security-context-constraint-anyuid/kyverno-test.yaml b/openshift/disallow-security-context-constraint-anyuid/kyverno-test.yaml
index 37abd414c..d647a2e33 100644
--- a/openshift/disallow-security-context-constraint-anyuid/kyverno-test.yaml
+++ b/openshift/disallow-security-context-constraint-anyuid/kyverno-test.yaml 
@@ -1,56 +1,66 @@
 name: check-routes
 policies:
- - disallow-security-context-constraint-anyuid.yaml
+- disallow-security-context-constraint-anyuid.yaml
 resources:
- - resources.yaml
+- resources.yaml
 results:
- - policy: disallow-security-context-constraint-anyuid
- rule: check-security-context-constraint
- resource: pod-role-anyuid-use
- kind: Role
- result: fail
- - policy: disallow-security-context-constraint-anyuid
- rule: check-security-context-constraint
- resource: pod-role
- kind: Role
- result: pass
- - policy: disallow-security-context-constraint-anyuid
- rule: check-security-context-constraint
- resource: pod-role-anyuid-all
- kind: Role
- result: fail
- - policy: disallow-security-context-constraint-anyuid
- rule: check-security-context-constraint
- resource: secret-reader-anyuid-use
- kind: ClusterRole
- result: fail
- - policy: disallow-security-context-constraint-anyuid
- rule: check-security-context-constraint
- resource: secret-reader
- kind: ClusterRole
- result: pass
- - policy: disallow-security-context-constraint-anyuid
- rule: check-security-context-constraint
- resource: secret-reader-anyuid-all
- kind: ClusterRole
- result: fail
- - policy: disallow-security-context-constraint-anyuid
- rule: check-security-context-roleref
- resource: rolebinding-anyuid
- kind: RoleBinding
- result: fail
- - policy: disallow-security-context-constraint-anyuid
- rule: check-security-context-roleref
- resource: clusterrolebinding-anyuid
- kind: ClusterRoleBinding
- result: fail
- - policy: disallow-security-context-constraint-anyuid
- rule: check-security-context-roleref
- resource: rolebinding-test
- kind: RoleBinding
- result: pass
- - policy: disallow-security-context-constraint-anyuid
- rule: check-security-context-roleref
- resource: clusterrolebinding-test
- kind: ClusterRoleBinding
- result: pass
+- kind: Role
+ policy: disallow-security-context-constraint-anyuid
+ resources:
+ - pod-role-anyuid-use
+ result: fail
+ rule: check-security-context-constraint
+- kind: Role
+ policy: disallow-security-context-constraint-anyuid
+ resources:
+ - pod-role
+ result: pass
+ rule: check-security-context-constraint
+- kind: Role
+ policy: disallow-security-context-constraint-anyuid
+ resources:
+ - pod-role-anyuid-all
+ result: fail
+ rule: check-security-context-constraint
+- kind: ClusterRole
+ policy: disallow-security-context-constraint-anyuid
+ resources:
+ - secret-reader-anyuid-use
+ result: fail
+ rule: check-security-context-constraint
+- kind: ClusterRole
+ policy: disallow-security-context-constraint-anyuid
+ resources:
+ - secret-reader
+ result: pass
+ rule: check-security-context-constraint
+- kind: ClusterRole
+ policy: disallow-security-context-constraint-anyuid
+ resources:
+ - secret-reader-anyuid-all
+ result: fail
+ rule: check-security-context-constraint
+- kind: RoleBinding
+ policy: disallow-security-context-constraint-anyuid
+ resources:
+ - rolebinding-anyuid
+ result: fail
+ rule: check-security-context-roleref
+- kind: ClusterRoleBinding
+ policy: disallow-security-context-constraint-anyuid
+ resources:
+ - clusterrolebinding-anyuid
+ result: fail
+ rule: check-security-context-roleref
+- kind: RoleBinding
+ policy: disallow-security-context-constraint-anyuid
+ resources:
+ - rolebinding-test
+ result: pass
+ rule: check-security-context-roleref
+- kind: ClusterRoleBinding
+ policy: disallow-security-context-constraint-anyuid
+ resources:
+ - clusterrolebinding-test
+ result: pass
+ rule: check-security-context-roleref
diff --git a/openshift/disallow-self-provisioner-binding/kyverno-test.yaml b/openshift/disallow-self-provisioner-binding/kyverno-test.yaml
index 3dd2eac70..b87c7e66a 100644
--- a/openshift/disallow-self-provisioner-binding/kyverno-test.yaml
+++ b/openshift/disallow-self-provisioner-binding/kyverno-test.yaml
@@ -1,27 +1,31 @@
 name: check-routes
 policies:
- - disallow-self-provisioner-binding.yaml
+- disallow-self-provisioner-binding.yaml
 resources:
- - resources.yaml
-variables: values.yaml
+- resources.yaml
 results:
- - policy: disallow-self-provisioner-binding
- rule: check-self-provisioner-binding-no-subject
- resource: self-provisioners
- kind: ClusterRoleBinding
- result: pass
- - policy: disallow-self-provisioner-binding
- rule: check-self-provisioner-binding-with-subject
- resource: self-provisioners-custom
- kind: ClusterRoleBinding
- result: fail
- - policy: disallow-self-provisioner-binding
- rule: check-self-provisioner-binding-with-subject
- resource: self-provisioners-custom-test
- kind: ClusterRoleBinding
- result: fail
- - policy: disallow-self-provisioner-binding
- rule: check-self-provisioner-binding-with-subject
- resource: system:openshift:scc:privileged
- kind: ClusterRoleBinding
- result: pass
+- kind: ClusterRoleBinding
+ policy: disallow-self-provisioner-binding
+ resources:
+ - self-provisioners
+ result: pass
+ rule: check-self-provisioner-binding-no-subject
+- kind: ClusterRoleBinding
+ policy: disallow-self-provisioner-binding
+ resources:
+ - self-provisioners-custom
+ result: fail
+ rule: check-self-provisioner-binding-with-subject
+- kind: ClusterRoleBinding
+ policy: disallow-self-provisioner-binding
+ resources:
+ - self-provisioners-custom-test
+ result: fail
+ rule: check-self-provisioner-binding-with-subject
+- kind: ClusterRoleBinding
+ policy: disallow-self-provisioner-binding
+ resources:
+ - system:openshift:scc:privileged
+ result: pass
+ rule: check-self-provisioner-binding-with-subject
+variables: values.yaml
diff --git a/openshift/enforce-etcd-encryption/kyverno-test.yaml b/openshift/enforce-etcd-encryption/kyverno-test.yaml
index e7da3850f..2b263afac 100644
--- a/openshift/enforce-etcd-encryption/kyverno-test.yaml
+++ b/openshift/enforce-etcd-encryption/kyverno-test.yaml
@@ -1,16 +1,18 @@ name: check-policy policies: - - enforce-etcd-encryption.yaml +- enforce-etcd-encryption.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: enforce-etcd-encryption - rule: check-etcd-encryption - resource: cluster-no-encryption - kind: APIServer - result: fail - - policy: enforce-etcd-encryption - rule: check-etcd-encryption - resource: cluster-with-encryption - kind: APIServer - result: pass +- kind: APIServer + policy: enforce-etcd-encryption + resources: + - cluster-no-encryption + result: fail + rule: check-etcd-encryption +- kind: APIServer + policy: enforce-etcd-encryption + resources: + - cluster-with-encryption + result: pass + rule: check-etcd-encryption diff --git a/openshift/team-validate-ns-name/kyverno-test.yaml b/openshift/team-validate-ns-name/kyverno-test.yaml index a93a72d0d..2f830fbe4 100644 --- a/openshift/team-validate-ns-name/kyverno-test.yaml +++ b/openshift/team-validate-ns-name/kyverno-test.yaml @@ -1,16 +1,12 @@ name: team-validate-ns-name policies: - - team-validate-ns-name.yaml +- team-validate-ns-name.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: team-validate-ns-name - rule: team-validate-ns-name - resource: team1-test - kind: Namespace - result: pass - # - policy: team-validate-ns-name - # rule: team-validate-ns-name - # resource: test-namespace - # kind: Namespace - # result: fail +- kind: Namespace + policy: team-validate-ns-name + resources: + - team1-test + result: pass + rule: team-validate-ns-name diff --git a/openshift/unique-routes/kyverno-test.yaml b/openshift/unique-routes/kyverno-test.yaml index 0dfc1ed7a..e8656766e 100644 --- a/openshift/unique-routes/kyverno-test.yaml +++ b/openshift/unique-routes/kyverno-test.yaml 
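Review bot: In the team-validate-ns-name hunk the commented-out negative case (`test-namespace`, expected `fail`) is dropped rather than converted, leaving a single `pass` expectation, so a regression that makes the rule match nothing would still pass this test. The same thing happens to the commented `second`/`skip` case in the add-pod-priorityclassname hunk, the `small-image`/`pass` case in block-large-images and the `demo-sa`/`skip` case in disable-automountserviceaccounttoken further down. Either restore each as a live entry in the new layout (a second item mirroring the first with `resources: [test-namespace]` and `result: fail`), or keep a one-line comment such as `# TODO: no negative case yet; the commented fail case was removed in the reformat` so the coverage gap stays visible. Whether the referenced objects still exist in `resource.yaml` cannot be confirmed from this diff.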
@@ -1,18 +1,19 @@ ---- name: unique-routes-tests policies: - - unique-routes.yaml +- unique-routes.yaml resources: - - resources.yaml -variables: mock.yaml +- resources.yaml results: - - policy: unique-routes - rule: require-unique-routes - resource: hello-openshift-good - kind: Route - result: pass - - policy: unique-routes - rule: require-unique-routes - resource: hello-openshift-bad - kind: Route - result: fail +- kind: Route + policy: unique-routes + resources: + - hello-openshift-good + result: pass + rule: require-unique-routes +- kind: Route + policy: unique-routes + resources: + - hello-openshift-bad + result: fail + rule: require-unique-routes +variables: mock.yaml diff --git a/other/a/add-certificates-volume/kyverno-test.yaml b/other/a/add-certificates-volume/kyverno-test.yaml index 1f3e8e17d..6e7258ce0 100644 --- a/other/a/add-certificates-volume/kyverno-test.yaml +++ b/other/a/add-certificates-volume/kyverno-test.yaml @@ -1,12 +1,13 @@ name: add-volume policies: - - add-certificates-volume.yaml +- add-certificates-volume.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-certificates-volume - rule: add-ssl-certs - resource: mypod - patchedResource: patchedResource.yaml - kind: Pod - result: pass +- kind: Pod + patchedResource: patchedResource.yaml + policy: add-certificates-volume + resources: + - mypod + result: pass + rule: add-ssl-certs diff --git a/other/a/add-default-resources/kyverno-test.yaml b/other/a/add-default-resources/kyverno-test.yaml index 1007774b9..1ae3faa92 100644 --- a/other/a/add-default-resources/kyverno-test.yaml +++ b/other/a/add-default-resources/kyverno-test.yaml 
@@ -1,25 +1,27 @@ name: add-default-resources policies: - - add-default-resources.yaml +- add-default-resources.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-default-resources - rule: add-default-requests - resource: nginx-demo1 - patchedResource: patchedResource1.yaml - kind: Pod - result: pass -# nginx-demo2 will get skip as resource already has memory and cpu requests - - policy: add-default-resources - rule: add-default-requests - resource: nginx-demo2 - patchedResource: patchedResource2.yaml - kind: Pod - result: skip - - policy: add-default-resources - rule: add-default-requests - resource: nginx-demo3 - patchedResource: patchedResource3.yaml - kind: Pod - result: pass +- kind: Pod + patchedResource: patchedResource1.yaml + policy: add-default-resources + resources: + - nginx-demo1 + result: pass + rule: add-default-requests +- kind: Pod + patchedResource: patchedResource2.yaml + policy: add-default-resources + resources: + - nginx-demo2 + result: skip + rule: add-default-requests +- kind: Pod + patchedResource: patchedResource3.yaml + policy: add-default-resources + resources: + - nginx-demo3 + result: pass + rule: add-default-requests diff --git a/other/a/add-default-securitycontext/kyverno-test.yaml b/other/a/add-default-securitycontext/kyverno-test.yaml index 4c0e4f040..bf67c18e8 100644 --- a/other/a/add-default-securitycontext/kyverno-test.yaml +++ b/other/a/add-default-securitycontext/kyverno-test.yaml @@ -1,12 +1,13 @@ name: add-default-securitycontext policies: - - add-default-securitycontext.yaml +- add-default-securitycontext.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-default-securitycontext - rule: add-default-securitycontext - resource: myapp-pod - patchedResource: patchedResource.yaml - kind: Pod - result: pass +- kind: Pod + patchedResource: patchedResource.yaml + policy: add-default-securitycontext + resources: + - myapp-pod + result: pass + rule: add-default-securitycontext 
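Review bot: The add-default-resources hunk drops the comment explaining why `nginx-demo2` is expected to `skip` (the resource already carries memory and cpu requests), and the new entry gives no hint that `skip` is deliberate rather than a stale expectation. The add-imagepullsecrets-for-containers-and-initcontainers hunk below loses the equivalent comments for `myapp-pod-3` and `myapp-pod-4`. Suggest keeping them above the respective entries in the new layout, e.g. `# nginx-demo2 already has cpu and memory requests, so the mutate rule is skipped`, since a `skip` that is not explained tends to be "fixed" to `pass` later.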
diff --git a/other/a/add-env-vars-from-cm/kyverno-test.yaml b/other/a/add-env-vars-from-cm/kyverno-test.yaml index 42b96c456..9a41fde43 100644 --- a/other/a/add-env-vars-from-cm/kyverno-test.yaml +++ b/other/a/add-env-vars-from-cm/kyverno-test.yaml @@ -1,12 +1,13 @@ name: add-env-vars-from-cm policies: - - add-env-vars-from-cm.yaml +- add-env-vars-from-cm.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-env-vars-from-cm - rule: add-env-vars-from-cm - resource: mypod - patchedResource: patchedResource01.yaml - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + patchedResource: patchedResource01.yaml + policy: add-env-vars-from-cm + resources: + - mypod + result: pass + rule: add-env-vars-from-cm diff --git a/other/a/add-image-as-env-var/kyverno-test.yaml b/other/a/add-image-as-env-var/kyverno-test.yaml index ce4e08041..98ee9a180 100644 --- a/other/a/add-image-as-env-var/kyverno-test.yaml +++ b/other/a/add-image-as-env-var/kyverno-test.yaml 
@@ -1,24 +1,27 @@ name: add-image-as-env-var policies: - - add-image-as-env-var.yaml +- add-image-as-env-var.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-image-as-env-var - rule: pod-containers-inject-image - resource: pod01 - patchedResource: patched-pod01.yaml - kind: Pod - result: pass - - policy: add-image-as-env-var - rule: pod-containers-inject-image - resource: pod02 - patchedResource: patched-pod02.yaml - kind: Pod - result: pass - - policy: add-image-as-env-var - rule: pod-containers-inject-image - resource: pod03 - patchedResource: patched-pod03.yaml - kind: Pod - result: pass +- kind: Pod + patchedResource: patched-pod01.yaml + policy: add-image-as-env-var + resources: + - pod01 + result: pass + rule: pod-containers-inject-image +- kind: Pod + patchedResource: patched-pod02.yaml + policy: add-image-as-env-var + resources: + - pod02 + result: pass + rule: pod-containers-inject-image +- kind: Pod + patchedResource: patched-pod03.yaml + policy: add-image-as-env-var + resources: + - pod03 + result: pass + rule: pod-containers-inject-image diff --git a/other/a/add-imagepullsecrets-for-containers-and-initcontainers/kyverno-test.yaml b/other/a/add-imagepullsecrets-for-containers-and-initcontainers/kyverno-test.yaml index 5acc5859f..b3796df8f 100644 --- a/other/a/add-imagepullsecrets-for-containers-and-initcontainers/kyverno-test.yaml +++ b/other/a/add-imagepullsecrets-for-containers-and-initcontainers/kyverno-test.yaml 
@@ -1,37 +1,34 @@ name: add-imagepullsecrets-for-containers-and-initcontainers policies: - - add-imagepullsecrets-for-containers-and-initcontainers.yaml +- add-imagepullsecrets-for-containers-and-initcontainers.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-imagepullsecrets-for-containers-and-initcontainers - rule: add-imagepullsecret - resource: myapp-pod-1 - patchedResource: patchedResource1.yaml - kind: Pod - result: pass - - - policy: add-imagepullsecrets-for-containers-and-initcontainers - rule: add-imagepullsecret - resource: myapp-pod-2 - patchedResource: patchedResource2.yaml - kind: Pod - result: pass - -# this will be skip because resource already has imagePullSecrets - - policy: add-imagepullsecrets-for-containers-and-initcontainers - rule: add-imagepullsecret - resource: myapp-pod-3 - patchedResource: patchedResource3.yaml - kind: Pod - result: skip - -# this will be skip because resource image doesn't have registry 'corp.reg.com' - - policy: add-imagepullsecrets-for-containers-and-initcontainers - rule: add-imagepullsecret - resource: myapp-pod-4 - patchedResource: patchedResource4.yaml - kind: Pod - result: skip - - \ No newline at end of file +- kind: Pod + patchedResource: patchedResource1.yaml + policy: add-imagepullsecrets-for-containers-and-initcontainers + resources: + - myapp-pod-1 + result: pass + rule: add-imagepullsecret +- kind: Pod + patchedResource: patchedResource2.yaml + policy: add-imagepullsecrets-for-containers-and-initcontainers + resources: + - myapp-pod-2 + result: pass + rule: add-imagepullsecret +- kind: Pod + patchedResource: patchedResource3.yaml + policy: add-imagepullsecrets-for-containers-and-initcontainers + resources: + - myapp-pod-3 + result: skip + rule: add-imagepullsecret +- kind: Pod + patchedResource: patchedResource4.yaml + policy: add-imagepullsecrets-for-containers-and-initcontainers + resources: + - myapp-pod-4 + result: skip + rule: add-imagepullsecret 
diff --git a/other/a/add-imagepullsecrets/kyverno-test.yaml b/other/a/add-imagepullsecrets/kyverno-test.yaml index fd8927f57..8fbbc7b82 100644 --- a/other/a/add-imagepullsecrets/kyverno-test.yaml +++ b/other/a/add-imagepullsecrets/kyverno-test.yaml @@ -1,25 +1,27 @@ name: add-imagepullsecrets policies: - - add-imagepullsecrets.yaml +- add-imagepullsecrets.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-imagepullsecrets - rule: add-imagepullsecret - resource: myapp-pod-1 - patchedResource: patchedResource1.yaml - kind: Pod - result: pass - # result should be skip - - policy: add-imagepullsecrets - rule: add-imagepullsecret - resource: myapp-pod-2 - patchedResource: patchedResource2.yaml - kind: Pod - result: skip - - policy: add-imagepullsecrets - rule: add-imagepullsecret - resource: myapp-pod-3 - patchedResource: patchedResource3.yaml - kind: Pod - result: skip \ No newline at end of file +- kind: Pod + patchedResource: patchedResource1.yaml + policy: add-imagepullsecrets + resources: + - myapp-pod-1 + result: pass + rule: add-imagepullsecret +- kind: Pod + patchedResource: patchedResource2.yaml + policy: add-imagepullsecrets + resources: + - myapp-pod-2 + result: skip + rule: add-imagepullsecret +- kind: Pod + patchedResource: patchedResource3.yaml + policy: add-imagepullsecrets + resources: + - myapp-pod-3 + result: skip + rule: add-imagepullsecret diff --git a/other/a/add-labels/kyverno-test.yaml b/other/a/add-labels/kyverno-test.yaml index 3252bdb7d..e92576dac 100644 --- a/other/a/add-labels/kyverno-test.yaml +++ b/other/a/add-labels/kyverno-test.yaml 
@@ -1,20 +1,22 @@ name: add-labels policies: - - add-labels.yaml +- add-labels.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-labels - rule: add-labels - resource: myapp-pod - patchedResource: patchedResource.yaml - kind: Pod - namespace: default - result: pass - - policy: add-labels - rule: add-labels - resource: my-service - patchedResource: patchedResource1.yaml - kind: Service - namespace: default - result: pass +- kind: Pod + namespace: default + patchedResource: patchedResource.yaml + policy: add-labels + resources: + - myapp-pod + result: pass + rule: add-labels +- kind: Service + namespace: default + patchedResource: patchedResource1.yaml + policy: add-labels + resources: + - my-service + result: pass + rule: add-labels diff --git a/other/a/add-ndots/kyverno-test.yaml b/other/a/add-ndots/kyverno-test.yaml index 9c3da29e7..924a178b9 100644 --- a/other/a/add-ndots/kyverno-test.yaml +++ b/other/a/add-ndots/kyverno-test.yaml @@ -1,13 +1,14 @@ name: add-ndots policies: - - add-ndots.yaml +- add-ndots.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-ndots - rule: add-ndots - resource: myapp-pod - patchedResource: patchedResource.yaml - kind: Pod - namespace: default - result: pass +- kind: Pod + namespace: default + patchedResource: patchedResource.yaml + policy: add-ndots + resources: + - myapp-pod + result: pass + rule: add-ndots diff --git a/other/a/add-node-affinity/kyverno-test.yaml b/other/a/add-node-affinity/kyverno-test.yaml index 3f395e01a..da18cd01b 100644 --- a/other/a/add-node-affinity/kyverno-test.yaml +++ b/other/a/add-node-affinity/kyverno-test.yaml 
@@ -1,12 +1,13 @@ name: add-node-affinity policies: - - add-node-affinity.yaml +- add-node-affinity.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-node-affinity - rule: add-node-affinity-deployment - resource: tomcat-deployment - patchedResource: patchedResource.yaml - kind: Deployment - result: pass +- kind: Deployment + patchedResource: patchedResource.yaml + policy: add-node-affinity + resources: + - tomcat-deployment + result: pass + rule: add-node-affinity-deployment diff --git a/other/a/add-nodeSelector/kyverno-test.yaml b/other/a/add-nodeSelector/kyverno-test.yaml index 8c61e8388..1b0ec91f4 100644 --- a/other/a/add-nodeSelector/kyverno-test.yaml +++ b/other/a/add-nodeSelector/kyverno-test.yaml @@ -1,13 +1,14 @@ name: add-nodeselector policies: - - add-nodeSelector.yaml +- add-nodeSelector.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-nodeselector - rule: add-nodeselector - resource: myapp-pod - patchedResource: patchedResource.yaml - kind: Pod - namespace: default - result: pass \ No newline at end of file +- kind: Pod + namespace: default + patchedResource: patchedResource.yaml + policy: add-nodeselector + resources: + - myapp-pod + result: pass + rule: add-nodeselector diff --git a/other/a/add-pod-priorityclassname/kyverno-test.yaml b/other/a/add-pod-priorityclassname/kyverno-test.yaml index f2bedfe70..67bc7ebfc 100644 --- a/other/a/add-pod-priorityclassname/kyverno-test.yaml +++ b/other/a/add-pod-priorityclassname/kyverno-test.yaml 
@@ -1,20 +1,15 @@ name: add-pod-priorityclassname policies: - - add-pod-priorityclassname.yaml +- add-pod-priorityclassname.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: add-pod-priorityclassname - rule: add-priorityclass-pods - resource: blank - kind: Pod - namespace: foo - patchedResource: patchedResource.yaml - result: pass - # - policy: add-pod-priorityclassname - # rule: add-priorityclass-pods - # resource: second - # kind: Pod - # namespace: production - # result: skip +- kind: Pod + namespace: foo + patchedResource: patchedResource.yaml + policy: add-pod-priorityclassname + resources: + - blank + result: pass + rule: add-priorityclass-pods +variables: values.yaml diff --git a/other/a/add-pod-proxies/kyverno-test.yaml b/other/a/add-pod-proxies/kyverno-test.yaml index ad6234cdc..8f06b7591 100644 --- a/other/a/add-pod-proxies/kyverno-test.yaml +++ b/other/a/add-pod-proxies/kyverno-test.yaml @@ -1,19 +1,20 @@ name: add-pod-proxies policies: - - add-pod-proxies.yaml +- add-pod-proxies.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-pod-proxies - rule: add-pod-proxies - resource: myapp-pod-1 - patchedResource: patchedResource1.yaml - kind: Pod - result: pass - # result should be skip - - policy: add-pod-proxies - rule: add-pod-proxies - resource: myapp-pod-2 - patchedResource: patchedResource2.yaml - kind: Pod - result: pass +- kind: Pod + patchedResource: patchedResource1.yaml + policy: add-pod-proxies + resources: + - myapp-pod-1 + result: pass + rule: add-pod-proxies +- kind: Pod + patchedResource: patchedResource2.yaml + policy: add-pod-proxies + resources: + - myapp-pod-2 + result: pass + rule: add-pod-proxies diff --git a/other/a/add-tolerations/kyverno-test.yaml b/other/a/add-tolerations/kyverno-test.yaml index 0c97a5ca0..01549eaef 100644 --- a/other/a/add-tolerations/kyverno-test.yaml +++ b/other/a/add-tolerations/kyverno-test.yaml 
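Review bot: In the add-pod-proxies hunk the `# result should be skip` comment over `myapp-pod-2` is removed while the expectation stays `result: pass`, so the recorded disagreement between intended and asserted behaviour disappears without being resolved. If the policy genuinely skips that pod now, the line should become `result: skip` and the test run confirms it; if it still reports pass, the note should survive the reformat, e.g. `# TODO: expected skip (pod already has proxy env); currently asserts pass`. Which of the two holds cannot be determined from this diff alone.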
@@ -4,20 +4,23 @@ policies: resources: - resource.yaml results: -- policy: add-tolerations - rule: service-toleration - resource: addpod01 - kind: Pod +- kind: Pod patchedResource: patched01.yaml + policy: add-tolerations + resources: + - addpod01 result: pass -- policy: add-tolerations rule: service-toleration - resource: addpod02 - kind: Pod +- kind: Pod patchedResource: patched02.yaml + policy: add-tolerations + resources: + - addpod02 result: pass -- policy: add-tolerations rule: service-toleration - resource: skippod01 - kind: Pod +- kind: Pod + policy: add-tolerations + resources: + - skippod01 result: skip + rule: service-toleration diff --git a/other/a/add-ttl-jobs/kyverno-test.yaml b/other/a/add-ttl-jobs/kyverno-test.yaml index c70315ca9..db4d3daae 100644 --- a/other/a/add-ttl-jobs/kyverno-test.yaml +++ b/other/a/add-ttl-jobs/kyverno-test.yaml @@ -4,19 +4,22 @@ policies: resources: - resource.yaml results: -- policy: add-ttl-jobs - rule: add-ttlSecondsAfterFinished - resource: addjob01 - kind: Job +- kind: Job patchedResource: patched01.yaml + policy: add-ttl-jobs + resources: + - addjob01 result: pass -- policy: add-ttl-jobs rule: add-ttlSecondsAfterFinished - resource: skipjob01 - kind: Job +- kind: Job + policy: add-ttl-jobs + resources: + - skipjob01 result: skip -- policy: add-ttl-jobs rule: add-ttlSecondsAfterFinished - resource: skipjob02 - kind: Job +- kind: Job + policy: add-ttl-jobs + resources: + - skipjob02 result: skip + rule: add-ttlSecondsAfterFinished diff --git a/other/a/add-volume-deployment/kyverno-test.yaml b/other/a/add-volume-deployment/kyverno-test.yaml index 532414160..3a3976cbb 100644 --- a/other/a/add-volume-deployment/kyverno-test.yaml +++ b/other/a/add-volume-deployment/kyverno-test.yaml 
@@ -1,12 +1,13 @@ name: add-volume policies: - - add-volume-deployment.yaml +- add-volume-deployment.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-volume - rule: add-volume - resource: mydeploy - patchedResource: patchedResource.yaml - kind: Deployment - result: pass +- kind: Deployment + patchedResource: patchedResource.yaml + policy: add-volume + resources: + - mydeploy + result: pass + rule: add-volume diff --git a/other/a/advanced-restrict-image-registries/kyverno-test.yaml b/other/a/advanced-restrict-image-registries/kyverno-test.yaml index ce44d82fd..b3ba77bc0 100644 --- a/other/a/advanced-restrict-image-registries/kyverno-test.yaml +++ b/other/a/advanced-restrict-image-registries/kyverno-test.yaml @@ -1,18 +1,19 @@ name: advanced-restrict-image-registries policies: - - advanced-restrict-image-registries.yaml +- advanced-restrict-image-registries.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: advanced-restrict-image-registries - rule: validate-corp-registries - resource: good-pod - kind: Pod - result: pass - - policy: advanced-restrict-image-registries - rule: validate-corp-registries - resource: bad-pod - kind: Pod - result: fail - \ No newline at end of file +- kind: Pod + policy: advanced-restrict-image-registries + resources: + - good-pod + result: pass + rule: validate-corp-registries +- kind: Pod + policy: advanced-restrict-image-registries + resources: + - bad-pod + result: fail + rule: validate-corp-registries +variables: values.yaml diff --git a/other/a/allowed-annotations/kyverno-test.yaml b/other/a/allowed-annotations/kyverno-test.yaml index 920bd6884..5ea0b39e3 100644 --- a/other/a/allowed-annotations/kyverno-test.yaml +++ b/other/a/allowed-annotations/kyverno-test.yaml 
@@ -1,16 +1,18 @@ name: allowed-annotations policies: - - allowed-annotations.yaml +- allowed-annotations.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: allowed-annotations - rule: allowed-fluxcd-annotations - resource: badpod01 - kind: Pod - result: fail - - policy: allowed-annotations - rule: allowed-fluxcd-annotations - resource: goodpod01 - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: allowed-annotations + resources: + - badpod01 + result: fail + rule: allowed-fluxcd-annotations +- kind: Pod + policy: allowed-annotations + resources: + - goodpod01 + result: pass + rule: allowed-fluxcd-annotations diff --git a/other/a/allowed-label-changes/kyverno-test.yaml b/other/a/allowed-label-changes/kyverno-test.yaml index f19298afe..dbf90d70e 100644 --- a/other/a/allowed-label-changes/kyverno-test.yaml +++ b/other/a/allowed-label-changes/kyverno-test.yaml @@ -1,17 +1,19 @@ name: allowed-label-changes policies: - - allowed-label-changes.yaml +- allowed-label-changes.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: allowed-label-changes - rule: safe-label - resource: badpod01 - kind: Pod - result: fail - - policy: allowed-label-changes - rule: safe-label - resource: goodpod01 - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: allowed-label-changes + resources: + - badpod01 + result: fail + rule: safe-label +- kind: Pod + policy: allowed-label-changes + resources: + - goodpod01 + result: pass + rule: safe-label +variables: values.yaml diff --git a/other/a/allowed-pod-priorities/kyverno-test.yaml b/other/a/allowed-pod-priorities/kyverno-test.yaml index ce9444f1a..e5d78dcf4 100644 --- a/other/a/allowed-pod-priorities/kyverno-test.yaml +++ b/other/a/allowed-pod-priorities/kyverno-test.yaml 
@@ -1,22 +1,25 @@ name: allowed-podpriorities policies: - - allowed-pod-priorities.yaml +- allowed-pod-priorities.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: allowed-podpriorities - rule: validate-pod-priority-pods - resource: myapp-pod - kind: Pod - result: pass - - policy: allowed-podpriorities - rule: validate-pod-priority - resource: mydeploy - kind: Deployment - result: fail - - policy: allowed-podpriorities - rule: validate-pod-priority-cronjob - resource: hello - kind: CronJob - result: pass \ No newline at end of file +- kind: Pod + policy: allowed-podpriorities + resources: + - myapp-pod + result: pass + rule: validate-pod-priority-pods +- kind: Deployment + policy: allowed-podpriorities + resources: + - mydeploy + result: fail + rule: validate-pod-priority +- kind: CronJob + policy: allowed-podpriorities + resources: + - hello + result: pass + rule: validate-pod-priority-cronjob +variables: values.yaml diff --git a/other/a/always-pull-images/kyverno-test.yaml b/other/a/always-pull-images/kyverno-test.yaml index d4c42ed69..67be39eb9 100644 --- a/other/a/always-pull-images/kyverno-test.yaml +++ b/other/a/always-pull-images/kyverno-test.yaml @@ -1,18 +1,20 @@ name: always-pull-images policies: - - always-pull-images.yaml +- always-pull-images.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: always-pull-images - rule: always-pull-images - resource: myapp-pod-1 - patchedResource: patchedResource1.yaml - kind: Pod - result: pass - - policy: always-pull-images - rule: always-pull-images - resource: myapp-pod-2 - patchedResource: patchedResource2.yaml - kind: Pod - result: skip +- kind: Pod + patchedResource: patchedResource1.yaml + policy: always-pull-images + resources: + - myapp-pod-1 + result: pass + rule: always-pull-images +- kind: Pod + patchedResource: patchedResource2.yaml + policy: always-pull-images + resources: + - myapp-pod-2 + result: skip + rule: always-pull-images 
diff --git a/other/a/apply-pss-restricted-profile/kyverno-test.yaml b/other/a/apply-pss-restricted-profile/kyverno-test.yaml index e9563ee81..1a09ba896 100644 --- a/other/a/apply-pss-restricted-profile/kyverno-test.yaml +++ b/other/a/apply-pss-restricted-profile/kyverno-test.yaml @@ -4,9 +4,10 @@ policies: resources: - resource.yaml results: -- policy: apply-pss-restricted-profile - rule: add-pss-fields - resource: mypod - kind: Pod +- kind: Pod patchedResource: mutatedmypod.yaml - result: pass \ No newline at end of file + policy: apply-pss-restricted-profile + resources: + - mypod + result: pass + rule: add-pss-fields diff --git a/other/b-d/block-images-with-volumes/kyverno-test.yaml b/other/b-d/block-images-with-volumes/kyverno-test.yaml index 28c8bfd10..6462b5af1 100644 --- a/other/b-d/block-images-with-volumes/kyverno-test.yaml +++ b/other/b-d/block-images-with-volumes/kyverno-test.yaml @@ -1,14 +1,14 @@ name: block-images-with-volumes policies: - - block-images-with-volumes.yaml +- block-images-with-volumes.yaml resources: - - good.yaml - - bad.yaml -variables: values.yaml +- good.yaml +- bad.yaml results: - - policy: block-images-with-volumes - rule: block-images-with-vols - resource: image-vol - kind: Pod - result: fail - \ No newline at end of file +- kind: Pod + policy: block-images-with-volumes + resources: + - image-vol + result: fail + rule: block-images-with-vols +variables: values.yaml diff --git a/other/b-d/block-large-images/kyverno-test.yaml b/other/b-d/block-large-images/kyverno-test.yaml index 06a089e95..c457c7c98 100644 --- a/other/b-d/block-large-images/kyverno-test.yaml +++ b/other/b-d/block-large-images/kyverno-test.yaml 
@@ -1,18 +1,14 @@ name: block-large-images policies: - - block-large-images.yaml +- block-large-images.yaml resources: - - good.yaml - - bad.yaml -variables: values.yaml +- good.yaml +- bad.yaml results: - # - policy: block-large-images - # rule: block-over-twogi - # resource: small-image - # kind: Pod - # result: pass - - policy: block-large-images - rule: block-over-twogi - resource: large-image - kind: Pod - result: fail \ No newline at end of file +- kind: Pod + policy: block-large-images + resources: + - large-image + result: fail + rule: block-over-twogi +variables: values.yaml diff --git a/other/b-d/block-stale-images/kyverno-test.yaml b/other/b-d/block-stale-images/kyverno-test.yaml index 6b72a0e08..9e3b03abd 100644 --- a/other/b-d/block-stale-images/kyverno-test.yaml +++ b/other/b-d/block-stale-images/kyverno-test.yaml @@ -1,16 +1,14 @@ name: block-stale-images policies: - - block-stale-images.yaml +- block-stale-images.yaml resources: - - bad.yaml - - good.yaml -variables: values.yaml +- bad.yaml +- good.yaml results: - - policy: block-stale-images - rule: block-stale-images - resource: redis - kind: Pod - result: fail - - - \ No newline at end of file +- kind: Pod + policy: block-stale-images + resources: + - redis + result: fail + rule: block-stale-images +variables: values.yaml diff --git a/other/b-d/block-updates-deletes/kyverno-test.yaml b/other/b-d/block-updates-deletes/kyverno-test.yaml index b49ee8274..18cb10d0f 100644 --- a/other/b-d/block-updates-deletes/kyverno-test.yaml +++ b/other/b-d/block-updates-deletes/kyverno-test.yaml 
@@ -1,17 +1,19 @@ name: block-updates-deletes policies: - - block-updates-deletes.yaml +- block-updates-deletes.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: block-updates-deletes - rule: block-updates-deletes - resource: my-service-1 - kind: Service - result: pass - - policy: block-updates-deletes - rule: block-updates-deletes - resource: my-service-2 - kind: Service - result: fail \ No newline at end of file +- kind: Service + policy: block-updates-deletes + resources: + - my-service-1 + result: pass + rule: block-updates-deletes +- kind: Service + policy: block-updates-deletes + resources: + - my-service-2 + result: fail + rule: block-updates-deletes +variables: values.yaml diff --git a/other/b-d/check-env-vars/kyverno-test.yaml b/other/b-d/check-env-vars/kyverno-test.yaml index f3dbfc78d..9ba47b441 100644 --- a/other/b-d/check-env-vars/kyverno-test.yaml +++ b/other/b-d/check-env-vars/kyverno-test.yaml @@ -1,20 +1,19 @@ name: opa-env policies: - - check-env-vars.yaml +- check-env-vars.yaml resources: - - resource.yaml +- resource.yaml results: - ###### Pods - Bad - - policy: check-env-vars - rule: check-disable-opa - resource: pod-with-opa-enabled - kind: Pod - result: fail - ###### Pods - Good - - policy: check-env-vars - rule: check-disable-opa - resources: - - pod-with-opa-disabled - - pod-without-opa-env - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: check-env-vars + resources: + - pod-with-opa-enabled + result: fail + rule: check-disable-opa +- kind: Pod + policy: check-env-vars + resources: + - pod-with-opa-disabled + - pod-without-opa-env + result: pass + rule: check-disable-opa diff --git a/other/b-d/check-nvidia-gpu/kyverno-test.yaml b/other/b-d/check-nvidia-gpu/kyverno-test.yaml index ce8b06c22..5b9a6a278 100644 --- a/other/b-d/check-nvidia-gpu/kyverno-test.yaml +++ b/other/b-d/check-nvidia-gpu/kyverno-test.yaml 
@@ -1,33 +1,34 @@ name: check-nvidia-gpus policies: - - check-nvidia-gpu.yaml +- check-nvidia-gpu.yaml resources: - - good01.yaml - - good02.yaml - - good03.yaml - - bad.yaml -variables: values.yaml +- good01.yaml +- good02.yaml +- good03.yaml +- bad.yaml results: - - policy: check-nvidia-gpus - rule: check-nvidia-gpus - resource: goodpod01 - kind: Pod - result: fail - - - policy: check-nvidia-gpus - rule: check-nvidia-gpus - resource: goodpod02 - kind: Pod - result: pass - - - policy: check-nvidia-gpus - rule: check-nvidia-gpus - resource: goodpod03 - kind: Pod - result: pass - - - policy: check-nvidia-gpus - rule: check-nvidia-gpus - resource: badpod01 - kind: Pod - result: fail \ No newline at end of file +- kind: Pod + policy: check-nvidia-gpus + resources: + - goodpod01 + result: fail + rule: check-nvidia-gpus +- kind: Pod + policy: check-nvidia-gpus + resources: + - goodpod02 + result: pass + rule: check-nvidia-gpus +- kind: Pod + policy: check-nvidia-gpus + resources: + - goodpod03 + result: pass + rule: check-nvidia-gpus +- kind: Pod + policy: check-nvidia-gpus + resources: + - badpod01 + result: fail + rule: check-nvidia-gpus +variables: values.yaml diff --git a/other/b-d/check-serviceaccount/kyverno-test.yaml b/other/b-d/check-serviceaccount/kyverno-test.yaml index 946d9842d..914619e74 100644 --- a/other/b-d/check-serviceaccount/kyverno-test.yaml +++ b/other/b-d/check-serviceaccount/kyverno-test.yaml @@ -1,17 +1,19 @@ name: check-sa policies: - - check-serviceaccount.yaml +- check-serviceaccount.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: check-sa - rule: check-sa - resource: badpod01 - kind: Pod - result: fail - - policy: check-sa - rule: check-sa - resource: goodpod01 - kind: Pod - result: pass +- kind: Pod + policy: check-sa + resources: + - badpod01 + result: fail + rule: check-sa +- kind: Pod + policy: check-sa + resources: + - goodpod01 + result: pass + rule: check-sa +variables: values.yaml 
diff --git a/other/b-d/create-default-pdb/kyverno-test.yaml b/other/b-d/create-default-pdb/kyverno-test.yaml index 25e4d115e..eb365c08e 100644 --- a/other/b-d/create-default-pdb/kyverno-test.yaml +++ b/other/b-d/create-default-pdb/kyverno-test.yaml @@ -1,13 +1,14 @@ name: pdb-test policies: - - create-default-pdb.yaml +- create-default-pdb.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: create-default-pdb - rule: create-default-pdb - resource: nginx-deployment - generatedResource: generatedResource.yaml - kind: Deployment - result: pass - namespace: hello-world \ No newline at end of file +- generatedResource: generatedResource.yaml + kind: Deployment + namespace: hello-world + policy: create-default-pdb + resources: + - nginx-deployment + result: pass + rule: create-default-pdb diff --git a/other/b-d/disable-automountserviceaccounttoken/kyverno-test.yaml b/other/b-d/disable-automountserviceaccounttoken/kyverno-test.yaml index 6af2e0383..d01b7ab24 100644 --- a/other/b-d/disable-automountserviceaccounttoken/kyverno-test.yaml +++ b/other/b-d/disable-automountserviceaccounttoken/kyverno-test.yaml @@ -1,18 +1,13 @@ name: disable-automountserviceaccounttoken policies: - - disable-automountserviceaccounttoken.yaml +- disable-automountserviceaccounttoken.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: disable-automountserviceaccounttoken - rule: disable-automountserviceaccounttoken - resource: default - patchedResource: patchedResource.yaml - kind: ServiceAccount - result: pass - # - policy: disable-automountserviceaccounttoken - # rule: disable-automountserviceaccounttoken - # resource: demo-sa - # kind: ServiceAccount - # result: skip - +- kind: ServiceAccount + patchedResource: patchedResource.yaml + policy: disable-automountserviceaccounttoken + resources: + - default + result: pass + rule: disable-automountserviceaccounttoken 
diff --git a/other/b-d/disallow-all-secrets/kyverno-test.yaml b/other/b-d/disallow-all-secrets/kyverno-test.yaml index e9194abc7..b4db2b25e 100644 --- a/other/b-d/disallow-all-secrets/kyverno-test.yaml +++ b/other/b-d/disallow-all-secrets/kyverno-test.yaml 
@@ -1,67 +1,69 @@ name: no-secrets policies: - - disallow-all-secrets.yaml +- disallow-all-secrets.yaml resources: - - resource.yaml +- resource.yaml results: -# testing secret-env-pod pod resource against all three rules - - policy: no-secrets - rule: secrets-not-from-env - resource: secret-env-pod - kind: Pod - namespace: default - result: fail - - policy: no-secrets - rule: secrets-not-from-envfrom - resource: secret-env-pod - kind: Pod - namespace: default - result: pass - - policy: no-secrets - rule: secrets-not-from-volumes - resource: secret-env-pod - kind: Pod - namespace: default - result: pass - - # testing secret-ref-pod pod resource against all three rules - - - policy: no-secrets - rule: secrets-not-from-env - resource: secret-ref-pod - kind: Pod - namespace: default - result: pass - - policy: no-secrets - rule: secrets-not-from-envfrom - resource: secret-ref-pod - kind: Pod - namespace: default - result: fail - - policy: no-secrets - rule: secrets-not-from-volumes - resource: secret-ref-pod - kind: Pod - namespace: default - result: pass - -# testing secret-vol-pod pod resource against all three rules - - policy: no-secrets - rule: secrets-not-from-env - resource: secret-vol-pod - kind: Pod - namespace: default - result: pass - - policy: no-secrets - rule: secrets-not-from-envfrom - resource: secret-vol-pod - kind: Pod - namespace: default - result: pass - - policy: no-secrets - rule: secrets-not-from-volumes - resource: secret-vol-pod - kind: Pod - namespace: default - result: fail - \ No newline at end of file +- kind: Pod + namespace: default + policy: no-secrets + resources: + - secret-env-pod + result: fail + rule: secrets-not-from-env +- kind: Pod + namespace: default + policy: no-secrets + resources: + - secret-env-pod + result: pass + rule: secrets-not-from-envfrom +- kind: Pod + namespace: default + policy: no-secrets + resources: + - secret-env-pod + result: pass + rule: secrets-not-from-volumes +- kind: Pod + namespace: default + policy: 
no-secrets + resources: + - secret-ref-pod + result: pass + rule: secrets-not-from-env +- kind: Pod + namespace: default + policy: no-secrets + resources: + - secret-ref-pod + result: fail + rule: secrets-not-from-envfrom +- kind: Pod + namespace: default + policy: no-secrets + resources: + - secret-ref-pod + result: pass + rule: secrets-not-from-volumes +- kind: Pod + namespace: default + policy: no-secrets + resources: + - secret-vol-pod + result: pass + rule: secrets-not-from-env +- kind: Pod + namespace: default + policy: no-secrets + resources: + - secret-vol-pod + result: pass + rule: secrets-not-from-envfrom +- kind: Pod + namespace: default + policy: no-secrets + resources: + - secret-vol-pod + result: fail + rule: secrets-not-from-volumes diff --git a/other/b-d/disallow-localhost-services/kyverno-test.yaml b/other/b-d/disallow-localhost-services/kyverno-test.yaml index 9f332079d..7c68442c9 100644 --- a/other/b-d/disallow-localhost-services/kyverno-test.yaml +++ b/other/b-d/disallow-localhost-services/kyverno-test.yaml @@ -1,16 +1,18 @@ name: no-localhost-service policies: - - disallow-localhost-services.yaml +- disallow-localhost-services.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: no-localhost-service - rule: no-localhost-service - resource: my-service - kind: Service - result: fail - - policy: no-localhost-service - rule: no-localhost-service - resource: my-np-service - kind: Service - result: skip +- kind: Service + policy: no-localhost-service + resources: + - my-service + result: fail + rule: no-localhost-service +- kind: Service + policy: no-localhost-service + resources: + - my-np-service + result: skip + rule: no-localhost-service diff --git a/other/b-d/disallow-secrets-from-env-vars/kyverno-test.yaml b/other/b-d/disallow-secrets-from-env-vars/kyverno-test.yaml index d6c297cc2..ce86a12ad 100644 --- a/other/b-d/disallow-secrets-from-env-vars/kyverno-test.yaml 
+++ b/other/b-d/disallow-secrets-from-env-vars/kyverno-test.yaml @@ -1,31 +1,34 @@ name: secrets-not-from-env-vars policies: - - disallow-secrets-from-env-vars.yaml +- disallow-secrets-from-env-vars.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: secrets-not-from-env-vars - rule: secrets-not-from-env-vars - resource: secret-env-pod - kind: Pod - namespace: default - result: fail - - policy: secrets-not-from-env-vars - rule: secrets-not-from-envfrom - resource: secret-env-pod - kind: Pod - namespace: default - result: pass - - policy: secrets-not-from-env-vars - rule: secrets-not-from-envfrom - resource: secret-ref-pod - kind: Pod - namespace: default - result: fail - - policy: secrets-not-from-env-vars - rule: secrets-not-from-env-vars - resource: secret-ref-pod - kind: Pod - namespace: default - result: pass - \ No newline at end of file +- kind: Pod + namespace: default + policy: secrets-not-from-env-vars + resources: + - secret-env-pod + result: fail + rule: secrets-not-from-env-vars +- kind: Pod + namespace: default + policy: secrets-not-from-env-vars + resources: + - secret-env-pod + result: pass + rule: secrets-not-from-envfrom +- kind: Pod + namespace: default + policy: secrets-not-from-env-vars + resources: + - secret-ref-pod + result: fail + rule: secrets-not-from-envfrom +- kind: Pod + namespace: default + policy: secrets-not-from-env-vars + resources: + - secret-ref-pod + result: pass + rule: secrets-not-from-env-vars diff --git a/other/b-d/dns-policy-and-dns-config/kyverno-test.yaml b/other/b-d/dns-policy-and-dns-config/kyverno-test.yaml index 9a285f863..2a9af3bbd 100644 --- a/other/b-d/dns-policy-and-dns-config/kyverno-test.yaml +++ b/other/b-d/dns-policy-and-dns-config/kyverno-test.yaml 
@@ -1,14 +1,15 @@ name: change-dns-config-policy policies: - - dns-policy-and-dns-config.yaml +- dns-policy-and-dns-config.yaml resources: - - resource.yaml -variables: variables.yaml +- resource.yaml results: - - policy: change-dns-config-policy - rule: dns-policy - resource: myapp-pod - patchedResource: patchedResource.yaml - kind: Pod - namespace: default - result: pass \ No newline at end of file +- kind: Pod + namespace: default + patchedResource: patchedResource.yaml + policy: change-dns-config-policy + resources: + - myapp-pod + result: pass + rule: dns-policy +variables: variables.yaml diff --git a/other/e-l/enforce-pod-duration/kyverno-test.yaml b/other/e-l/enforce-pod-duration/kyverno-test.yaml index 6cd4618d1..651b6a099 100644 --- a/other/e-l/enforce-pod-duration/kyverno-test.yaml +++ b/other/e-l/enforce-pod-duration/kyverno-test.yaml @@ -1,17 +1,18 @@ ---- name: pod-lifetime policies: - - enforce-pod-duration.yaml +- enforce-pod-duration.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: pod-lifetime - rule: pods-lifetime - resource: test-lifetime-pass - kind: Pod - result: pass - - policy: pod-lifetime - rule: pods-lifetime - resource: test-lifetime-fail - kind: Pod - result: fail +- kind: Pod + policy: pod-lifetime + resources: + - test-lifetime-pass + result: pass + rule: pods-lifetime +- kind: Pod + policy: pod-lifetime + resources: + - test-lifetime-fail + result: fail + rule: pods-lifetime diff --git a/other/e-l/enforce-resources-as-ratio/kyverno-test.yaml b/other/e-l/enforce-resources-as-ratio/kyverno-test.yaml index 38c519f99..e9bad01e7 100644 --- a/other/e-l/enforce-resources-as-ratio/kyverno-test.yaml +++ b/other/e-l/enforce-resources-as-ratio/kyverno-test.yaml 
@@ -1,18 +1,19 @@ name: enforce-resources-as-ratio policies: - - enforce-resources-as-ratio.yaml +- enforce-resources-as-ratio.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: enforce-resources-as-ratio - rule: check-memory-requests-limits - resource: badpod - kind: Pod - result: fail - - policy: enforce-resources-as-ratio - rule: check-memory-requests-limits - resource: goodpod - kind: Pod - result: pass - \ No newline at end of file +- kind: Pod + policy: enforce-resources-as-ratio + resources: + - badpod + result: fail + rule: check-memory-requests-limits +- kind: Pod + policy: enforce-resources-as-ratio + resources: + - goodpod + result: pass + rule: check-memory-requests-limits +variables: values.yaml diff --git a/other/e-l/ensure-probes-different/kyverno-test.yaml b/other/e-l/ensure-probes-different/kyverno-test.yaml index caacf0cc9..eea635dcd 100644 --- a/other/e-l/ensure-probes-different/kyverno-test.yaml +++ b/other/e-l/ensure-probes-different/kyverno-test.yaml @@ -1,16 +1,18 @@ name: validate-probes policies: - - ensure-probes-different.yaml +- ensure-probes-different.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: validate-probes - rule: validate-probes - resource: mydeploy-1 - kind: Deployment - result: pass - - policy: validate-probes - rule: validate-probes - resource: mydeploy-2 - kind: Deployment - result: fail +- kind: Deployment + policy: validate-probes + resources: + - mydeploy-1 + result: pass + rule: validate-probes +- kind: Deployment + policy: validate-probes + resources: + - mydeploy-2 + result: fail + rule: validate-probes diff --git a/other/e-l/ensure-readonly-hostpath/kyverno-test.yaml b/other/e-l/ensure-readonly-hostpath/kyverno-test.yaml index 968200ba4..a0ad447c2 100644 --- a/other/e-l/ensure-readonly-hostpath/kyverno-test.yaml +++ b/other/e-l/ensure-readonly-hostpath/kyverno-test.yaml 
@@ -1,19 +1,20 @@ name: ensure-readonly-hostpath policies: - - ensure-readonly-hostpath.yaml +- ensure-readonly-hostpath.yaml resources: - - good-pod-01.yaml - - bad-pod-01.yaml -variables: values.yaml +- good-pod-01.yaml +- bad-pod-01.yaml results: - - policy: ensure-readonly-hostpath - rule: ensure-hostpaths-readonly - resource: bad-pod-01 - kind: Pod - result: fail - - policy: ensure-readonly-hostpath - rule: ensure-hostpaths-readonly - resource: good-pod-01 - kind: Pod - result: pass - \ No newline at end of file +- kind: Pod + policy: ensure-readonly-hostpath + resources: + - bad-pod-01 + result: fail + rule: ensure-hostpaths-readonly +- kind: Pod + policy: ensure-readonly-hostpath + resources: + - good-pod-01 + result: pass + rule: ensure-hostpaths-readonly +variables: values.yaml diff --git a/other/e-l/exclude-namespaces-dynamically/kyverno-test.yaml b/other/e-l/exclude-namespaces-dynamically/kyverno-test.yaml index 1fdfd6962..cb74fb6b7 100644 --- a/other/e-l/exclude-namespaces-dynamically/kyverno-test.yaml +++ b/other/e-l/exclude-namespaces-dynamically/kyverno-test.yaml 
@@ -1,33 +1,31 @@ name: exclude-namespaces-example policies: - - exclude-namespaces-dynamically.yaml +- exclude-namespaces-dynamically.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: exclude-namespaces-example - rule: exclude-namespaces-dynamically-pods - resource: good-pod01 - kind: Pod - result: skip - - - policy: exclude-namespaces-example - rule: exclude-namespaces-dynamically-pods - resource: good-pod02 - kind: Pod - result: skip - - - policy: exclude-namespaces-example - rule: exclude-namespaces-dynamically-pods - resource: good-pod03 - kind: Pod - result: pass - - - policy: exclude-namespaces-example - rule: exclude-namespaces-dynamically-pods - resource: bad-pod01 - kind: Pod - result: fail - - - \ No newline at end of file +- kind: Pod + policy: exclude-namespaces-example + resources: + - good-pod01 + result: skip + rule: exclude-namespaces-dynamically-pods +- kind: Pod + policy: exclude-namespaces-example + resources: + - good-pod02 + result: skip + rule: exclude-namespaces-dynamically-pods +- kind: Pod + policy: exclude-namespaces-example + resources: + - good-pod03 + result: pass + rule: exclude-namespaces-dynamically-pods +- kind: Pod + policy: exclude-namespaces-example + resources: + - bad-pod01 + result: fail + rule: exclude-namespaces-dynamically-pods +variables: values.yaml diff --git a/other/e-l/imagepullpolicy-always/kyverno-test.yaml b/other/e-l/imagepullpolicy-always/kyverno-test.yaml index 46a0d8af6..8ec24517d 100644 --- a/other/e-l/imagepullpolicy-always/kyverno-test.yaml +++ b/other/e-l/imagepullpolicy-always/kyverno-test.yaml 
@@ -1,26 +1,30 @@ name: imagepullpolicy-always policies: - - imagepullpolicy-always.yaml +- imagepullpolicy-always.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: imagepullpolicy-always - rule: imagepullpolicy-always - resource: myapp-pod-1 - kind: Pod - result: pass - - policy: imagepullpolicy-always - rule: imagepullpolicy-always - resource: myapp-pod-2 - kind: Pod - result: fail - - policy: imagepullpolicy-always - rule: imagepullpolicy-always - resource: mydeploy1 - kind: Deployment - result: fail - - policy: imagepullpolicy-always - rule: imagepullpolicy-always - resource: mydeploy2 - kind: Deployment - result: pass \ No newline at end of file +- kind: Pod + policy: imagepullpolicy-always + resources: + - myapp-pod-1 + result: pass + rule: imagepullpolicy-always +- kind: Pod + policy: imagepullpolicy-always + resources: + - myapp-pod-2 + result: fail + rule: imagepullpolicy-always +- kind: Deployment + policy: imagepullpolicy-always + resources: + - mydeploy1 + result: fail + rule: imagepullpolicy-always +- kind: Deployment + policy: imagepullpolicy-always + resources: + - mydeploy2 + result: pass + rule: imagepullpolicy-always diff --git a/other/e-l/ingress-host-match-tls/kyverno-test.yaml b/other/e-l/ingress-host-match-tls/kyverno-test.yaml index 55b74ea9a..b753f155f 100644 --- a/other/e-l/ingress-host-match-tls/kyverno-test.yaml +++ b/other/e-l/ingress-host-match-tls/kyverno-test.yaml 
@@ -1,36 +1,42 @@ name: ingress-host-match-tls policies: - - ingress-host-match-tls.yaml +- ingress-host-match-tls.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: ingress-host-match-tls - rule: host-match-tls - resource: badingress01 - result: fail - kind: Ingress - - policy: ingress-host-match-tls - rule: host-match-tls - resource: badingress02 - result: fail - kind: Ingress - - policy: ingress-host-match-tls - rule: host-match-tls - resource: goodingress01 - result: pass - kind: Ingress - - policy: ingress-host-match-tls - rule: host-match-tls - resource: goodingress02 - result: pass - kind: Ingress - - policy: ingress-host-match-tls - rule: host-match-tls - resource: goodingress03 - result: pass - kind: Ingress - - policy: ingress-host-match-tls - rule: host-match-tls - resource: goodingress04 - result: pass - kind: Ingress +- kind: Ingress + policy: ingress-host-match-tls + resources: + - badingress01 + result: fail + rule: host-match-tls +- kind: Ingress + policy: ingress-host-match-tls + resources: + - badingress02 + result: fail + rule: host-match-tls +- kind: Ingress + policy: ingress-host-match-tls + resources: + - goodingress01 + result: pass + rule: host-match-tls +- kind: Ingress + policy: ingress-host-match-tls + resources: + - goodingress02 + result: pass + rule: host-match-tls +- kind: Ingress + policy: ingress-host-match-tls + resources: + - goodingress03 + result: pass + rule: host-match-tls +- kind: Ingress + policy: ingress-host-match-tls + resources: + - goodingress04 + result: pass + rule: host-match-tls diff --git a/other/e-l/inject-sidecar-deployment/kyverno-test.yaml b/other/e-l/inject-sidecar-deployment/kyverno-test.yaml index 69a18fc73..da0e4a5f7 100644 --- a/other/e-l/inject-sidecar-deployment/kyverno-test.yaml +++ b/other/e-l/inject-sidecar-deployment/kyverno-test.yaml 
@@ -1,18 +1,20 @@ name: inject-sidecar policies: - - inject-sidecar-deployment.yaml +- inject-sidecar-deployment.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: inject-sidecar - rule: inject-sidecar - resource: mydeploy-1 - patchedResource: patchedResource1.yaml - kind: Deployment - result: pass - - policy: inject-sidecar - rule: inject-sidecar - resource: mydeploy-2 - patchedResource: patchedResource2.yaml - kind: Deployment - result: skip \ No newline at end of file +- kind: Deployment + patchedResource: patchedResource1.yaml + policy: inject-sidecar + resources: + - mydeploy-1 + result: pass + rule: inject-sidecar +- kind: Deployment + patchedResource: patchedResource2.yaml + policy: inject-sidecar + resources: + - mydeploy-2 + result: skip + rule: inject-sidecar diff --git a/other/e-l/limit-configmap-for-sa/kyverno-test.yaml b/other/e-l/limit-configmap-for-sa/kyverno-test.yaml index 5f3313d59..9f4cb8a19 100644 --- a/other/e-l/limit-configmap-for-sa/kyverno-test.yaml +++ b/other/e-l/limit-configmap-for-sa/kyverno-test.yaml @@ -1,17 +1,19 @@ name: limit-configmap-for-sa policies: - - limit-configmap-for-sa.yaml +- limit-configmap-for-sa.yaml resources: - - resource.yaml -variables: variables.yaml +- resource.yaml results: - - policy: limit-configmap-for-sa - rule: limit-configmap-for-sa-developer - resource: any-configmap-name-good - kind: ConfigMap - result: fail - - policy: limit-configmap-for-sa - rule: limit-configmap-for-sa-developer - resource: any-configmap-name-bad - kind: ConfigMap - result: skip +- kind: ConfigMap + policy: limit-configmap-for-sa + resources: + - any-configmap-name-good + result: fail + rule: limit-configmap-for-sa-developer +- kind: ConfigMap + policy: limit-configmap-for-sa + resources: + - any-configmap-name-bad + result: skip + rule: limit-configmap-for-sa-developer +variables: variables.yaml 
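Review bot: In the limit-configmap-for-sa hunk the expectations read inverted against the resource names on the new side: `any-configmap-name-good` expects `fail` and `any-configmap-name-bad` expects `skip`. If the names describe the ConfigMap while the verdict is driven by the requesting ServiceAccount supplied through `variables.yaml`, a one-line comment above each entry stating which user context produces the verdict would stop the next reader from "fixing" it; if not, the names or the results should be swapped. Note also that no entry expects `pass`, so the allowed path of `limit-configmap-for-sa-developer` is not pinned by this test.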
diff --git a/other/e-l/limit-containers-per-pod/kyverno-test.yaml b/other/e-l/limit-containers-per-pod/kyverno-test.yaml index 003c2dac1..e13a9507b 100644 --- a/other/e-l/limit-containers-per-pod/kyverno-test.yaml +++ b/other/e-l/limit-containers-per-pod/kyverno-test.yaml @@ -1,26 +1,30 @@ name: limit-containers-per-pod policies: - - limit-containers-per-pod.yaml +- limit-containers-per-pod.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: limit-containers-per-pod - rule: limit-containers-per-pod - resource: myapp-pod-1 - kind: Pod - result: pass - - policy: limit-containers-per-pod - rule: limit-containers-per-pod - resource: myapp-pod-2 - kind: Pod - result: fail - - policy: limit-containers-per-pod - rule: autogen-limit-containers-per-pod - resource: mydeploy - kind: Deployment - result: pass - - policy: limit-containers-per-pod - rule: autogen-cronjob-limit-containers-per-pod - resource: mycronjob - kind: CronJob - result: fail \ No newline at end of file +- kind: Pod + policy: limit-containers-per-pod + resources: + - myapp-pod-1 + result: pass + rule: limit-containers-per-pod +- kind: Pod + policy: limit-containers-per-pod + resources: + - myapp-pod-2 + result: fail + rule: limit-containers-per-pod +- kind: Deployment + policy: limit-containers-per-pod + resources: + - mydeploy + result: pass + rule: autogen-limit-containers-per-pod +- kind: CronJob + policy: limit-containers-per-pod + resources: + - mycronjob + result: fail + rule: autogen-cronjob-limit-containers-per-pod diff --git a/other/e-l/limit-hostpath-type-pv/kyverno-test.yaml b/other/e-l/limit-hostpath-type-pv/kyverno-test.yaml index 5672d555e..c54988b74 100644 --- a/other/e-l/limit-hostpath-type-pv/kyverno-test.yaml +++ b/other/e-l/limit-hostpath-type-pv/kyverno-test.yaml 
@@ -1,16 +1,18 @@ name: limit-hostpath-type-pv policies: - - limit-hostpath-type-pv.yaml +- limit-hostpath-type-pv.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: limit-hostpath-type-pv - rule: limit-hostpath-type-pv-to-slash-data - resource: good-pv - kind: PersistentVolume - result: pass - - policy: limit-hostpath-type-pv - rule: limit-hostpath-type-pv-to-slash-data - resource: bad-pv - kind: PersistentVolume - result: fail +- kind: PersistentVolume + policy: limit-hostpath-type-pv + resources: + - good-pv + result: pass + rule: limit-hostpath-type-pv-to-slash-data +- kind: PersistentVolume + policy: limit-hostpath-type-pv + resources: + - bad-pv + result: fail + rule: limit-hostpath-type-pv-to-slash-data diff --git a/other/e-l/limit-hostpath-vols/kyverno-test.yaml b/other/e-l/limit-hostpath-vols/kyverno-test.yaml index 61cdad405..907e94133 100644 --- a/other/e-l/limit-hostpath-vols/kyverno-test.yaml +++ b/other/e-l/limit-hostpath-vols/kyverno-test.yaml @@ -1,18 +1,20 @@ name: limit-hostpath-vols policies: - - limit-hostpath-vols.yaml +- limit-hostpath-vols.yaml resources: - - goodpod.yaml - - badpod.yaml -variables: values.yaml +- goodpod.yaml +- badpod.yaml results: - - policy: limit-hostpath-vols - rule: limit-hostpath-to-slash-data - resource: good-pods-all - kind: Pod - result: pass - - policy: limit-hostpath-vols - rule: limit-hostpath-to-slash-data - resource: bad-pods-all - kind: Pod - result: fail +- kind: Pod + policy: limit-hostpath-vols + resources: + - good-pods-all + result: pass + rule: limit-hostpath-to-slash-data +- kind: Pod + policy: limit-hostpath-vols + resources: + - bad-pods-all + result: fail + rule: limit-hostpath-to-slash-data +variables: values.yaml diff --git a/other/m-q/memory-requests-equal-limits/kyverno-test.yaml b/other/m-q/memory-requests-equal-limits/kyverno-test.yaml index 4e0600547..e5ed98a0a 100644 --- a/other/m-q/memory-requests-equal-limits/kyverno-test.yaml 
+++ b/other/m-q/memory-requests-equal-limits/kyverno-test.yaml @@ -1,21 +1,24 @@ name: memory-requests-equal-limits policies: - - memory-requests-equal-limits.yaml +- memory-requests-equal-limits.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: memory-requests-equal-limits - rule: autogen-memory-requests-equal-limits - resource: fluentd-elasticsearch - kind: DaemonSet - status: pass - - policy: memory-requests-equal-limits - rule: memory-requests-equal-limits - resource: myapp-pod - kind: Pod - status: fail - - policy: memory-requests-equal-limits - rule: autogen-cronjob-memory-requests-equal-limits - resource: hello - kind: CronJob - status: pass \ No newline at end of file +- kind: DaemonSet + policy: memory-requests-equal-limits + resources: + - fluentd-elasticsearch + result: pass + rule: autogen-memory-requests-equal-limits +- kind: Pod + policy: memory-requests-equal-limits + resources: + - myapp-pod + result: fail + rule: memory-requests-equal-limits +- kind: CronJob + policy: memory-requests-equal-limits + resources: + - hello + result: pass + rule: autogen-cronjob-memory-requests-equal-limits diff --git a/other/m-q/mitigate-log4shell/kyverno-test.yaml b/other/m-q/mitigate-log4shell/kyverno-test.yaml index 00fc29813..d18be6f7f 100644 --- a/other/m-q/mitigate-log4shell/kyverno-test.yaml +++ b/other/m-q/mitigate-log4shell/kyverno-test.yaml 
@@ -1,34 +1,34 @@ name: log4shell-mitigation policies: - - mitigate-log4shell.yaml +- mitigate-log4shell.yaml resources: - - resource.yaml +- resource.yaml results: -# checking demo-pod01 pod resource on both rules - - policy: log4shell-mitigation - rule: add-log4shell-mitigation-initcontainers - resource: demo-pod01 - patchedResource: patchedResource.yaml - kind: Pod - result: pass - - policy: log4shell-mitigation - rule: add-log4shell-mitigation-containers - resource: demo-pod01 - patchedResource: patchedResource.yaml - kind: Pod - result: pass - -# checking demo-pod02 pod resource on both rules - - policy: log4shell-mitigation - rule: add-log4shell-mitigation-containers - resource: demo-pod02 - patchedResource: patchedResource1.yaml - kind: Pod - result: pass - - policy: log4shell-mitigation - rule: add-log4shell-mitigation-initcontainers - resource: demo-pod02 - patchedResource: patchedResource1.yaml - kind: Pod - result: skip - \ No newline at end of file +- kind: Pod + patchedResource: patchedResource.yaml + policy: log4shell-mitigation + resources: + - demo-pod01 + result: pass + rule: add-log4shell-mitigation-initcontainers +- kind: Pod + patchedResource: patchedResource.yaml + policy: log4shell-mitigation + resources: + - demo-pod01 + result: pass + rule: add-log4shell-mitigation-containers +- kind: Pod + patchedResource: patchedResource1.yaml + policy: log4shell-mitigation + resources: + - demo-pod02 + result: pass + rule: add-log4shell-mitigation-containers +- kind: Pod + patchedResource: patchedResource1.yaml + policy: log4shell-mitigation + resources: + - demo-pod02 + result: skip + rule: add-log4shell-mitigation-initcontainers diff --git a/other/m-q/mutate-large-termination-gps/kyverno-test.yaml b/other/m-q/mutate-large-termination-gps/kyverno-test.yaml index 872bedccf..263d7ee33 100644 --- a/other/m-q/mutate-large-termination-gps/kyverno-test.yaml +++ b/other/m-q/mutate-large-termination-gps/kyverno-test.yaml 
@@ -1,19 +1,20 @@ name: mutate-termination-grace-period-seconds policies: - - mutate-large-termination-gps.yaml +- mutate-large-termination-gps.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: mutate-termination-grace-period-seconds - rule: mutate-termination-grace-period-seconds - resource: demo-pod01 - patchedResource: patchedResource1.yaml - kind: Pod - result: pass - - policy: mutate-termination-grace-period-seconds - rule: mutate-termination-grace-period-seconds - resource: demo-pod02 - patchedResource: patchedResource2.yaml - kind: Pod - result: skip - \ No newline at end of file +- kind: Pod + patchedResource: patchedResource1.yaml + policy: mutate-termination-grace-period-seconds + resources: + - demo-pod01 + result: pass + rule: mutate-termination-grace-period-seconds +- kind: Pod + patchedResource: patchedResource2.yaml + policy: mutate-termination-grace-period-seconds + resources: + - demo-pod02 + result: skip + rule: mutate-termination-grace-period-seconds diff --git a/other/m-q/nfs-subdir-external-provisioner-storage-path/kyverno-test.yaml b/other/m-q/nfs-subdir-external-provisioner-storage-path/kyverno-test.yaml index 1e6265ac8..65368c762 100644 --- a/other/m-q/nfs-subdir-external-provisioner-storage-path/kyverno-test.yaml +++ b/other/m-q/nfs-subdir-external-provisioner-storage-path/kyverno-test.yaml 
@@ -1,23 +1,18 @@ name: nfs-subdir-external-provisioner-storage-path policies: - - nfs-subdir-external-provisioner-storage-path.yaml +- nfs-subdir-external-provisioner-storage-path.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: nfs-subdir-external-provisioner-storage-path - rule: enforce-storage-path - resource: goodclaim - kind: PersistentVolumeClaim - result: pass - - policy: nfs-subdir-external-provisioner-storage-path - rule: enforce-storage-path - resource: badclaim - kind: PersistentVolumeClaim - result: fail - # The last test is found to be flaky on CLI v1.6.2. Commenting out - # until resolved. - # - policy: nfs-subdir-external-provisioner-storage-path - # rule: enforce-storage-path - # resource: skipclaim - # kind: PersistentVolumeClaim - # result: skip \ No newline at end of file +- kind: PersistentVolumeClaim + policy: nfs-subdir-external-provisioner-storage-path + resources: + - goodclaim + result: pass + rule: enforce-storage-path +- kind: PersistentVolumeClaim + policy: nfs-subdir-external-provisioner-storage-path + resources: + - badclaim + result: fail + rule: enforce-storage-path diff --git a/other/m-q/only-trustworthy-registries-set-root/kyverno-test.yaml b/other/m-q/only-trustworthy-registries-set-root/kyverno-test.yaml index 58f5789ce..029ad326a 100644 --- a/other/m-q/only-trustworthy-registries-set-root/kyverno-test.yaml +++ b/other/m-q/only-trustworthy-registries-set-root/kyverno-test.yaml 
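Review bot: The comment recording why the `skipclaim` case is absent (`flaky on CLI v1.6.2`) is dropped together with the commented-out entry, so the file no longer says that the `skip` path of `enforce-storage-path` is intentionally untested. Keep a one-line marker above `results:` such as `# skipclaim (result: skip) omitted: flaky on CLI v1.6.2, re-add once resolved`, or migrate the entry to the new `resources:` schema if the flakiness no longer reproduces on the CLI version this commit targets.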
@@ -1,19 +1,20 @@ name: only-trustworthy-registries-set-root policies: - - only-trustworthy-registries-set-root.yaml +- only-trustworthy-registries-set-root.yaml resources: - - good.yaml - - bad.yaml -variables: values.yaml +- good.yaml +- bad.yaml results: - - policy: only-trustworthy-registries-set-root - rule: only-allow-trusted-images - resource: pod-with-trusted-registry - kind: Pod - result: pass - - - policy: only-trustworthy-registries-set-root - rule: only-allow-trusted-images - resource: pod-with-root-user - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: only-trustworthy-registries-set-root + resources: + - pod-with-trusted-registry + result: pass + rule: only-allow-trusted-images +- kind: Pod + policy: only-trustworthy-registries-set-root + resources: + - pod-with-root-user + result: pass + rule: only-allow-trusted-images +variables: values.yaml diff --git a/other/m-q/pdb-maxunavailable/kyverno-test.yaml b/other/m-q/pdb-maxunavailable/kyverno-test.yaml index 54cc0c062..7b879b075 100644 --- a/other/m-q/pdb-maxunavailable/kyverno-test.yaml +++ b/other/m-q/pdb-maxunavailable/kyverno-test.yaml 
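Review bot: Both entries expect `pass`, including `pod-with-root-user`, which is loaded from `bad.yaml`; the test therefore has no `fail` case and never demonstrates that `only-allow-trusted-images` denies anything. Either the `bad.yaml` pod does not actually combine a root user with an untrusted registry, or the expectation is wrong — that cannot be told from the diff. Add an entry with `result: fail` for a pod that does combine both, and put a comment on the `pod-with-root-user` entry explaining why it is expected to pass (for example, if its image comes from a registry that `values.yaml` lists as trusted).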
@@ -1,36 +1,34 @@ name: pdb-maxunavailable - policies: - pdb-maxunavailable.yaml - resources: - resource.yaml - results: -- policy: pdb-maxunavailable - rule: pdb-maxunavailable - resource: good-pdb +- kind: PodDisruptionBudget namespace: kube-system - kind: PodDisruptionBudget + policy: pdb-maxunavailable + resources: + - good-pdb result: pass - -- policy: pdb-maxunavailable rule: pdb-maxunavailable - resource: good-pdb-none +- kind: PodDisruptionBudget namespace: kube-system - kind: PodDisruptionBudget + policy: pdb-maxunavailable + resources: + - good-pdb-none result: pass - -- policy: pdb-maxunavailable rule: pdb-maxunavailable - resource: bad-pdb-zero +- kind: PodDisruptionBudget namespace: kube-system - kind: PodDisruptionBudget + policy: pdb-maxunavailable + resources: + - bad-pdb-zero result: fail - -- policy: pdb-maxunavailable rule: pdb-maxunavailable - resource: bad-pdb-negative-one +- kind: PodDisruptionBudget namespace: kube-system - kind: PodDisruptionBudget + policy: pdb-maxunavailable + resources: + - bad-pdb-negative-one result: fail + rule: pdb-maxunavailable diff --git a/other/m-q/pdb-minavailable/kyverno-test.yaml b/other/m-q/pdb-minavailable/kyverno-test.yaml index 3bf25c336..fee4b73ed 100644 --- a/other/m-q/pdb-minavailable/kyverno-test.yaml +++ b/other/m-q/pdb-minavailable/kyverno-test.yaml @@ -1,24 +1,21 @@ name: pdb-minavailable-check - policies: - pdb-minavailable.yaml - resources: - resource.yaml - -variables: values.yaml - results: -- policy: pdb-minavailable-check - rule: pdb-minavailable - resource: bad-pdb +- kind: StatefulSet namespace: nginx - kind: StatefulSet + policy: pdb-minavailable-check + resources: + - bad-pdb result: fail - -- policy: pdb-minavailable-check rule: pdb-minavailable - resource: good-pdb +- kind: StatefulSet namespace: nginx - kind: StatefulSet + policy: pdb-minavailable-check + resources: + - good-pdb result: pass + rule: pdb-minavailable +variables: values.yaml 
diff --git a/other/m-q/prepend-image-registry/kyverno-test.yaml b/other/m-q/prepend-image-registry/kyverno-test.yaml index a3c9daf71..4e77f2ace 100644 --- a/other/m-q/prepend-image-registry/kyverno-test.yaml +++ b/other/m-q/prepend-image-registry/kyverno-test.yaml 
@@ -1,40 +1,43 @@ name: prepend-image-registry policies: - - prepend-image-registry.yaml +- prepend-image-registry.yaml resources: - - resource.yaml - - resourceFailed.yaml - - withoutinitcontainer.yaml +- resource.yaml +- resourceFailed.yaml +- withoutinitcontainer.yaml results: - - policy: prepend-registry - rule: prepend-registry-containers - resource: mypod - patchedResource: patchedResource.yaml - kind: Pod - result: pass - - policy: prepend-registry - rule: prepend-registry-initcontainers - resource: mypod - patchedResource: patchedResource.yaml - kind: Pod - result: pass - - policy: prepend-registry - rule: prepend-registry-containers - resource: myfailedpod - patchedResource: failpatchedResource.yaml - kind: Pod - result: fail - - policy: prepend-registry - rule: prepend-registry-initcontainers - resource: myfailedpod - patchedResource: failpatchedResource.yaml - kind: Pod - result: fail - - policy: prepend-registry - rule: prepend-registry-containers - resource: withoutinitcontainer - patchedResource: patchedResourceWithoutInitContainer.yaml - kind: Pod - result: fail - - \ No newline at end of file +- kind: Pod + patchedResource: patchedResource.yaml + policy: prepend-registry + resources: + - mypod + result: pass + rule: prepend-registry-containers +- kind: Pod + patchedResource: patchedResource.yaml + policy: prepend-registry + resources: + - mypod + result: pass + rule: prepend-registry-initcontainers +- kind: Pod + patchedResource: failpatchedResource.yaml + policy: prepend-registry + resources: + - myfailedpod + result: fail + rule: prepend-registry-containers +- kind: Pod + patchedResource: failpatchedResource.yaml + policy: prepend-registry + resources: + - myfailedpod + result: fail + rule: prepend-registry-initcontainers +- kind: Pod + patchedResource: patchedResourceWithoutInitContainer.yaml + policy: prepend-registry + resources: + - withoutinitcontainer + result: fail + rule: prepend-registry-containers 
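Review bot: Every result in the new side references `policy: prepend-registry`, while the test name and the loaded file are `prepend-image-registry`; if the policy's `metadata.name` is not literally `prepend-registry`, the CLI will report these expectations as unmatched rather than as failures, so the mismatch is worth confirming against the policy file. The rewrite also keeps `result: fail` together with a `patchedResource` for `myfailedpod` and `withoutinitcontainer`, which reads as "the mutation must not produce this patched output"; a one-line comment above those entries, e.g. `# fail: patched output must differ from failpatchedResource.yaml`, would save the next reader from guessing the intent.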
diff --git a/other/m-q/prevent-cr8escape/kyverno-test.yaml b/other/m-q/prevent-cr8escape/kyverno-test.yaml index 6a986c8df..6d23bc859 100644 --- a/other/m-q/prevent-cr8escape/kyverno-test.yaml +++ b/other/m-q/prevent-cr8escape/kyverno-test.yaml @@ -1,23 +1,24 @@ name: restrict- policies: - - prevent-cr8escape.yaml +- prevent-cr8escape.yaml resources: - - resources.yaml +- resources.yaml results: -###### Pods - Bad - - policy: prevent-cr8escape - rule: restrict-sysctls-cr8escape - resource: badpod01 - kind: Pod - result: fail -###### Pods - Good - - policy: prevent-cr8escape - rule: restrict-sysctls-cr8escape - resource: pod-sysctl-good - kind: Pod - result: pass - - policy: prevent-cr8escape - rule: restrict-sysctls-cr8escape - resource: pod-no-sysctl - kind: Pod - result: pass +- kind: Pod + policy: prevent-cr8escape + resources: + - badpod01 + result: fail + rule: restrict-sysctls-cr8escape +- kind: Pod + policy: prevent-cr8escape + resources: + - pod-sysctl-good + result: pass + rule: restrict-sysctls-cr8escape +- kind: Pod + policy: prevent-cr8escape + resources: + - pod-no-sysctl + result: pass + rule: restrict-sysctls-cr8escape diff --git a/other/rec-req/remove-hostpath-volumes/kyverno-test.yaml b/other/rec-req/remove-hostpath-volumes/kyverno-test.yaml index 74a8aa934..d9527a6c3 100644 --- a/other/rec-req/remove-hostpath-volumes/kyverno-test.yaml +++ b/other/rec-req/remove-hostpath-volumes/kyverno-test.yaml @@ -1,12 +1,13 @@ name: remove-hostpath-volumes policies: - - remove-hostpath-volumes.yaml +- remove-hostpath-volumes.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: remove-hostpath-volumes - rule: remove-hostpath-all - resource: busybox - kind: Pod - patchedResource: patchedResource.yaml - result: pass \ No newline at end of file +- kind: Pod + patchedResource: patchedResource.yaml + policy: remove-hostpath-volumes + resources: + - busybox + result: pass + rule: remove-hostpath-all 
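Review bot: The regenerated file keeps `name: restrict-` on the first context line, which looks like a truncated or leftover test name; `name: prevent-cr8escape` would match the directory and the policy it loads. The rewrite also drops the `###### Pods - Bad` / `###### Pods - Good` grouping comments, and the same happens on a larger scale in the require-non-root-groups hunk (its `## Rule: … ##` headers); since the key-sorted format no longer groups cases visibly, a short comment per group, e.g. `# badpod01: sets a sysctl the policy forbids`, would preserve why each expectation is `fail` or `pass`.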
diff --git a/other/rec-req/remove-serviceaccount-token/kyverno-test.yaml b/other/rec-req/remove-serviceaccount-token/kyverno-test.yaml index 8458f7245..3716f645a 100644 --- a/other/rec-req/remove-serviceaccount-token/kyverno-test.yaml +++ b/other/rec-req/remove-serviceaccount-token/kyverno-test.yaml @@ -1,12 +1,13 @@ name: remove-serviceaccount-token policies: - - remove-serviceaccount-token.yaml +- remove-serviceaccount-token.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: remove-serviceaccount-token - rule: remove-vol-volmount - resource: busybox - kind: Pod - patchedResource: patchedResource.yaml - result: pass \ No newline at end of file +- kind: Pod + patchedResource: patchedResource.yaml + policy: remove-serviceaccount-token + resources: + - busybox + result: pass + rule: remove-vol-volmount diff --git a/other/rec-req/replace-image-registry/kyverno-test.yaml b/other/rec-req/replace-image-registry/kyverno-test.yaml index 92bb90701..11cfb7d6c 100644 --- a/other/rec-req/replace-image-registry/kyverno-test.yaml +++ b/other/rec-req/replace-image-registry/kyverno-test.yaml 
@@ -1,30 +1,34 @@ name: replace-image-registry policies: - - replace-image-registry.yaml +- replace-image-registry.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: replace-image-registry - rule: replace-image-registry-pod-containers - resource: myapp-pod1 - kind: Pod - patchedResource: patchedResource1.yaml - result: pass - - policy: replace-image-registry - rule: replace-image-registry-pod-initcontainers - resource: myapp-pod1 - kind: Pod - patchedResource: patchedResource1.yaml - result: skip - - policy: replace-image-registry - rule: replace-image-registry-pod-containers - resource: myapp-pod2 - kind: Pod - patchedResource: patchedResource3.yaml - result: pass - - policy: replace-image-registry - rule: replace-image-registry-pod-initcontainers - resource: myapp-pod2 - kind: Pod - patchedResource: patchedResource3.yaml - result: pass \ No newline at end of file +- kind: Pod + patchedResource: patchedResource1.yaml + policy: replace-image-registry + resources: + - myapp-pod1 + result: pass + rule: replace-image-registry-pod-containers +- kind: Pod + patchedResource: patchedResource1.yaml + policy: replace-image-registry + resources: + - myapp-pod1 + result: skip + rule: replace-image-registry-pod-initcontainers +- kind: Pod + patchedResource: patchedResource3.yaml + policy: replace-image-registry + resources: + - myapp-pod2 + result: pass + rule: replace-image-registry-pod-containers +- kind: Pod + patchedResource: patchedResource3.yaml + policy: replace-image-registry + resources: + - myapp-pod2 + result: pass + rule: replace-image-registry-pod-initcontainers diff --git a/other/rec-req/require-deployments-have-multiple-replicas/kyverno-test.yaml b/other/rec-req/require-deployments-have-multiple-replicas/kyverno-test.yaml index 4258ecfc4..cf5bcb91a 100644 --- a/other/rec-req/require-deployments-have-multiple-replicas/kyverno-test.yaml +++ b/other/rec-req/require-deployments-have-multiple-replicas/kyverno-test.yaml 
@@ -1,16 +1,12 @@ name: deployment-has-multiple-replicas policies: - - require-deployments-have-multiple-replicas.yaml +- require-deployments-have-multiple-replicas.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: deployment-has-multiple-replicas - rule: deployment-has-multiple-replicas - resource: mydeploy - kind: Deployment - result: pass - # - policy: deployment-has-multiple-replicas - # rule: deployment-has-multiple-replicas - # resource: myapp-pod - # kind: Pod - # result: skip \ No newline at end of file +- kind: Deployment + policy: deployment-has-multiple-replicas + resources: + - mydeploy + result: pass + rule: deployment-has-multiple-replicas diff --git a/other/rec-req/require-image-checksum/kyverno-test.yaml b/other/rec-req/require-image-checksum/kyverno-test.yaml index 7623e9940..1eddb24b9 100644 --- a/other/rec-req/require-image-checksum/kyverno-test.yaml +++ b/other/rec-req/require-image-checksum/kyverno-test.yaml 
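Review bot: The commented-out expectation for `myapp-pod` (kind `Pod`, `result: skip`) is deleted outright in the new side, leaving a single `pass` case, so the test no longer documents that non-Deployment kinds are meant to be skipped. If that case was disabled because it failed, a real `skip` entry (or a note in the policy's README) is the way to keep that behaviour covered; if it was obsolete, say so in the commit message so the removal is not mistaken for the migration tool dropping it. A `pass`-only test also cannot distinguish a correct rule from one that has stopped evaluating, so a `fail` case with `replicas: 1` would make the assertion meaningful.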
@@ -1,26 +1,30 @@ name: require-image-checksum policies: - - require-image-checksum.yaml +- require-image-checksum.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: require-image-checksum - rule: require-image-checksum - resource: myapp-pod-1 - kind: Pod - result: pass - - policy: require-image-checksum - rule: require-image-checksum - resource: myapp-pod-2 - kind: Pod - result: fail - - policy: require-image-checksum - rule: require-image-checksum - resource: mydeploy - kind: Deployment - result: pass - - policy: require-image-checksum - rule: require-image-checksum - resource: hello - kind: CronJob - result: fail \ No newline at end of file +- kind: Pod + policy: require-image-checksum + resources: + - myapp-pod-1 + result: pass + rule: require-image-checksum +- kind: Pod + policy: require-image-checksum + resources: + - myapp-pod-2 + result: fail + rule: require-image-checksum +- kind: Deployment + policy: require-image-checksum + resources: + - mydeploy + result: pass + rule: require-image-checksum +- kind: CronJob + policy: require-image-checksum + resources: + - hello + result: fail + rule: require-image-checksum diff --git a/other/rec-req/require-image-source/kyverno-test.yaml b/other/rec-req/require-image-source/kyverno-test.yaml index c8fea9724..45e7cc276 100644 --- a/other/rec-req/require-image-source/kyverno-test.yaml +++ b/other/rec-req/require-image-source/kyverno-test.yaml @@ -1,15 +1,14 @@ name: require-image-source policies: - - require-image-source.yaml +- require-image-source.yaml resources: - - good.yaml - - bad.yaml +- good.yaml +- bad.yaml +results: +- kind: Pod + policy: require-image-source + resources: + - goodpod01 + result: pass + rule: check-source variables: values.yaml -results: - - policy: require-image-source - rule: check-source - resource: goodpod01 - kind: Pod - result: pass - - 
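Review bot: In the require-image-source hunk, `resources:` loads both `good.yaml` and `bad.yaml`, but `results:` only asserts `goodpod01` passes `check-source`; nothing in `bad.yaml` is asserted, so a regression that lets the rule accept images from a non-approved source would still pass this test. Adding the expected negative entry, e.g. `- kind: Pod`, `resources: [badpod01]`, `result: fail` under the same policy and rule, would close that gap (the exact resource name must come from `bad.yaml`, which is not in this diff). The require-image-checksum hunk above already pairs pass and fail cases per kind and needs no change.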
diff --git a/other/rec-req/require-imagepullsecrets/kyverno-test.yaml b/other/rec-req/require-imagepullsecrets/kyverno-test.yaml index 9cda1a8ba..ca70ec0e3 100644 --- a/other/rec-req/require-imagepullsecrets/kyverno-test.yaml +++ b/other/rec-req/require-imagepullsecrets/kyverno-test.yaml @@ -1,21 +1,24 @@ name: require-imagepullsecrets policies: - - require-imagepullsecrets.yaml +- require-imagepullsecrets.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: require-imagepullsecrets - rule: check-for-image-pull-secrets - resource: goodpod01 - kind: Pod - result: pass - - policy: require-imagepullsecrets - rule: check-for-image-pull-secrets - resource: badpod01 - kind: Pod - result: fail - - policy: require-imagepullsecrets - rule: check-for-image-pull-secrets - resource: skippod01 - kind: Pod - result: skip \ No newline at end of file +- kind: Pod + policy: require-imagepullsecrets + resources: + - goodpod01 + result: pass + rule: check-for-image-pull-secrets +- kind: Pod + policy: require-imagepullsecrets + resources: + - badpod01 + result: fail + rule: check-for-image-pull-secrets +- kind: Pod + policy: require-imagepullsecrets + resources: + - skippod01 + result: skip + rule: check-for-image-pull-secrets diff --git a/other/rec-req/require-netpol/kyverno-test.yaml b/other/rec-req/require-netpol/kyverno-test.yaml index 05dcedb0d..2dac57318 100644 --- a/other/rec-req/require-netpol/kyverno-test.yaml +++ b/other/rec-req/require-netpol/kyverno-test.yaml @@ -1,12 +1,13 @@ name: require-network-policy policies: - - require-netpol.yaml +- require-netpol.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: require-network-policy - rule: require-network-policy - resource: nginx-deploy - kind: Deployment - result: fail \ No newline at end of file +- kind: Deployment + policy: require-network-policy + resources: + - nginx-deploy + result: fail + rule: require-network-policy +variables: values.yaml 
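Review bot: The require-netpol hunk asserts only that `nginx-deploy` fails `require-network-policy`; there is no passing Deployment in the expectations, so a rule that rejected every Deployment unconditionally would satisfy this test. A second case whose NetworkPolicy selector matches (driven through `variables: values.yaml`, which the new side keeps) with `result: pass` would pin the intended behaviour in both directions. The require-imagepullsecrets hunk on this line already covers `pass`, `fail` and `skip` and is fine as written.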
diff --git a/other/rec-req/require-non-root-groups/kyverno-test.yaml b/other/rec-req/require-non-root-groups/kyverno-test.yaml
index 62a03c812..f50f99676 100644
--- a/other/rec-req/require-non-root-groups/kyverno-test.yaml
+++ b/other/rec-req/require-non-root-groups/kyverno-test.yaml
@@ -1,528 +1,600 @@ name: require-non-root-groups policies: - - require-non-root-groups.yaml +- require-non-root-groups.yaml resources: - - resource.yaml +- resource.yaml results: -############################ -## Rule: check-runasgroup ## -############################ -###### Pods - Bad - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod01 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod02 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod03 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod04 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod05 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod06 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod07 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod08 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod09 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod10 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod11 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod12 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod13 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod14 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badpod15 - kind: Pod - result: fail -###### Pods - Good - - policy: require-non-root-groups - rule: 
check-runasgroup - resource: goodpod01 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodpod02 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodpod03 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodpod04 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodpod05 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodpod06 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodpod07 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodpod08 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodpod09 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodpod10 - kind: Pod - result: pass -###### Deployments - Bad - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment01 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment02 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment03 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment04 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment05 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment06 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment07 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: 
check-runasgroup - resource: baddeployment08 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment09 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment10 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment11 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment12 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment13 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment14 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: baddeployment15 - kind: Deployment - result: fail -###### Deployments - Good - - policy: require-non-root-groups - rule: check-runasgroup - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: gooddeployment02 - kind: Deployment - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: gooddeployment04 - kind: Deployment - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: gooddeployment05 - kind: Deployment - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: gooddeployment06 - kind: Deployment - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: gooddeployment07 - kind: Deployment - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: gooddeployment08 - kind: Deployment - result: pass - - policy: require-non-root-groups - 
rule: check-runasgroup - resource: gooddeployment09 - kind: Deployment - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: gooddeployment10 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob01 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob02 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob03 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob04 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob05 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob06 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob07 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob08 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob09 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob10 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob11 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob12 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob13 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob14 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-runasgroup - resource: badcronjob15 - kind: CronJob - result: fail -###### 
CronJobs - Good - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodcronjob01 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodcronjob02 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodcronjob05 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodcronjob06 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodcronjob07 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodcronjob08 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodcronjob09 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-runasgroup - resource: goodcronjob10 - kind: CronJob - result: pass -#################################### -## Rule: check-supplementalgroups ## -#################################### -###### Pods - Bad - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-badpod01 - kind: Pod - result: fail - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-badpod02 - kind: Pod - result: fail -###### Pods - Good - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-goodpod01 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-goodpod02 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-goodpod03 - kind: Pod - result: pass -###### Deployments - Bad - 
- policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-baddeployment01 - kind: Deployment - result: fail - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-baddeployment02 - kind: Deployment - result: fail -###### Deployments - Good - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-gooddeployment01 - kind: Deployment - result: pass - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-gooddeployment02 - kind: Deployment - result: pass - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-gooddeployment03 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-badcronjob01 - kind: CronJob - result: fail - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-badcronjob02 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-goodcronjob01 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-goodcronjob02 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-supplementalgroups - resource: supgrp-goodcronjob03 - kind: CronJob - result: pass -######################### -## Rule: check-fsgroup ## -######################### -###### Pods - Bad - - policy: require-non-root-groups - rule: check-fsgroup - resource: fsgrp-badpod01 - kind: Pod - result: fail -###### Pods - Good - - policy: require-non-root-groups - rule: check-fsgroup - resource: fsgrp-goodpod01 - kind: Pod - result: pass - - policy: require-non-root-groups - rule: check-fsgroup - resource: fsgrp-goodpod02 - kind: Pod - result: pass -###### Deployments - Bad - - policy: require-non-root-groups - rule: check-fsgroup - resource: 
fsgrp-baddeployment01 - kind: Deployment - result: fail -###### Deployments - Good - - policy: require-non-root-groups - rule: check-fsgroup - resource: fsgrp-gooddeployment01 - kind: Deployment - result: pass - - policy: require-non-root-groups - rule: check-fsgroup - resource: fsgrp-gooddeployment02 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: require-non-root-groups - rule: check-fsgroup - resource: fsgrp-badcronjob01 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: require-non-root-groups - rule: check-fsgroup - resource: fsgrp-goodcronjob01 - kind: CronJob - result: pass - - policy: require-non-root-groups - rule: check-fsgroup - resource: fsgrp-goodcronjob02 - kind: CronJob - result: pass +- kind: Pod + policy: require-non-root-groups + resources: + - badpod01 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod02 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod03 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod04 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod05 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod06 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod07 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod08 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod09 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod10 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod11 + result: fail + rule: check-runasgroup +- kind: 
Pod + policy: require-non-root-groups + resources: + - badpod12 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod13 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod14 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - badpod15 + result: fail + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - goodpod01 + result: pass + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - goodpod02 + result: pass + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - goodpod03 + result: pass + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - goodpod04 + result: pass + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - goodpod05 + result: pass + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - goodpod06 + result: pass + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - goodpod07 + result: pass + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - goodpod08 + result: pass + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - goodpod09 + result: pass + rule: check-runasgroup +- kind: Pod + policy: require-non-root-groups + resources: + - goodpod10 + result: pass + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment01 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment02 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment03 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: 
require-non-root-groups + resources: + - baddeployment04 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment05 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment06 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment07 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment08 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment09 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment10 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment11 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment12 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment13 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment14 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - baddeployment15 + result: fail + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - gooddeployment01 + result: pass + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - gooddeployment02 + result: pass + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - gooddeployment03 + result: pass + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - gooddeployment04 + result: pass + rule: 
check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - gooddeployment05 + result: pass + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - gooddeployment06 + result: pass + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - gooddeployment07 + result: pass + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - gooddeployment08 + result: pass + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - gooddeployment09 + result: pass + rule: check-runasgroup +- kind: Deployment + policy: require-non-root-groups + resources: + - gooddeployment10 + result: pass + rule: check-runasgroup +- kind: CronJob + policy: require-non-root-groups + resources: + - badcronjob01 + result: fail + rule: check-runasgroup +- kind: CronJob + policy: require-non-root-groups + resources: + - badcronjob02 + result: fail + rule: check-runasgroup +- kind: CronJob + policy: require-non-root-groups + resources: + - badcronjob03 + result: fail + rule: check-runasgroup +- kind: CronJob + policy: require-non-root-groups + resources: + - badcronjob04 + result: fail + rule: check-runasgroup +- kind: CronJob + policy: require-non-root-groups + resources: + - badcronjob05 + result: fail + rule: check-runasgroup +- kind: CronJob + policy: require-non-root-groups + resources: + - badcronjob06 + result: fail + rule: check-runasgroup +- kind: CronJob + policy: require-non-root-groups + resources: + - badcronjob07 + result: fail + rule: check-runasgroup +- kind: CronJob + policy: require-non-root-groups + resources: + - badcronjob08 + result: fail + rule: check-runasgroup +- kind: CronJob + policy: require-non-root-groups + resources: + - badcronjob09 + result: fail + rule: check-runasgroup +- kind: CronJob + policy: require-non-root-groups + resources: + - badcronjob10 + result: fail + rule: check-runasgroup +- 
kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - badcronjob11
+ result: fail
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - badcronjob12
+ result: fail
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - badcronjob13
+ result: fail
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - badcronjob14
+ result: fail
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - badcronjob15
+ result: fail
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - goodcronjob01
+ result: pass
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - goodcronjob02
+ result: pass
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - goodcronjob03
+ result: pass
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - goodcronjob04
+ result: pass
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - goodcronjob05
+ result: pass
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - goodcronjob06
+ result: pass
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - goodcronjob07
+ result: pass
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - goodcronjob08
+ result: pass
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - goodcronjob09
+ result: pass
+ rule: check-runasgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - goodcronjob10
+ result: pass
+ rule: check-runasgroup
+- kind: Pod
+ policy: require-non-root-groups
+ resources:
+ - supgrp-badpod01
+ result: fail
+ rule: check-supplementalgroups
+- kind: Pod
+ policy: require-non-root-groups
+ 
resources:
+ - supgrp-badpod02
+ result: fail
+ rule: check-supplementalgroups
+- kind: Pod
+ policy: require-non-root-groups
+ resources:
+ - supgrp-goodpod01
+ result: pass
+ rule: check-supplementalgroups
+- kind: Pod
+ policy: require-non-root-groups
+ resources:
+ - supgrp-goodpod02
+ result: pass
+ rule: check-supplementalgroups
+- kind: Pod
+ policy: require-non-root-groups
+ resources:
+ - supgrp-goodpod03
+ result: pass
+ rule: check-supplementalgroups
+- kind: Deployment
+ policy: require-non-root-groups
+ resources:
+ - supgrp-baddeployment01
+ result: fail
+ rule: check-supplementalgroups
+- kind: Deployment
+ policy: require-non-root-groups
+ resources:
+ - supgrp-baddeployment02
+ result: fail
+ rule: check-supplementalgroups
+- kind: Deployment
+ policy: require-non-root-groups
+ resources:
+ - supgrp-gooddeployment01
+ result: pass
+ rule: check-supplementalgroups
+- kind: Deployment
+ policy: require-non-root-groups
+ resources:
+ - supgrp-gooddeployment02
+ result: pass
+ rule: check-supplementalgroups
+- kind: Deployment
+ policy: require-non-root-groups
+ resources:
+ - supgrp-gooddeployment03
+ result: pass
+ rule: check-supplementalgroups
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - supgrp-badcronjob01
+ result: fail
+ rule: check-supplementalgroups
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - supgrp-badcronjob02
+ result: fail
+ rule: check-supplementalgroups
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - supgrp-goodcronjob01
+ result: pass
+ rule: check-supplementalgroups
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - supgrp-goodcronjob02
+ result: pass
+ rule: check-supplementalgroups
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - supgrp-goodcronjob03
+ result: pass
+ rule: check-supplementalgroups
+- kind: Pod
+ policy: require-non-root-groups
+ resources:
+ - fsgrp-badpod01
+ result: fail
+ rule: check-fsgroup
+- kind: Pod
+ 
policy: require-non-root-groups
+ resources:
+ - fsgrp-goodpod01
+ result: pass
+ rule: check-fsgroup
+- kind: Pod
+ policy: require-non-root-groups
+ resources:
+ - fsgrp-goodpod02
+ result: pass
+ rule: check-fsgroup
+- kind: Deployment
+ policy: require-non-root-groups
+ resources:
+ - fsgrp-baddeployment01
+ result: fail
+ rule: check-fsgroup
+- kind: Deployment
+ policy: require-non-root-groups
+ resources:
+ - fsgrp-gooddeployment01
+ result: pass
+ rule: check-fsgroup
+- kind: Deployment
+ policy: require-non-root-groups
+ resources:
+ - fsgrp-gooddeployment02
+ result: pass
+ rule: check-fsgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - fsgrp-badcronjob01
+ result: fail
+ rule: check-fsgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - fsgrp-goodcronjob01
+ result: pass
+ rule: check-fsgroup
+- kind: CronJob
+ policy: require-non-root-groups
+ resources:
+ - fsgrp-goodcronjob02
+ result: pass
+ rule: check-fsgroup
diff --git a/other/rec-req/require-pod-priorityclassname/kyverno-test.yaml b/other/rec-req/require-pod-priorityclassname/kyverno-test.yaml
index 2a19e4ae8..5bd23c2f2 100644
--- a/other/rec-req/require-pod-priorityclassname/kyverno-test.yaml
+++ b/other/rec-req/require-pod-priorityclassname/kyverno-test.yaml
@@ -1,16 +1,18 @@
 name: require-pod-priorityclassname
 policies:
- - require-pod-priorityclassname.yaml
+- require-pod-priorityclassname.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: require-pod-priorityclassname
- rule: check-priorityclassname
- resource: goodpod01
- kind: Pod
- result: pass
- - policy: require-pod-priorityclassname
- rule: check-priorityclassname
- resource: badpod01
- kind: Pod
- result: fail
+- kind: Pod
+ policy: require-pod-priorityclassname
+ resources:
+ - goodpod01
+ result: pass
+ rule: check-priorityclassname
+- kind: Pod
+ policy: require-pod-priorityclassname
+ resources:
+ - badpod01
+ result: fail
+ rule: check-priorityclassname
diff --git a/other/rec-req/require-storageclass/kyverno-test.yaml b/other/rec-req/require-storageclass/kyverno-test.yaml
index 0e35fd91c..b5517a578 100644
--- a/other/rec-req/require-storageclass/kyverno-test.yaml
+++ b/other/rec-req/require-storageclass/kyverno-test.yaml
@@ -1,31 +1,36 @@
 name: require-storageclass
 policies:
- - require-storageclass.yaml
+- require-storageclass.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: require-storageclass
- rule: pvc-storageclass
- resource: goodpvc
- kind: PersistentVolumeClaim
- result: pass
- - policy: require-storageclass
- rule: pvc-storageclass
- resource: badpvc
- kind: PersistentVolumeClaim
- result: fail
- - policy: require-storageclass
- rule: ss-storageclass
- resource: goodss
- kind: StatefulSet
- result: pass
- - policy: require-storageclass
- rule: ss-storageclass
- resource: goodss-novct
- kind: StatefulSet
- result: pass
- - policy: require-storageclass
- rule: ss-storageclass
- resource: badss
- kind: StatefulSet
- result: fail
+- kind: PersistentVolumeClaim
+ policy: require-storageclass
+ resources:
+ - goodpvc
+ result: pass
+ rule: pvc-storageclass
+- kind: PersistentVolumeClaim
+ policy: require-storageclass
+ resources:
+ - badpvc
+ result: fail
+ rule: pvc-storageclass
+- kind: StatefulSet
+ policy: require-storageclass
+ resources:
+ - goodss
+ result: pass
+ rule: ss-storageclass
+- kind: StatefulSet
+ policy: require-storageclass
+ resources:
+ - goodss-novct
+ result: pass
+ rule: ss-storageclass
+- kind: StatefulSet
+ policy: require-storageclass
+ resources:
+ - badss
+ result: fail
+ rule: ss-storageclass
diff --git a/other/rec-req/require-unique-external-dns/kyverno-test.yaml b/other/rec-req/require-unique-external-dns/kyverno-test.yaml
index 8ddc87018..c4b5fe2b2 100644
--- a/other/rec-req/require-unique-external-dns/kyverno-test.yaml
+++ b/other/rec-req/require-unique-external-dns/kyverno-test.yaml
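Review bot: The goodss and goodss-novct entries are identical apart from the resource name (StatefulSet, ss-storageclass, pass), so under the new schema they could be a single entry whose `resources:` list holds both `- goodss` and `- goodss-novct` instead of two copies of the kind/policy/rule/result lines. The same pairing applies to bading01/bading02 and gooding01/gooding02 in the restrict-ingress-wildcard hunk further down. One entry per resource is presumably just what the conversion tool emitted, so this is a readability choice rather than a defect.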
@@ -1,17 +1,19 @@
 name: unique-external-dns
 policies:
- - require-unique-external-dns.yaml
+- require-unique-external-dns.yaml
 resources:
- - resource.yaml
-variables: values.yaml
+- resource.yaml
 results:
- - policy: unique-external-dns
- rule: ensure-valid-externaldns-annotation
- resource: bad-svc
- kind: Service
- result: fail
- - policy: unique-external-dns
- rule: ensure-valid-externaldns-annotation
- resource: good-svc
- kind: Service
- result: pass
\ No newline at end of file
+- kind: Service
+ policy: unique-external-dns
+ resources:
+ - bad-svc
+ result: fail
+ rule: ensure-valid-externaldns-annotation
+- kind: Service
+ policy: unique-external-dns
+ resources:
+ - good-svc
+ result: pass
+ rule: ensure-valid-externaldns-annotation
+variables: values.yaml
diff --git a/other/rec-req/require-unique-uid-per-workload/kyverno-test.yaml b/other/rec-req/require-unique-uid-per-workload/kyverno-test.yaml
index 4aacfa941..6ef41239a 100644
--- a/other/rec-req/require-unique-uid-per-workload/kyverno-test.yaml
+++ b/other/rec-req/require-unique-uid-per-workload/kyverno-test.yaml
@@ -1,17 +1,19 @@
 name: require-unique-uid-per-workload
 policies:
- - require-unique-uid-per-workload.yaml
+- require-unique-uid-per-workload.yaml
 resources:
- - resource.yaml
-variables: variables.yaml
+- resource.yaml
 results:
- - policy: require-unique-uid-per-workload
- rule: require-unique-uid
- resource: already-taken-user
- kind: Pod
- result: fail
- - policy: require-unique-uid-per-workload
- rule: require-unique-uid
- resource: free-user
- kind: Pod
- result: pass
\ No newline at end of file
+- kind: Pod
+ policy: require-unique-uid-per-workload
+ resources:
+ - already-taken-user
+ result: fail
+ rule: require-unique-uid
+- kind: Pod
+ policy: require-unique-uid-per-workload
+ resources:
+ - free-user
+ result: pass
+ rule: require-unique-uid
+variables: variables.yaml
diff --git a/other/res/resolve-image-to-digest/kyverno-test.yaml b/other/res/resolve-image-to-digest/kyverno-test.yaml
index cf7f88465..bab87bdb5 100644
--- a/other/res/resolve-image-to-digest/kyverno-test.yaml
+++ b/other/res/resolve-image-to-digest/kyverno-test.yaml
@@ -1,14 +1,14 @@
 name: resolve-image-to-digest
 policies:
- - resolve-image-to-digest.yaml
+- resolve-image-to-digest.yaml
 resources:
- - pod.yaml
-variables: values.yaml
+- pod.yaml
 results:
- - policy: resolve-image-to-digest
- rule: resolve-to-digest
- resource: busybox
- patchedResource: patchedResource.yaml
- kind: Pod
- result: pass
-
+- kind: Pod
+ patchedResource: patchedResource.yaml
+ policy: resolve-image-to-digest
+ resources:
+ - busybox
+ result: pass
+ rule: resolve-to-digest
+variables: values.yaml
diff --git a/other/res/restrict-annotations/kyverno-test.yaml b/other/res/restrict-annotations/kyverno-test.yaml
index 4d9f97043..9f2773ab6 100644
--- a/other/res/restrict-annotations/kyverno-test.yaml
+++ b/other/res/restrict-annotations/kyverno-test.yaml
@@ -1,21 +1,24 @@
 name: restrict-annotations
 policies:
- - restrict-annotations.yaml
+- restrict-annotations.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: restrict-annotations
- rule: block-flux-v1
- resource: myapp-pod
- kind: Pod
- result: fail
- - policy: restrict-annotations
- rule: block-flux-v1
- resource: mydeploy
- kind: Deployment
- result: fail
- - policy: restrict-annotations
- rule: block-flux-v1
- resource: hello
- kind: CronJob
- result: pass
\ No newline at end of file
+- kind: Pod
+ policy: restrict-annotations
+ resources:
+ - myapp-pod
+ result: fail
+ rule: block-flux-v1
+- kind: Deployment
+ policy: restrict-annotations
+ resources:
+ - mydeploy
+ result: fail
+ rule: block-flux-v1
+- kind: CronJob
+ policy: restrict-annotations
+ resources:
+ - hello
+ result: pass
+ rule: block-flux-v1
diff --git a/other/res/restrict-automount-sa-token/kyverno-test.yaml b/other/res/restrict-automount-sa-token/kyverno-test.yaml
index dfddb1c37..3ab8f4921 100644
--- a/other/res/restrict-automount-sa-token/kyverno-test.yaml
+++ b/other/res/restrict-automount-sa-token/kyverno-test.yaml
@@ -1,26 +1,30 @@
 name: restrict-automount-sa-token
 policies:
- - restrict-automount-sa-token.yaml
+- restrict-automount-sa-token.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: restrict-automount-sa-token
- rule: validate-automountServiceAccountToken
- resource: myapp-pod
- kind: Pod
- result: pass
- - policy: restrict-automount-sa-token
- rule: validate-automountServiceAccountToken
- resource: mydeploy
- kind: Deployment
- result: fail
- - policy: restrict-automount-sa-token
- rule: validate-automountServiceAccountToken
- resource: policy-reporter
- kind: Pod
- result: skip
- - policy: restrict-automount-sa-token
- rule: validate-automountServiceAccountToken
- resource: deploy-policy-reporter
- kind: Deployment
- result: skip
\ No newline at end of file
+- kind: Pod
+ policy: restrict-automount-sa-token
+ resources:
+ - myapp-pod
+ result: pass
+ rule: validate-automountServiceAccountToken
+- kind: Deployment
+ policy: restrict-automount-sa-token
+ resources:
+ - mydeploy
+ result: fail
+ rule: validate-automountServiceAccountToken
+- kind: Pod
+ policy: restrict-automount-sa-token
+ resources:
+ - policy-reporter
+ result: skip
+ rule: validate-automountServiceAccountToken
+- kind: Deployment
+ policy: restrict-automount-sa-token
+ resources:
+ - deploy-policy-reporter
+ result: skip
+ rule: validate-automountServiceAccountToken
diff --git a/other/res/restrict-controlplane-scheduling/kyverno-test.yaml b/other/res/restrict-controlplane-scheduling/kyverno-test.yaml
index ec9280804..69cf0d61a 100644
--- a/other/res/restrict-controlplane-scheduling/kyverno-test.yaml
+++ b/other/res/restrict-controlplane-scheduling/kyverno-test.yaml
@@ -1,30 +1,34 @@
 name: restrict-controlplane-scheduling
 policies:
- - restrict-controlplane-scheduling.yaml
+- restrict-controlplane-scheduling.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: restrict-controlplane-scheduling
- rule: restrict-controlplane-scheduling-master
- resource: myapp-pod-1
- kind: Pod
- namespace: default
- result: fail
- - policy: restrict-controlplane-scheduling
- rule: restrict-controlplane-scheduling-control-plane
- resource: myapp-pod-2
- kind: Pod
- namespace: default
- result: fail
- - policy: restrict-controlplane-scheduling
- rule: restrict-controlplane-scheduling-master
- resource: myapp-pod-2
- kind: Pod
- namespace: default
- result: pass
- - policy: restrict-controlplane-scheduling
- rule: restrict-controlplane-scheduling-control-plane
- resource: myapp-pod-1
- kind: Pod
- namespace: default
- result: pass
\ No newline at end of file
+- kind: Pod
+ namespace: default
+ policy: restrict-controlplane-scheduling
+ resources:
+ - myapp-pod-1
+ result: fail
+ rule: restrict-controlplane-scheduling-master
+- kind: Pod
+ namespace: default
+ policy: restrict-controlplane-scheduling
+ resources:
+ - myapp-pod-2
+ result: fail
+ rule: restrict-controlplane-scheduling-control-plane
+- kind: Pod
+ namespace: default
+ policy: restrict-controlplane-scheduling
+ resources:
+ - myapp-pod-2
+ result: pass
+ rule: restrict-controlplane-scheduling-master
+- kind: Pod
+ namespace: default
+ policy: restrict-controlplane-scheduling
+ resources:
+ - myapp-pod-1
+ result: pass
+ rule: restrict-controlplane-scheduling-control-plane
diff --git a/other/res/restrict-deprecated-registry/kyverno-test.yaml b/other/res/restrict-deprecated-registry/kyverno-test.yaml
index a947531a3..d4ad57643 100644
--- a/other/res/restrict-deprecated-registry/kyverno-test.yaml
+++ b/other/res/restrict-deprecated-registry/kyverno-test.yaml
@@ -1,18 +1,20 @@
 name: restrict-deprecated-registry
 policies:
- - restrict-deprecated-registry.yaml
+- restrict-deprecated-registry.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: restrict-deprecated-registry
- rule: restrict-deprecated-registry
- resource: test-pod-bad
- kind: Pod
- namespace: policy-test
- result: fail
- - policy: restrict-deprecated-registry
- rule: restrict-deprecated-registry
- resource: test-pod-good
- kind: Pod
- namespace: policy-test
- result: pass
+- kind: Pod
+ namespace: policy-test
+ policy: restrict-deprecated-registry
+ resources:
+ - test-pod-bad
+ result: fail
+ rule: restrict-deprecated-registry
+- kind: Pod
+ namespace: policy-test
+ policy: restrict-deprecated-registry
+ resources:
+ - test-pod-good
+ result: pass
+ rule: restrict-deprecated-registry
diff --git a/other/res/restrict-ingress-classes/kyverno-test.yaml b/other/res/restrict-ingress-classes/kyverno-test.yaml
index 8b009f2e8..d853ede49 100644
--- a/other/res/restrict-ingress-classes/kyverno-test.yaml
+++ b/other/res/restrict-ingress-classes/kyverno-test.yaml
@@ -1,18 +1,20 @@
 name: restrict-ingress-classes
 policies:
- - restrict-ingress-classes.yaml
+- restrict-ingress-classes.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: restrict-ingress-classes
- rule: validate-ingress
- resource: minimal-ingress-1
- kind: Ingress
- namespace: default
- result: pass
- - policy: restrict-ingress-classes
- rule: validate-ingress
- resource: minimal-ingress-2
- kind: Ingress
- namespace: default
- result: fail
\ No newline at end of file
+- kind: Ingress
+ namespace: default
+ policy: restrict-ingress-classes
+ resources:
+ - minimal-ingress-1
+ result: pass
+ rule: validate-ingress
+- kind: Ingress
+ namespace: default
+ policy: restrict-ingress-classes
+ resources:
+ - minimal-ingress-2
+ result: fail
+ rule: validate-ingress
diff --git a/other/res/restrict-ingress-defaultbackend/kyverno-test.yaml b/other/res/restrict-ingress-defaultbackend/kyverno-test.yaml
index f85430273..b88767ae4 100644
--- a/other/res/restrict-ingress-defaultbackend/kyverno-test.yaml
+++ b/other/res/restrict-ingress-defaultbackend/kyverno-test.yaml
@@ -1,18 +1,20 @@
 name: restrict-node-defaultbackend
 policies:
- - restrict-ingress-defaultbackend.yaml
+- restrict-ingress-defaultbackend.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: restrict-ingress-defaultbackend
- rule: restrict-ingress-defaultbackend
- resource: sample-app-1
- kind: Ingress
- namespace: default
- result: fail
- - policy: restrict-ingress-defaultbackend
- rule: restrict-ingress-defaultbackend
- resource: sample-app-2
- kind: Ingress
- namespace: default
- result: pass
+- kind: Ingress
+ namespace: default
+ policy: restrict-ingress-defaultbackend
+ resources:
+ - sample-app-1
+ result: fail
+ rule: restrict-ingress-defaultbackend
+- kind: Ingress
+ namespace: default
+ policy: restrict-ingress-defaultbackend
+ resources:
+ - sample-app-2
+ result: pass
+ rule: restrict-ingress-defaultbackend
diff --git a/other/res/restrict-ingress-host/kyverno-test.yaml b/other/res/restrict-ingress-host/kyverno-test.yaml
index 63e52a9eb..3f4028366 100644
--- a/other/res/restrict-ingress-host/kyverno-test.yaml
+++ b/other/res/restrict-ingress-host/kyverno-test.yaml
@@ -1,27 +1,31 @@
 name: unique-ingress-host
 policies:
- - restrict-ingress-host.yaml
+- restrict-ingress-host.yaml
 resources:
- - resource.yaml
-variables: values.yaml
+- resource.yaml
 results:
- - policy: unique-ingress-host
- rule: check-single-host-create
- resource: ingress-kyverno-host
- kind: Ingress
- result: fail
- - policy: unique-ingress-host
- rule: check-single-host-create
- resource: ingress-foo-host
- kind: Ingress
- result: pass
- - policy: unique-ingress-host
- rule: deny-multiple-hosts
- resource: ingress-kyverno-host
- kind: Ingress
- result: skip
- - policy: unique-ingress-host
- rule: deny-multiple-hosts
- resource: ingress-foo-host
- kind: Ingress
- result: fail
\ No newline at end of file
+- kind: Ingress
+ policy: unique-ingress-host
+ resources:
+ - ingress-kyverno-host
+ result: fail
+ rule: check-single-host-create
+- kind: Ingress
+ policy: unique-ingress-host
+ resources:
+ - ingress-foo-host
+ result: pass
+ rule: check-single-host-create
+- kind: Ingress
+ policy: unique-ingress-host
+ resources:
+ - ingress-kyverno-host
+ result: skip
+ rule: deny-multiple-hosts
+- kind: Ingress
+ policy: unique-ingress-host
+ resources:
+ - ingress-foo-host
+ result: fail
+ rule: deny-multiple-hosts
+variables: values.yaml
diff --git a/other/res/restrict-ingress-wildcard/kyverno-test.yaml b/other/res/restrict-ingress-wildcard/kyverno-test.yaml
index b725a09b9..d62e5df4c 100644
--- a/other/res/restrict-ingress-wildcard/kyverno-test.yaml
+++ b/other/res/restrict-ingress-wildcard/kyverno-test.yaml
@@ -1,26 +1,30 @@
 name: restrict-ingress-wildcard
 policies:
- - restrict-ingress-wildcard.yaml
+- restrict-ingress-wildcard.yaml
 resources:
- - resources.yaml
+- resources.yaml
 results:
- - policy: restrict-ingress-wildcard
- rule: block-ingress-wildcard
- resource: bading01
- kind: Ingress
- result: fail
- - policy: restrict-ingress-wildcard
- rule: block-ingress-wildcard
- resource: bading02
- kind: Ingress
- result: fail
- - policy: restrict-ingress-wildcard
- rule: block-ingress-wildcard
- resource: gooding01
- kind: Ingress
- result: pass
- - policy: restrict-ingress-wildcard
- rule: block-ingress-wildcard
- resource: gooding02
- kind: Ingress
- result: pass
+- kind: Ingress
+ policy: restrict-ingress-wildcard
+ resources:
+ - bading01
+ result: fail
+ rule: block-ingress-wildcard
+- kind: Ingress
+ policy: restrict-ingress-wildcard
+ resources:
+ - bading02
+ result: fail
+ rule: block-ingress-wildcard
+- kind: Ingress
+ policy: restrict-ingress-wildcard
+ resources:
+ - gooding01
+ result: pass
+ rule: block-ingress-wildcard
+- kind: Ingress
+ policy: restrict-ingress-wildcard
+ resources:
+ - gooding02
+ result: pass
+ rule: block-ingress-wildcard
diff --git a/other/res/restrict-loadbalancer/kyverno-test.yaml b/other/res/restrict-loadbalancer/kyverno-test.yaml
index c763cc180..600b32c23 100644
--- a/other/res/restrict-loadbalancer/kyverno-test.yaml
+++ b/other/res/restrict-loadbalancer/kyverno-test.yaml
@@ -1,19 +1,20 @@ name: no-loadbalancer-service policies: - - restrict-loadbalancer.yaml +- restrict-loadbalancer.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: no-loadbalancer-service - rule: no-LoadBalancer - resource: my-service-1 - kind: Service - namespace: default - result: fail - - policy: no-loadbalancer-service - rule: no-LoadBalancer - resource: my-service-2 - kind: Service - namespace: default - result: pass - \ No newline at end of file +- kind: Service + namespace: default + policy: no-loadbalancer-service + resources: + - my-service-1 + result: fail + rule: no-LoadBalancer +- kind: Service + namespace: default + policy: no-loadbalancer-service + resources: + - my-service-2 + result: pass + rule: no-LoadBalancer diff --git a/other/res/restrict-node-affinity/kyverno-test.yaml b/other/res/restrict-node-affinity/kyverno-test.yaml index e901209c6..094ae54bc 100644 --- a/other/res/restrict-node-affinity/kyverno-test.yaml +++ b/other/res/restrict-node-affinity/kyverno-test.yaml 
@@ -1,26 +1,30 @@
 name: restrict-node-affinity
 policies:
- - restrict-node-affinity.yaml
+- restrict-node-affinity.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: restrict-node-affinity
- rule: check-nodeaffinity
- resource: goodpod01
- kind: Pod
- result: pass
- - policy: restrict-node-affinity
- rule: check-nodeaffinity
- resource: badpod01
- kind: Pod
- result: fail
- - policy: restrict-node-affinity
- rule: check-nodeaffinity
- resource: baddeploy01
- kind: Deployment
- result: fail
- - policy: restrict-node-affinity
- rule: check-nodeaffinity
- resource: gooddeploy01
- kind: Deployment
- result: pass
\ No newline at end of file
+- kind: Pod
+ policy: restrict-node-affinity
+ resources:
+ - goodpod01
+ result: pass
+ rule: check-nodeaffinity
+- kind: Pod
+ policy: restrict-node-affinity
+ resources:
+ - badpod01
+ result: fail
+ rule: check-nodeaffinity
+- kind: Deployment
+ policy: restrict-node-affinity
+ resources:
+ - baddeploy01
+ result: fail
+ rule: check-nodeaffinity
+- kind: Deployment
+ policy: restrict-node-affinity
+ resources:
+ - gooddeploy01
+ result: pass
+ rule: check-nodeaffinity
diff --git a/other/res/restrict-node-selection/kyverno-test.yaml b/other/res/restrict-node-selection/kyverno-test.yaml
index 3c0b68d8a..71de5ed98 100644
--- a/other/res/restrict-node-selection/kyverno-test.yaml
+++ b/other/res/restrict-node-selection/kyverno-test.yaml
@@ -1,30 +1,34 @@
 name: restrict-node-selection
 policies:
- - restrict-node-selection.yaml
+- restrict-node-selection.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: restrict-node-selection
- rule: restrict-nodeselector
- resource: myapp-pod-1
- kind: Pod
- namespace: default
- result: fail
- - policy: restrict-node-selection
- rule: restrict-nodename
- resource: myapp-pod-1
- kind: Pod
- namespace: default
- result: pass
- - policy: restrict-node-selection
- rule: restrict-nodeselector
- resource: myapp-pod-2
- kind: Pod
- namespace: default
- result: pass
- - policy: restrict-node-selection
- rule: restrict-nodename
- resource: myapp-pod-2
- kind: Pod
- namespace: default
- result: fail
\ No newline at end of file
+- kind: Pod
+ namespace: default
+ policy: restrict-node-selection
+ resources:
+ - myapp-pod-1
+ result: fail
+ rule: restrict-nodeselector
+- kind: Pod
+ namespace: default
+ policy: restrict-node-selection
+ resources:
+ - myapp-pod-1
+ result: pass
+ rule: restrict-nodename
+- kind: Pod
+ namespace: default
+ policy: restrict-node-selection
+ resources:
+ - myapp-pod-2
+ result: pass
+ rule: restrict-nodeselector
+- kind: Pod
+ namespace: default
+ policy: restrict-node-selection
+ resources:
+ - myapp-pod-2
+ result: fail
+ rule: restrict-nodename
diff --git a/other/res/restrict-pod-count-per-node/kyverno-test.yaml b/other/res/restrict-pod-count-per-node/kyverno-test.yaml
index ba6cd129d..ed0ba52bf 100644
--- a/other/res/restrict-pod-count-per-node/kyverno-test.yaml
+++ b/other/res/restrict-pod-count-per-node/kyverno-test.yaml
@@ -1,12 +1,13 @@
 name: restrict-pod-count
 policies:
- - restrict-pod-count-per-node.yaml
+- restrict-pod-count-per-node.yaml
 resources:
- - resource.yaml
-variables: values.yaml
+- resource.yaml
 results:
- - policy: restrict-pod-count
- rule: restrict-pod-count
- resource: myapp-pod
- kind: Pod
- status: fail
\ No newline at end of file
+- kind: Pod
+ policy: restrict-pod-count
+ resources:
+ - myapp-pod
+ result: fail
+ rule: restrict-pod-count
+variables: values.yaml
diff --git a/other/res/restrict-secrets-by-label/kyverno-test.yaml b/other/res/restrict-secrets-by-label/kyverno-test.yaml
index f1961c3f8..0ce199d90 100644
--- a/other/res/restrict-secrets-by-label/kyverno-test.yaml
+++ b/other/res/restrict-secrets-by-label/kyverno-test.yaml
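Review bot: The results list still holds only a failing case (`- myapp-pod` with `result: fail`), so nothing in this test shows that a Pod under the count limit is let through by the restrict-pod-count rule; a second entry for a compliant Pod — `resources:` / `- <compliant-pod-from-resource.yaml>` / `result: pass`, with the placeholder replaced by a name from resource.yaml, which is not in this diff — would pin both sides of the rule. The restrict-usergroup-fsgroup-id hunk further down has the mirror-image gap: validate-userid, validate-groupid and validate-fsgroup are each exercised only with `result: pass` on myapp-pod, so a Pod with an out-of-range id is never shown to be rejected. For admission rules whose purpose is to block non-compliant workloads, the negative case is the one that demonstrates the rule actually fires.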
@@ -1,59 +1,61 @@ name: restrict-secrets-by-label policies: - - restrict-secrets-by-label.yaml +- restrict-secrets-by-label.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: -# checking pod resource secret-env-pod against all three rules - - policy: restrict-secrets-by-label - rule: secrets-lookup-from-env - resource: secret-env-pod - kind: Pod - result: pass - - policy: restrict-secrets-by-label - rule: secrets-lookup-from-envfrom - resource: secret-env-pod - kind: Pod - result: skip - - policy: restrict-secrets-by-label - rule: secrets-lookup-from-volumes - resource: secret-env-pod - kind: Pod - result: skip - -# checking pod resource secret-ref-pod against all three rules - - policy: restrict-secrets-by-label - rule: secrets-lookup-from-env - resource: secret-ref-pod - kind: Pod - result: skip - - policy: restrict-secrets-by-label - rule: secrets-lookup-from-envfrom - resource: secret-ref-pod - kind: Pod - result: fail # status : protected - - policy: restrict-secrets-by-label - rule: secrets-lookup-from-volumes - resource: secret-ref-pod - kind: Pod - result: skip - -# checking pod resource secret-vol-pod against all three rules - - policy: restrict-secrets-by-label - rule: secrets-lookup-from-env - resource: secret-vol-pod - kind: Pod - result: skip - - policy: restrict-secrets-by-label - rule: secrets-lookup-from-envfrom - resource: secret-vol-pod - kind: Pod - result: skip - - policy: restrict-secrets-by-label - rule: secrets-lookup-from-volumes - resource: secret-vol-pod - kind: Pod - result: pass - - \ No newline at end of file +- kind: Pod + policy: restrict-secrets-by-label + resources: + - secret-env-pod + result: pass + rule: secrets-lookup-from-env +- kind: Pod + policy: restrict-secrets-by-label + resources: + - secret-env-pod + result: skip + rule: secrets-lookup-from-envfrom +- kind: Pod + policy: restrict-secrets-by-label + resources: + - secret-env-pod + result: skip + rule: secrets-lookup-from-volumes +- kind: 
Pod
+ policy: restrict-secrets-by-label
+ resources:
+ - secret-ref-pod
+ result: skip
+ rule: secrets-lookup-from-env
+- kind: Pod
+ policy: restrict-secrets-by-label
+ resources:
+ - secret-ref-pod
+ result: fail
+ rule: secrets-lookup-from-envfrom
+- kind: Pod
+ policy: restrict-secrets-by-label
+ resources:
+ - secret-ref-pod
+ result: skip
+ rule: secrets-lookup-from-volumes
+- kind: Pod
+ policy: restrict-secrets-by-label
+ resources:
+ - secret-vol-pod
+ result: skip
+ rule: secrets-lookup-from-env
+- kind: Pod
+ policy: restrict-secrets-by-label
+ resources:
+ - secret-vol-pod
+ result: skip
+ rule: secrets-lookup-from-envfrom
+- kind: Pod
+ policy: restrict-secrets-by-label
+ resources:
+ - secret-vol-pod
+ result: pass
+ rule: secrets-lookup-from-volumes
+variables: values.yaml
diff --git a/other/res/restrict-secrets-by-name/kyverno-test.yaml b/other/res/restrict-secrets-by-name/kyverno-test.yaml
index 6be9e1170..d9ae146ee 100644
--- a/other/res/restrict-secrets-by-name/kyverno-test.yaml
+++ b/other/res/restrict-secrets-by-name/kyverno-test.yaml
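Review bot: The regenerated results drop the three grouping comments (`# checking pod resource secret-env-pod against all three rules` and its two siblings) and the inline `# status : protected` remark on the secret-ref-pod / secrets-lookup-from-envfrom failure, so the file no longer explains why that one combination fails while the other secret-ref-pod rules skip. Consider restoring them as comments above the corresponding entries in the new list; the one on the envfrom failure is the most valuable, since it appears to record that the referenced Secret is the protected one. The hunk begins with the `@@` header on the preceding source line and ends at the moved `variables: values.yaml`.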
@@ -1,51 +1,60 @@
 name: test-secrets-policy
 policies:
- - restrict-secrets-by-name.yaml
+- restrict-secrets-by-name.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
- - policy: restrict-secrets-by-name
- rule: safe-secrets-from-envfrom
- resource: good-pod-all
- kind: Pod
- result: pass
- - policy: restrict-secrets-by-name
- rule: safe-secrets-from-env
- resource: good-pod-all
- kind: Pod
- result: pass
- - policy: restrict-secrets-by-name
- rule: safe-secrets-from-volumes
- resource: good-pod-all
- kind: Pod
- result: pass
- - policy: restrict-secrets-by-name
- rule: safe-secrets-from-volumes
- resource: bad-pod-vol
- kind: Pod
- result: fail
- - policy: restrict-secrets-by-name
- rule: safe-secrets-from-env
- resource: bad-pod-env
- kind: Pod
- result: fail
- - policy: restrict-secrets-by-name
- rule: safe-secrets-from-envfrom
- resource: bad-pod-envfrom
- kind: Pod
- result: fail
- - policy: restrict-secrets-by-name
- rule: safe-secrets-from-env
- resource: bad-deploy-env
- kind: Deployment
- result: fail
- - policy: restrict-secrets-by-name
- rule: safe-secrets-from-envfrom
- resource: bad-deploy-envfrom
- kind: Deployment
- result: fail
- - policy: restrict-secrets-by-name
- rule: safe-secrets-from-volumes
- resource: bad-deploy-vol
- kind: Deployment
- result: fail
+- kind: Pod
+ policy: restrict-secrets-by-name
+ resources:
+ - good-pod-all
+ result: pass
+ rule: safe-secrets-from-envfrom
+- kind: Pod
+ policy: restrict-secrets-by-name
+ resources:
+ - good-pod-all
+ result: pass
+ rule: safe-secrets-from-env
+- kind: Pod
+ policy: restrict-secrets-by-name
+ resources:
+ - good-pod-all
+ result: pass
+ rule: safe-secrets-from-volumes
+- kind: Pod
+ policy: restrict-secrets-by-name
+ resources:
+ - bad-pod-vol
+ result: fail
+ rule: safe-secrets-from-volumes
+- kind: Pod
+ policy: restrict-secrets-by-name
+ resources:
+ - bad-pod-env
+ result: fail
+ rule: safe-secrets-from-env
+- kind: Pod
+ policy: restrict-secrets-by-name
+ resources:
+ - 
bad-pod-envfrom
+ result: fail
+ rule: safe-secrets-from-envfrom
+- kind: Deployment
+ policy: restrict-secrets-by-name
+ resources:
+ - bad-deploy-env
+ result: fail
+ rule: safe-secrets-from-env
+- kind: Deployment
+ policy: restrict-secrets-by-name
+ resources:
+ - bad-deploy-envfrom
+ result: fail
+ rule: safe-secrets-from-envfrom
+- kind: Deployment
+ policy: restrict-secrets-by-name
+ resources:
+ - bad-deploy-vol
+ result: fail
+ rule: safe-secrets-from-volumes
diff --git a/other/res/restrict-service-account/kyverno-test.yaml b/other/res/restrict-service-account/kyverno-test.yaml
index 370ddefd8..4c1474c70 100644
--- a/other/res/restrict-service-account/kyverno-test.yaml
+++ b/other/res/restrict-service-account/kyverno-test.yaml
@@ -1,18 +1,19 @@
 name: restrict-service-account
 policies:
- - restrict-service-account.yaml
+- restrict-service-account.yaml
 resources:
- - resource.yaml
-variables: values.yaml
+- resource.yaml
 results:
- - policy: restrict-service-account
- rule: validate-service-account
- resource: goodpod01
- kind: Pod
- result: pass
-
- - policy: restrict-service-account
- rule: validate-service-account
- resource: badpod01
- kind: Pod
- result: fail
\ No newline at end of file
+- kind: Pod
+ policy: restrict-service-account
+ resources:
+ - goodpod01
+ result: pass
+ rule: validate-service-account
+- kind: Pod
+ policy: restrict-service-account
+ resources:
+ - badpod01
+ result: fail
+ rule: validate-service-account
+variables: values.yaml
diff --git a/other/res/restrict-service-port-range/kyverno-test.yaml b/other/res/restrict-service-port-range/kyverno-test.yaml
index 3a6d03de5..a708fb798 100644
--- a/other/res/restrict-service-port-range/kyverno-test.yaml
+++ b/other/res/restrict-service-port-range/kyverno-test.yaml
@@ -1,16 +1,18 @@ name: restrict-service-port-range policies: - - restrict-service-port-range.yaml +- restrict-service-port-range.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: restrict-service-port-range - rule: restrict-port-range - resource: bad-service - kind: Service - result: fail - - policy: restrict-service-port-range - rule: restrict-port-range - resource: good-service - kind: Service - result: pass \ No newline at end of file +- kind: Service + policy: restrict-service-port-range + resources: + - bad-service + result: fail + rule: restrict-port-range +- kind: Service + policy: restrict-service-port-range + resources: + - good-service + result: pass + rule: restrict-port-range diff --git a/other/res/restrict-storageclass/kyverno-test.yaml b/other/res/restrict-storageclass/kyverno-test.yaml index e491b2367..5288e1bf7 100644 --- a/other/res/restrict-storageclass/kyverno-test.yaml +++ b/other/res/restrict-storageclass/kyverno-test.yaml @@ -1,17 +1,18 @@ name: restrict-storageclass policies: - - restrict-storageclass.yaml +- restrict-storageclass.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: restrict-storageclass - rule: storageclass-delete - resource: badstorageclass - kind: StorageClass - result: fail - - policy: restrict-storageclass - rule: storageclass-delete - resource: goodstorageclass - kind: StorageClass - result: pass - \ No newline at end of file +- kind: StorageClass + policy: restrict-storageclass + resources: + - badstorageclass + result: fail + rule: storageclass-delete +- kind: StorageClass + policy: restrict-storageclass + resources: + - goodstorageclass + result: pass + rule: storageclass-delete diff --git a/other/res/restrict-usergroup-fsgroup-id/kyverno-test.yaml b/other/res/restrict-usergroup-fsgroup-id/kyverno-test.yaml index fafa237dc..5f1136a67 100644 --- a/other/res/restrict-usergroup-fsgroup-id/kyverno-test.yaml +++ b/other/res/restrict-usergroup-fsgroup-id/kyverno-test.yaml 
@@ -1,24 +1,27 @@ name: validate-userid-groupid-fsgroup policies: - - restrict-usergroup-fsgroup-id.yaml +- restrict-usergroup-fsgroup-id.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: validate-userid-groupid-fsgroup - rule: validate-userid - resource: myapp-pod - kind: Pod - namespace: default - result: pass - - policy: validate-userid-groupid-fsgroup - rule: validate-groupid - resource: myapp-pod - kind: Pod - namespace: default - result: pass - - policy: validate-userid-groupid-fsgroup - rule: validate-fsgroup - resource: myapp-pod - kind: Pod - namespace: default - result: pass \ No newline at end of file +- kind: Pod + namespace: default + policy: validate-userid-groupid-fsgroup + resources: + - myapp-pod + result: pass + rule: validate-userid +- kind: Pod + namespace: default + policy: validate-userid-groupid-fsgroup + resources: + - myapp-pod + result: pass + rule: validate-groupid +- kind: Pod + namespace: default + policy: validate-userid-groupid-fsgroup + resources: + - myapp-pod + result: pass + rule: validate-fsgroup diff --git a/other/s-z/spread-pods-across-topology/kyverno-test.yaml b/other/s-z/spread-pods-across-topology/kyverno-test.yaml index c1de4cbdb..1e4812c03 100644 --- a/other/s-z/spread-pods-across-topology/kyverno-test.yaml +++ b/other/s-z/spread-pods-across-topology/kyverno-test.yaml @@ -1,12 +1,13 @@ name: spread-pods policies: - - spread-pods-across-topology.yaml +- spread-pods-across-topology.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: spread-pods - rule: spread-pods-across-nodes - resource: mydeploy - kind: Deployment - patchedResource: patchedResource.yaml - result: pass \ No newline at end of file +- kind: Deployment + patchedResource: patchedResource.yaml + policy: spread-pods + resources: + - mydeploy + result: pass + rule: spread-pods-across-nodes 
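Review bot: The restrict-usergroup-fsgroup-id results list still contains only `result: pass` expectations, all for the single resource `myapp-pod`, so none of the three rules (`validate-userid`, `validate-groupid`, `validate-fsgroup`) is ever checked against an input it should reject. A regression that turns a rule into a no-op (a wrong JMESPath, a match block that no longer selects Pods) would keep this test green, which defeats the purpose of a validate-policy test. Every other test file in this diff pairs its good fixtures with bad ones; this one should too, with a pod whose runAsUser/runAsGroup/fsGroup fall outside the allowed range (presumably added to resource.yaml alongside `myapp-pod`) and a `result: fail` entry per rule in the same key order the migration uses.

```yaml
# … unchanged: existing pass entries for myapp-pod …
- kind: Pod
  namespace: default
  policy: validate-userid-groupid-fsgroup
  resources:
  - badpod01
  result: fail
  rule: validate-userid
- kind: Pod
  namespace: default
  policy: validate-userid-groupid-fsgroup
  resources:
  - badpod01
  result: fail
  rule: validate-groupid
- kind: Pod
  namespace: default
  policy: validate-userid-groupid-fsgroup
  resources:
  - badpod01
  result: fail
  rule: validate-fsgroup
```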
diff --git a/pod-security/baseline/disallow-capabilities/kyverno-test.yaml b/pod-security/baseline/disallow-capabilities/kyverno-test.yaml index 1540aa033..ea47a611f 100644 --- a/pod-security/baseline/disallow-capabilities/kyverno-test.yaml +++ b/pod-security/baseline/disallow-capabilities/kyverno-test.yaml 
@@ -1,192 +1,222 @@ name: disallow-capabilities policies: - - disallow-capabilities.yaml +- disallow-capabilities.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: disallow-capabilities - rule: adding-capabilities - resource: badpod01 - kind: Pod - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: badpod02 - kind: Pod - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: badpod03 - kind: Pod - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: badpod04 - kind: Pod - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: badpod05 - kind: Pod - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: badpod06 - kind: Pod - result: fail -###### Pods - Good - - policy: disallow-capabilities - rule: adding-capabilities - resource: goodpod01 - kind: Pod - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: goodpod02 - kind: Pod - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: goodpod03 - kind: Pod - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: goodpod04 - kind: Pod - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: goodpod05 - kind: Pod - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: goodpod06 - kind: Pod - result: pass -###### Deployments - Bad - - policy: disallow-capabilities - rule: adding-capabilities - resource: baddeployment01 - kind: Deployment - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: baddeployment02 - kind: Deployment - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: baddeployment03 - kind: Deployment - result: fail - - policy: disallow-capabilities - rule: adding-capabilities 
- resource: baddeployment04 - kind: Deployment - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: baddeployment05 - kind: Deployment - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: baddeployment06 - kind: Deployment - result: fail -###### Deployments - Good - - policy: disallow-capabilities - rule: adding-capabilities - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: gooddeployment02 - kind: Deployment - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: gooddeployment04 - kind: Deployment - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: gooddeployment05 - kind: Deployment - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: gooddeployment06 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: disallow-capabilities - rule: adding-capabilities - resource: badcronjob01 - kind: CronJob - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: badcronjob02 - kind: CronJob - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: badcronjob03 - kind: CronJob - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: badcronjob04 - kind: CronJob - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: badcronjob05 - kind: CronJob - result: fail - - policy: disallow-capabilities - rule: adding-capabilities - resource: badcronjob06 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: disallow-capabilities - rule: adding-capabilities - resource: goodcronjob01 - kind: CronJob - result: pass - - policy: disallow-capabilities - 
rule: adding-capabilities - resource: goodcronjob02 - kind: CronJob - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: goodcronjob05 - kind: CronJob - result: pass - - policy: disallow-capabilities - rule: adding-capabilities - resource: goodcronjob06 - kind: CronJob - result: pass +- kind: Pod + policy: disallow-capabilities + resources: + - badpod01 + result: fail + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - badpod02 + result: fail + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - badpod03 + result: fail + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - badpod04 + result: fail + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - badpod05 + result: fail + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - badpod06 + result: fail + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - goodpod01 + result: pass + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - goodpod02 + result: pass + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - goodpod03 + result: pass + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - goodpod04 + result: pass + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - goodpod05 + result: pass + rule: adding-capabilities +- kind: Pod + policy: disallow-capabilities + resources: + - goodpod06 + result: pass + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + 
- baddeployment01 + result: fail + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - baddeployment02 + result: fail + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - baddeployment03 + result: fail + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - baddeployment04 + result: fail + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - baddeployment05 + result: fail + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - baddeployment06 + result: fail + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - gooddeployment01 + result: pass + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - gooddeployment02 + result: pass + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - gooddeployment03 + result: pass + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - gooddeployment04 + result: pass + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - gooddeployment05 + result: pass + rule: adding-capabilities +- kind: Deployment + policy: disallow-capabilities + resources: + - gooddeployment06 + result: pass + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - badcronjob01 + result: fail + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - badcronjob02 + result: fail + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - badcronjob03 + result: fail + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - badcronjob04 + result: fail + rule: adding-capabilities +- kind: CronJob + policy: 
disallow-capabilities + resources: + - badcronjob05 + result: fail + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - badcronjob06 + result: fail + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - goodcronjob01 + result: pass + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - goodcronjob02 + result: pass + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - goodcronjob03 + result: pass + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - goodcronjob04 + result: pass + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - goodcronjob05 + result: pass + rule: adding-capabilities +- kind: CronJob + policy: disallow-capabilities + resources: + - goodcronjob06 + result: pass + rule: adding-capabilities diff --git a/pod-security/baseline/disallow-host-namespaces/kyverno-test.yaml b/pod-security/baseline/disallow-host-namespaces/kyverno-test.yaml index 351598a95..124392e1e 100644 --- a/pod-security/baseline/disallow-host-namespaces/kyverno-test.yaml +++ b/pod-security/baseline/disallow-host-namespaces/kyverno-test.yaml 
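Review bot: The regenerated results list drops the `###### Pods - Bad` / `###### Pods - Good` / `###### Deployments - Bad` … separators that the old side carried, leaving 36 entries of identical shape that differ only in `kind`, the resource name and `result`. Those comments are ignored by `kyverno test` but they are what lets a reviewer notice when one kind's fixture count drifts from the others (six bad and six good per kind here) or when a `fail` entry is accidentally flipped to `pass`. If the file was rewritten by a tool that sorts keys and strips comments, it would be worth re-adding a one-line marker above the first entry of each group, e.g. `# Pods - Bad`, `# Pods - Good`, `# Deployments - Bad`, so the grouping survives the new format; the same applies to the disallow-host-namespaces and disallow-host-path files further down in this diff.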
@@ -1,147 +1,168 @@ name: disallow-host-namespaces policies: - - disallow-host-namespaces.yaml +- disallow-host-namespaces.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: disallow-host-namespaces - rule: host-namespaces - resource: badpod01 - kind: Pod - result: fail - - policy: disallow-host-namespaces - rule: host-namespaces - resource: badpod02 - kind: Pod - result: fail - - policy: disallow-host-namespaces - rule: host-namespaces - resource: badpod03 - kind: Pod - result: fail - - policy: disallow-host-namespaces - rule: host-namespaces - resource: badpod04 - kind: Pod - result: fail -###### Pods - Good - - policy: disallow-host-namespaces - rule: host-namespaces - resource: goodpod01 - kind: Pod - result: pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: goodpod02 - kind: Pod - result: pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: goodpod03 - kind: Pod - result: pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: goodpod04 - kind: Pod - result: pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: goodpod05 - kind: Pod - result: pass -###### Deployments - Bad - - policy: disallow-host-namespaces - rule: host-namespaces - resource: baddeployment01 - kind: Deployment - result: fail - - policy: disallow-host-namespaces - rule: host-namespaces - resource: baddeployment02 - kind: Deployment - result: fail - - policy: disallow-host-namespaces - rule: host-namespaces - resource: baddeployment03 - kind: Deployment - result: fail - - policy: disallow-host-namespaces - rule: host-namespaces - resource: baddeployment04 - kind: Deployment - result: fail -###### Deployments - Good - - policy: disallow-host-namespaces - rule: host-namespaces - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: gooddeployment02 - kind: Deployment - result: 
pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: gooddeployment04 - kind: Deployment - result: pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: gooddeployment05 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: disallow-host-namespaces - rule: host-namespaces - resource: badcronjob01 - kind: CronJob - result: fail - - policy: disallow-host-namespaces - rule: host-namespaces - resource: badcronjob02 - kind: CronJob - result: fail - - policy: disallow-host-namespaces - rule: host-namespaces - resource: badcronjob03 - kind: CronJob - result: fail - - policy: disallow-host-namespaces - rule: host-namespaces - resource: badcronjob04 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: disallow-host-namespaces - rule: host-namespaces - resource: goodcronjob01 - kind: CronJob - result: pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: goodcronjob02 - kind: CronJob - result: pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: disallow-host-namespaces - rule: host-namespaces - resource: goodcronjob05 - kind: CronJob - result: pass +- kind: Pod + policy: disallow-host-namespaces + resources: + - badpod01 + result: fail + rule: host-namespaces +- kind: Pod + policy: disallow-host-namespaces + resources: + - badpod02 + result: fail + rule: host-namespaces +- kind: Pod + policy: disallow-host-namespaces + resources: + - badpod03 + result: fail + rule: host-namespaces +- kind: Pod + policy: disallow-host-namespaces + resources: + - badpod04 + result: fail + rule: host-namespaces +- kind: Pod + policy: disallow-host-namespaces + resources: + - 
goodpod01 + result: pass + rule: host-namespaces +- kind: Pod + policy: disallow-host-namespaces + resources: + - goodpod02 + result: pass + rule: host-namespaces +- kind: Pod + policy: disallow-host-namespaces + resources: + - goodpod03 + result: pass + rule: host-namespaces +- kind: Pod + policy: disallow-host-namespaces + resources: + - goodpod04 + result: pass + rule: host-namespaces +- kind: Pod + policy: disallow-host-namespaces + resources: + - goodpod05 + result: pass + rule: host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - baddeployment01 + result: fail + rule: host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - baddeployment02 + result: fail + rule: host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - baddeployment03 + result: fail + rule: host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - baddeployment04 + result: fail + rule: host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - gooddeployment01 + result: pass + rule: host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - gooddeployment02 + result: pass + rule: host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - gooddeployment03 + result: pass + rule: host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - gooddeployment04 + result: pass + rule: host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - gooddeployment05 + result: pass + rule: host-namespaces +- kind: CronJob + policy: disallow-host-namespaces + resources: + - badcronjob01 + result: fail + rule: host-namespaces +- kind: CronJob + policy: disallow-host-namespaces + resources: + - badcronjob02 + result: fail + rule: host-namespaces +- kind: CronJob + policy: disallow-host-namespaces + resources: + - badcronjob03 + result: fail + rule: 
host-namespaces +- kind: CronJob + policy: disallow-host-namespaces + resources: + - badcronjob04 + result: fail + rule: host-namespaces +- kind: CronJob + policy: disallow-host-namespaces + resources: + - goodcronjob01 + result: pass + rule: host-namespaces +- kind: CronJob + policy: disallow-host-namespaces + resources: + - goodcronjob02 + result: pass + rule: host-namespaces +- kind: CronJob + policy: disallow-host-namespaces + resources: + - goodcronjob03 + result: pass + rule: host-namespaces +- kind: CronJob + policy: disallow-host-namespaces + resources: + - goodcronjob04 + result: pass + rule: host-namespaces +- kind: CronJob + policy: disallow-host-namespaces + resources: + - goodcronjob05 + result: pass + rule: host-namespaces diff --git a/pod-security/baseline/disallow-host-path/kyverno-test.yaml b/pod-security/baseline/disallow-host-path/kyverno-test.yaml index f173a2a27..e8727e8da 100644 --- a/pod-security/baseline/disallow-host-path/kyverno-test.yaml +++ b/pod-security/baseline/disallow-host-path/kyverno-test.yaml 
@@ -1,72 +1,78 @@ name: disallow-host-path policies: - - disallow-host-path.yaml +- disallow-host-path.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: disallow-host-path - rule: host-path - resource: badpod01 - kind: Pod - result: fail - - policy: disallow-host-path - rule: host-path - resource: badpod02 - kind: Pod - result: fail -###### Pods - Good - - policy: disallow-host-path - rule: host-path - resource: goodpod01 - kind: Pod - result: pass - - policy: disallow-host-path - rule: host-path - resource: goodpod02 - kind: Pod - result: pass -###### Deployments - Bad - - policy: disallow-host-path - rule: host-path - resource: baddeployment01 - kind: Deployment - result: fail - - policy: disallow-host-path - rule: host-path - resource: baddeployment02 - kind: Deployment - result: fail -###### Deployments - Good - - policy: disallow-host-path - rule: host-path - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: disallow-host-path - rule: host-path - resource: gooddeployment02 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: disallow-host-path - rule: host-path - resource: badcronjob01 - kind: CronJob - result: fail - - policy: disallow-host-path - rule: host-path - resource: badcronjob02 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: disallow-host-path - rule: host-path - resource: goodcronjob01 - kind: CronJob - result: pass - - policy: disallow-host-path - rule: host-path - resource: goodcronjob02 - kind: CronJob - result: pass +- kind: Pod + policy: disallow-host-path + resources: + - badpod01 + result: fail + rule: host-path +- kind: Pod + policy: disallow-host-path + resources: + - badpod02 + result: fail + rule: host-path +- kind: Pod + policy: disallow-host-path + resources: + - goodpod01 + result: pass + rule: host-path +- kind: Pod + policy: disallow-host-path + resources: + - goodpod02 + result: pass + rule: host-path +- kind: Deployment + policy: 
disallow-host-path + resources: + - baddeployment01 + result: fail + rule: host-path +- kind: Deployment + policy: disallow-host-path + resources: + - baddeployment02 + result: fail + rule: host-path +- kind: Deployment + policy: disallow-host-path + resources: + - gooddeployment01 + result: pass + rule: host-path +- kind: Deployment + policy: disallow-host-path + resources: + - gooddeployment02 + result: pass + rule: host-path +- kind: CronJob + policy: disallow-host-path + resources: + - badcronjob01 + result: fail + rule: host-path +- kind: CronJob + policy: disallow-host-path + resources: + - badcronjob02 + result: fail + rule: host-path +- kind: CronJob + policy: disallow-host-path + resources: + - goodcronjob01 + result: pass + rule: host-path +- kind: CronJob + policy: disallow-host-path + resources: + - goodcronjob02 + result: pass + rule: host-path diff --git a/pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml b/pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml index c44d66c11..bab2a3022 100644 --- a/pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml +++ b/pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml 
@@ -1,312 +1,366 @@ name: disallow-host-ports-range policies: - - disallow-host-ports-range.yaml +- disallow-host-ports-range.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod01 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod02 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod03 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod04 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod05 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod06 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod07 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod08 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod09 - kind: Pod - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badpod10 - kind: Pod - result: fail -###### Pods - Good - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod01 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod02 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod03 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod04 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod05 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod06 - kind: Pod - result: pass - - 
policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod07 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod08 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod09 - kind: Pod - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodpod10 - kind: Pod - result: pass -###### Deployments - Bad - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment01 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment02 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment03 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment04 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment05 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment06 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment07 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment08 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment09 - kind: Deployment - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: baddeployment10 - kind: Deployment - result: fail -###### Deployments - Good - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment02 - kind: Deployment - result: pass - - policy: 
disallow-host-ports-range - rule: host-port-range - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment04 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment05 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment06 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment07 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment08 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment09 - kind: Deployment - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: gooddeployment10 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob01 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob02 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob03 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob04 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob05 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob06 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob07 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob08 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - 
rule: host-port-range - resource: badcronjob09 - kind: CronJob - result: fail - - policy: disallow-host-ports-range - rule: host-port-range - resource: badcronjob10 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob01 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob02 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob05 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob06 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob07 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob08 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob09 - kind: CronJob - result: pass - - policy: disallow-host-ports-range - rule: host-port-range - resource: goodcronjob10 - kind: CronJob - result: pass +- kind: Pod + policy: disallow-host-ports-range + resources: + - badpod01 + result: fail + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - badpod02 + result: fail + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - badpod03 + result: fail + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - badpod04 + result: fail + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - badpod05 + result: fail + rule: host-port-range +- kind: Pod + 
policy: disallow-host-ports-range + resources: + - badpod06 + result: fail + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - badpod07 + result: fail + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - badpod08 + result: fail + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - badpod09 + result: fail + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - badpod10 + result: fail + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - goodpod01 + result: pass + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - goodpod02 + result: pass + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - goodpod03 + result: pass + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - goodpod04 + result: pass + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - goodpod05 + result: pass + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - goodpod06 + result: pass + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - goodpod07 + result: pass + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - goodpod08 + result: pass + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - goodpod09 + result: pass + rule: host-port-range +- kind: Pod + policy: disallow-host-ports-range + resources: + - goodpod10 + result: pass + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - baddeployment01 + result: fail + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - baddeployment02 + result: fail + rule: host-port-range +- kind: Deployment + policy: 
disallow-host-ports-range + resources: + - baddeployment03 + result: fail + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - baddeployment04 + result: fail + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - baddeployment05 + result: fail + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - baddeployment06 + result: fail + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - baddeployment07 + result: fail + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - baddeployment08 + result: fail + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - baddeployment09 + result: fail + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - baddeployment10 + result: fail + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - gooddeployment01 + result: pass + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - gooddeployment02 + result: pass + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - gooddeployment03 + result: pass + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - gooddeployment04 + result: pass + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - gooddeployment05 + result: pass + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - gooddeployment06 + result: pass + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - gooddeployment07 + result: pass + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - gooddeployment08 + result: 
pass + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - gooddeployment09 + result: pass + rule: host-port-range +- kind: Deployment + policy: disallow-host-ports-range + resources: + - gooddeployment10 + result: pass + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - badcronjob01 + result: fail + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - badcronjob02 + result: fail + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - badcronjob03 + result: fail + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - badcronjob04 + result: fail + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - badcronjob05 + result: fail + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - badcronjob06 + result: fail + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - badcronjob07 + result: fail + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - badcronjob08 + result: fail + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - badcronjob09 + result: fail + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - badcronjob10 + result: fail + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - goodcronjob01 + result: pass + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - goodcronjob02 + result: pass + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - goodcronjob03 + result: pass + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - goodcronjob04 + result: pass + rule: host-port-range 
+- kind: CronJob + policy: disallow-host-ports-range + resources: + - goodcronjob05 + result: pass + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - goodcronjob06 + result: pass + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - goodcronjob07 + result: pass + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - goodcronjob08 + result: pass + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - goodcronjob09 + result: pass + rule: host-port-range +- kind: CronJob + policy: disallow-host-ports-range + resources: + - goodcronjob10 + result: pass + rule: host-port-range diff --git a/pod-security/baseline/disallow-host-ports/kyverno-test.yaml b/pod-security/baseline/disallow-host-ports/kyverno-test.yaml index 551f8be5a..bbae5544e 100644 --- a/pod-security/baseline/disallow-host-ports/kyverno-test.yaml +++ b/pod-security/baseline/disallow-host-ports/kyverno-test.yaml 
@@ -1,312 +1,366 @@ name: disallow-host-ports policies: - - disallow-host-ports.yaml +- disallow-host-ports.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: disallow-host-ports - rule: host-ports-none - resource: badpod01 - kind: Pod - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badpod02 - kind: Pod - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badpod03 - kind: Pod - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badpod04 - kind: Pod - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badpod05 - kind: Pod - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badpod06 - kind: Pod - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badpod07 - kind: Pod - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badpod08 - kind: Pod - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badpod09 - kind: Pod - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badpod10 - kind: Pod - result: fail -###### Pods - Good - - policy: disallow-host-ports - rule: host-ports-none - resource: goodpod01 - kind: Pod - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodpod02 - kind: Pod - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodpod03 - kind: Pod - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodpod04 - kind: Pod - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodpod05 - kind: Pod - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodpod06 - kind: Pod - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodpod07 - kind: Pod - result: pass - - policy: 
disallow-host-ports - rule: host-ports-none - resource: goodpod08 - kind: Pod - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodpod09 - kind: Pod - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodpod10 - kind: Pod - result: pass -###### Deployments - Bad - - policy: disallow-host-ports - rule: host-ports-none - resource: baddeployment01 - kind: Deployment - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: baddeployment02 - kind: Deployment - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: baddeployment03 - kind: Deployment - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: baddeployment04 - kind: Deployment - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: baddeployment05 - kind: Deployment - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: baddeployment06 - kind: Deployment - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: baddeployment07 - kind: Deployment - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: baddeployment08 - kind: Deployment - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: baddeployment09 - kind: Deployment - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: baddeployment10 - kind: Deployment - result: fail -###### Deployments - Good - - policy: disallow-host-ports - rule: host-ports-none - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: gooddeployment02 - kind: Deployment - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: gooddeployment04 - kind: Deployment - 
result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: gooddeployment05 - kind: Deployment - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: gooddeployment06 - kind: Deployment - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: gooddeployment07 - kind: Deployment - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: gooddeployment08 - kind: Deployment - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: gooddeployment09 - kind: Deployment - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: gooddeployment10 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: disallow-host-ports - rule: host-ports-none - resource: badcronjob01 - kind: CronJob - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badcronjob02 - kind: CronJob - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badcronjob03 - kind: CronJob - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badcronjob04 - kind: CronJob - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badcronjob05 - kind: CronJob - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badcronjob06 - kind: CronJob - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badcronjob07 - kind: CronJob - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badcronjob08 - kind: CronJob - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badcronjob09 - kind: CronJob - result: fail - - policy: disallow-host-ports - rule: host-ports-none - resource: badcronjob10 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: disallow-host-ports - rule: host-ports-none - resource: goodcronjob01 - kind: CronJob - 
result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodcronjob02 - kind: CronJob - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodcronjob05 - kind: CronJob - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodcronjob06 - kind: CronJob - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodcronjob07 - kind: CronJob - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodcronjob08 - kind: CronJob - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodcronjob09 - kind: CronJob - result: pass - - policy: disallow-host-ports - rule: host-ports-none - resource: goodcronjob10 - kind: CronJob - result: pass +- kind: Pod + policy: disallow-host-ports + resources: + - badpod01 + result: fail + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - badpod02 + result: fail + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - badpod03 + result: fail + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - badpod04 + result: fail + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - badpod05 + result: fail + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - badpod06 + result: fail + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - badpod07 + result: fail + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - badpod08 + result: fail + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - badpod09 + result: fail + rule: 
host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - badpod10 + result: fail + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - goodpod01 + result: pass + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - goodpod02 + result: pass + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - goodpod03 + result: pass + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - goodpod04 + result: pass + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - goodpod05 + result: pass + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - goodpod06 + result: pass + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - goodpod07 + result: pass + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - goodpod08 + result: pass + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - goodpod09 + result: pass + rule: host-ports-none +- kind: Pod + policy: disallow-host-ports + resources: + - goodpod10 + result: pass + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - baddeployment01 + result: fail + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - baddeployment02 + result: fail + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - baddeployment03 + result: fail + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - baddeployment04 + result: fail + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - baddeployment05 + result: fail + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - baddeployment06 + result: fail + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + 
resources: + - baddeployment07 + result: fail + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - baddeployment08 + result: fail + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - baddeployment09 + result: fail + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - baddeployment10 + result: fail + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - gooddeployment01 + result: pass + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - gooddeployment02 + result: pass + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - gooddeployment03 + result: pass + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - gooddeployment04 + result: pass + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - gooddeployment05 + result: pass + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - gooddeployment06 + result: pass + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - gooddeployment07 + result: pass + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - gooddeployment08 + result: pass + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - gooddeployment09 + result: pass + rule: host-ports-none +- kind: Deployment + policy: disallow-host-ports + resources: + - gooddeployment10 + result: pass + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - badcronjob01 + result: fail + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - badcronjob02 + result: fail + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - badcronjob03 + result: fail + rule: 
host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - badcronjob04 + result: fail + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - badcronjob05 + result: fail + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - badcronjob06 + result: fail + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - badcronjob07 + result: fail + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - badcronjob08 + result: fail + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - badcronjob09 + result: fail + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - badcronjob10 + result: fail + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - goodcronjob01 + result: pass + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - goodcronjob02 + result: pass + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - goodcronjob03 + result: pass + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - goodcronjob04 + result: pass + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - goodcronjob05 + result: pass + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - goodcronjob06 + result: pass + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - goodcronjob07 + result: pass + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - goodcronjob08 + result: pass + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - goodcronjob09 + result: pass + rule: host-ports-none +- kind: CronJob + policy: disallow-host-ports + resources: + - goodcronjob10 + result: pass + rule: host-ports-none 
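Review bot: The rewritten `results` list drops the `###### Pods - Bad` / `###### Pods - Good` / `###### Deployments - …` / `###### CronJobs - …` comments the old file used, so the 60 stanzas now read as one undifferentiated run and a reader has to scan every entry to find where a kind or an expectation changes; please re-add a group comment above each run, e.g. `# Pods - expected fail`. The new schema also makes `resources` a list, yet every stanza lists exactly one resource, so the ten entries that share `policy`, `rule`, `kind` and `result` could be folded into a single stanza per group, which makes the grouping explicit without relying on comments and cuts the file to six stanzas; if this file is regenerated by a tool that expands one resource per entry, the comment alone is the safer change. The `policies`, `resources` and `name` header lines are unchanged apart from indentation and need no action.
```yaml
# Pods - expected fail
- kind: Pod
  policy: disallow-host-ports
  resources:
  - badpod01
  - badpod02
  # … unchanged: badpod03 – badpod10 …
  result: fail
  rule: host-ports-none
# … unchanged: Pod pass, Deployment and CronJob groups in the same shape …
```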
diff --git a/pod-security/baseline/disallow-host-process/kyverno-test.yaml b/pod-security/baseline/disallow-host-process/kyverno-test.yaml
index 2e842735a..61ac71374 100644
--- a/pod-security/baseline/disallow-host-process/kyverno-test.yaml
+++ b/pod-security/baseline/disallow-host-process/kyverno-test.yaml
@@ -1,177 +1,204 @@ name: disallow-host-process policies: - - disallow-host-process.yaml +- disallow-host-process.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: disallow-host-process - rule: host-process-containers - resource: badpod01 - kind: Pod - result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: badpod02 - kind: Pod - result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: badpod03 - kind: Pod - result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: badpod04 - kind: Pod - result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: badpod05 - kind: Pod - result: fail -###### Pods - Good - - policy: disallow-host-process - rule: host-process-containers - resource: goodpod01 - kind: Pod - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: goodpod02 - kind: Pod - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: goodpod03 - kind: Pod - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: goodpod04 - kind: Pod - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: goodpod05 - kind: Pod - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: goodpod06 - kind: Pod - result: pass -###### Deployments - Bad - - policy: disallow-host-process - rule: host-process-containers - resource: baddeployment01 - kind: Deployment - result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: baddeployment02 - kind: Deployment - result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: baddeployment03 - kind: Deployment - result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: baddeployment04 - kind: Deployment - 
result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: baddeployment05 - kind: Deployment - result: fail -###### Deployments - Good - - policy: disallow-host-process - rule: host-process-containers - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: gooddeployment02 - kind: Deployment - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: gooddeployment04 - kind: Deployment - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: gooddeployment05 - kind: Deployment - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: gooddeployment06 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: disallow-host-process - rule: host-process-containers - resource: badcronjob01 - kind: CronJob - result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: badcronjob02 - kind: CronJob - result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: badcronjob03 - kind: CronJob - result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: badcronjob04 - kind: CronJob - result: fail - - policy: disallow-host-process - rule: host-process-containers - resource: badcronjob05 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: disallow-host-process - rule: host-process-containers - resource: goodcronjob01 - kind: CronJob - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: goodcronjob02 - kind: CronJob - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: 
disallow-host-process - rule: host-process-containers - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: goodcronjob05 - kind: CronJob - result: pass - - policy: disallow-host-process - rule: host-process-containers - resource: goodcronjob06 - kind: CronJob - result: pass +- kind: Pod + policy: disallow-host-process + resources: + - badpod01 + result: fail + rule: host-process-containers +- kind: Pod + policy: disallow-host-process + resources: + - badpod02 + result: fail + rule: host-process-containers +- kind: Pod + policy: disallow-host-process + resources: + - badpod03 + result: fail + rule: host-process-containers +- kind: Pod + policy: disallow-host-process + resources: + - badpod04 + result: fail + rule: host-process-containers +- kind: Pod + policy: disallow-host-process + resources: + - badpod05 + result: fail + rule: host-process-containers +- kind: Pod + policy: disallow-host-process + resources: + - goodpod01 + result: pass + rule: host-process-containers +- kind: Pod + policy: disallow-host-process + resources: + - goodpod02 + result: pass + rule: host-process-containers +- kind: Pod + policy: disallow-host-process + resources: + - goodpod03 + result: pass + rule: host-process-containers +- kind: Pod + policy: disallow-host-process + resources: + - goodpod04 + result: pass + rule: host-process-containers +- kind: Pod + policy: disallow-host-process + resources: + - goodpod05 + result: pass + rule: host-process-containers +- kind: Pod + policy: disallow-host-process + resources: + - goodpod06 + result: pass + rule: host-process-containers +- kind: Deployment + policy: disallow-host-process + resources: + - baddeployment01 + result: fail + rule: host-process-containers +- kind: Deployment + policy: disallow-host-process + resources: + - baddeployment02 + result: fail + rule: host-process-containers +- kind: Deployment + policy: disallow-host-process + resources: + - 
baddeployment03 + result: fail + rule: host-process-containers +- kind: Deployment + policy: disallow-host-process + resources: + - baddeployment04 + result: fail + rule: host-process-containers +- kind: Deployment + policy: disallow-host-process + resources: + - baddeployment05 + result: fail + rule: host-process-containers +- kind: Deployment + policy: disallow-host-process + resources: + - gooddeployment01 + result: pass + rule: host-process-containers +- kind: Deployment + policy: disallow-host-process + resources: + - gooddeployment02 + result: pass + rule: host-process-containers +- kind: Deployment + policy: disallow-host-process + resources: + - gooddeployment03 + result: pass + rule: host-process-containers +- kind: Deployment + policy: disallow-host-process + resources: + - gooddeployment04 + result: pass + rule: host-process-containers +- kind: Deployment + policy: disallow-host-process + resources: + - gooddeployment05 + result: pass + rule: host-process-containers +- kind: Deployment + policy: disallow-host-process + resources: + - gooddeployment06 + result: pass + rule: host-process-containers +- kind: CronJob + policy: disallow-host-process + resources: + - badcronjob01 + result: fail + rule: host-process-containers +- kind: CronJob + policy: disallow-host-process + resources: + - badcronjob02 + result: fail + rule: host-process-containers +- kind: CronJob + policy: disallow-host-process + resources: + - badcronjob03 + result: fail + rule: host-process-containers +- kind: CronJob + policy: disallow-host-process + resources: + - badcronjob04 + result: fail + rule: host-process-containers +- kind: CronJob + policy: disallow-host-process + resources: + - badcronjob05 + result: fail + rule: host-process-containers +- kind: CronJob + policy: disallow-host-process + resources: + - goodcronjob01 + result: pass + rule: host-process-containers +- kind: CronJob + policy: disallow-host-process + resources: + - goodcronjob02 + result: pass + rule: 
host-process-containers +- kind: CronJob + policy: disallow-host-process + resources: + - goodcronjob03 + result: pass + rule: host-process-containers +- kind: CronJob + policy: disallow-host-process + resources: + - goodcronjob04 + result: pass + rule: host-process-containers +- kind: CronJob + policy: disallow-host-process + resources: + - goodcronjob05 + result: pass + rule: host-process-containers +- kind: CronJob + policy: disallow-host-process + resources: + - goodcronjob06 + result: pass + rule: host-process-containers diff --git a/pod-security/baseline/disallow-privileged-containers/kyverno-test.yaml b/pod-security/baseline/disallow-privileged-containers/kyverno-test.yaml index 71692d949..129f66c71 100644 --- a/pod-security/baseline/disallow-privileged-containers/kyverno-test.yaml +++ b/pod-security/baseline/disallow-privileged-containers/kyverno-test.yaml 
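Review bot: The section markers `###### Pods - Bad`, `###### Pods - Good`, `###### Deployments - Bad` and so on are deleted along with the old stanzas and nothing replaces them, so the boundary between the five `badpod` fail cases and the six `goodpod` pass cases (and likewise for Deployment and CronJob) is now only visible by reading each `result` line; re-add one comment per group in the new list, e.g. `# Pods - expected fail` above the `badpod01` stanza and `# Pods - expected pass` above `goodpod01`. The expectations themselves (fail for `bad*`, pass for `good*`, all on rule `host-process-containers`) match the removed lines one-for-one, so the change is a layout migration and the comments are the only content lost.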
@@ -1,177 +1,204 @@
 name: disallow-privileged-containers
 policies:
- - disallow-privileged-containers.yaml
+- disallow-privileged-containers.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
-###### Pods - Bad
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: badpod01
- kind: Pod
- result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: badpod02
- kind: Pod
- result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: badpod03
- kind: Pod
- result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: badpod04
- kind: Pod
- result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: badpod05
- kind: Pod
- result: fail
-###### Pods - Good
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: goodpod01
- kind: Pod
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: goodpod02
- kind: Pod
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: goodpod03
- kind: Pod
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: goodpod04
- kind: Pod
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: goodpod05
- kind: Pod
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: goodpod06
- kind: Pod
- result: pass
-###### Deployments - Bad
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: baddeployment01
- kind: Deployment
- result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: baddeployment02
- kind: Deployment
- result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: baddeployment03
- kind: Deployment
- 
result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: baddeployment04
- kind: Deployment
- result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: baddeployment05
- kind: Deployment
- result: fail
-###### Deployments - Good
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: gooddeployment01
- kind: Deployment
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: gooddeployment02
- kind: Deployment
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: gooddeployment03
- kind: Deployment
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: gooddeployment04
- kind: Deployment
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: gooddeployment05
- kind: Deployment
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: gooddeployment06
- kind: Deployment
- result: pass
-###### CronJobs - Bad
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: badcronjob01
- kind: CronJob
- result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: badcronjob02
- kind: CronJob
- result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: badcronjob03
- kind: CronJob
- result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: badcronjob04
- kind: CronJob
- result: fail
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: badcronjob05
- kind: CronJob
- result: fail
-###### CronJobs - Good
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: goodcronjob01
- kind: CronJob
- result: pass
- - policy: disallow-privileged-containers
- rule: 
privileged-containers
- resource: goodcronjob02
- kind: CronJob
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: goodcronjob03
- kind: CronJob
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: goodcronjob04
- kind: CronJob
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: goodcronjob05
- kind: CronJob
- result: pass
- - policy: disallow-privileged-containers
- rule: privileged-containers
- resource: goodcronjob06
- kind: CronJob
- result: pass
+- kind: Pod
+ policy: disallow-privileged-containers
+ resources:
+ - badpod01
+ result: fail
+ rule: privileged-containers
+- kind: Pod
+ policy: disallow-privileged-containers
+ resources:
+ - badpod02
+ result: fail
+ rule: privileged-containers
+- kind: Pod
+ policy: disallow-privileged-containers
+ resources:
+ - badpod03
+ result: fail
+ rule: privileged-containers
+- kind: Pod
+ policy: disallow-privileged-containers
+ resources:
+ - badpod04
+ result: fail
+ rule: privileged-containers
+- kind: Pod
+ policy: disallow-privileged-containers
+ resources:
+ - badpod05
+ result: fail
+ rule: privileged-containers
+- kind: Pod
+ policy: disallow-privileged-containers
+ resources:
+ - goodpod01
+ result: pass
+ rule: privileged-containers
+- kind: Pod
+ policy: disallow-privileged-containers
+ resources:
+ - goodpod02
+ result: pass
+ rule: privileged-containers
+- kind: Pod
+ policy: disallow-privileged-containers
+ resources:
+ - goodpod03
+ result: pass
+ rule: privileged-containers
+- kind: Pod
+ policy: disallow-privileged-containers
+ resources:
+ - goodpod04
+ result: pass
+ rule: privileged-containers
+- kind: Pod
+ policy: disallow-privileged-containers
+ resources:
+ - goodpod05
+ result: pass
+ rule: privileged-containers
+- kind: Pod
+ policy: disallow-privileged-containers
+ resources:
+ - goodpod06
+ result: pass
+ rule: privileged-containers
+- kind: Deployment
+ policy: disallow-privileged-containers
+ resources:
+ - baddeployment01
+ result: fail
+ rule: privileged-containers
+- kind: Deployment
+ policy: disallow-privileged-containers
+ resources:
+ - baddeployment02
+ result: fail
+ rule: privileged-containers
+- kind: Deployment
+ policy: disallow-privileged-containers
+ resources:
+ - baddeployment03
+ result: fail
+ rule: privileged-containers
+- kind: Deployment
+ policy: disallow-privileged-containers
+ resources:
+ - baddeployment04
+ result: fail
+ rule: privileged-containers
+- kind: Deployment
+ policy: disallow-privileged-containers
+ resources:
+ - baddeployment05
+ result: fail
+ rule: privileged-containers
+- kind: Deployment
+ policy: disallow-privileged-containers
+ resources:
+ - gooddeployment01
+ result: pass
+ rule: privileged-containers
+- kind: Deployment
+ policy: disallow-privileged-containers
+ resources:
+ - gooddeployment02
+ result: pass
+ rule: privileged-containers
+- kind: Deployment
+ policy: disallow-privileged-containers
+ resources:
+ - gooddeployment03
+ result: pass
+ rule: privileged-containers
+- kind: Deployment
+ policy: disallow-privileged-containers
+ resources:
+ - gooddeployment04
+ result: pass
+ rule: privileged-containers
+- kind: Deployment
+ policy: disallow-privileged-containers
+ resources:
+ - gooddeployment05
+ result: pass
+ rule: privileged-containers
+- kind: Deployment
+ policy: disallow-privileged-containers
+ resources:
+ - gooddeployment06
+ result: pass
+ rule: privileged-containers
+- kind: CronJob
+ policy: disallow-privileged-containers
+ resources:
+ - badcronjob01
+ result: fail
+ rule: privileged-containers
+- kind: CronJob
+ policy: disallow-privileged-containers
+ resources:
+ - badcronjob02
+ result: fail
+ rule: privileged-containers
+- kind: CronJob
+ policy: disallow-privileged-containers
+ resources:
+ - badcronjob03
+ result: fail
+ rule: privileged-containers
+- kind: CronJob
+ policy: disallow-privileged-containers
+ resources:
+ - 
badcronjob04
+ result: fail
+ rule: privileged-containers
+- kind: CronJob
+ policy: disallow-privileged-containers
+ resources:
+ - badcronjob05
+ result: fail
+ rule: privileged-containers
+- kind: CronJob
+ policy: disallow-privileged-containers
+ resources:
+ - goodcronjob01
+ result: pass
+ rule: privileged-containers
+- kind: CronJob
+ policy: disallow-privileged-containers
+ resources:
+ - goodcronjob02
+ result: pass
+ rule: privileged-containers
+- kind: CronJob
+ policy: disallow-privileged-containers
+ resources:
+ - goodcronjob03
+ result: pass
+ rule: privileged-containers
+- kind: CronJob
+ policy: disallow-privileged-containers
+ resources:
+ - goodcronjob04
+ result: pass
+ rule: privileged-containers
+- kind: CronJob
+ policy: disallow-privileged-containers
+ resources:
+ - goodcronjob05
+ result: pass
+ rule: privileged-containers
+- kind: CronJob
+ policy: disallow-privileged-containers
+ resources:
+ - goodcronjob06
+ result: pass
+ rule: privileged-containers
diff --git a/pod-security/baseline/disallow-proc-mount/kyverno-test.yaml b/pod-security/baseline/disallow-proc-mount/kyverno-test.yaml
index a2a2bbe72..26e4d5ec0 100644
--- a/pod-security/baseline/disallow-proc-mount/kyverno-test.yaml
+++ b/pod-security/baseline/disallow-proc-mount/kyverno-test.yaml
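Review bot: The rewritten results list keeps one six-line entry per resource even though the new `resources:` key is a list, and drops the `###### Pods - Bad` / `###### Pods - Good` section comments the old layout used, so the file grows from 177 to 204 lines (per the hunk header) for the same 33 checks. Entries sharing `kind`, `rule` and `result` could be folded together, e.g. `resources: [badpod01, badpod02, badpod03, badpod04, badpod05]` under one `result: fail` entry, which keeps the old grouping visible without needing comments. The expected verdicts themselves carry over one-to-one (every badpod/baddeployment/badcronjob still fails, every good* resource still passes), so the policy's test coverage is unchanged by this commit. If the file is regenerated by tooling, as the alphabetised keys suggest, the consolidation would have to be done in that tool rather than by hand, or the next regeneration will undo it.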
@@ -1,177 +1,204 @@
 name: disallow-proc-mount
 policies:
- - disallow-proc-mount.yaml
+- disallow-proc-mount.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
-###### Pods - Bad
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: badpod01
- kind: Pod
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: badpod02
- kind: Pod
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: badpod03
- kind: Pod
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: badpod04
- kind: Pod
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: badpod05
- kind: Pod
- result: fail
-###### Pods - Good
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: goodpod01
- kind: Pod
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: goodpod02
- kind: Pod
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: goodpod03
- kind: Pod
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: goodpod04
- kind: Pod
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: goodpod05
- kind: Pod
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: goodpod06
- kind: Pod
- result: pass
-###### Deployments - Bad
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: baddeployment01
- kind: Deployment
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: baddeployment02
- kind: Deployment
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: baddeployment03
- kind: Deployment
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: baddeployment04
- kind: Deployment
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: baddeployment05
- kind: Deployment
- result: fail
-###### 
Deployments - Good
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: gooddeployment01
- kind: Deployment
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: gooddeployment02
- kind: Deployment
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: gooddeployment03
- kind: Deployment
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: gooddeployment04
- kind: Deployment
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: gooddeployment05
- kind: Deployment
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: gooddeployment06
- kind: Deployment
- result: pass
-###### CronJobs - Bad
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: badcronjob01
- kind: CronJob
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: badcronjob02
- kind: CronJob
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: badcronjob03
- kind: CronJob
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: badcronjob04
- kind: CronJob
- result: fail
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: badcronjob05
- kind: CronJob
- result: fail
-###### CronJobs - Good
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: goodcronjob01
- kind: CronJob
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: goodcronjob02
- kind: CronJob
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: goodcronjob03
- kind: CronJob
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: goodcronjob04
- kind: CronJob
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: goodcronjob05
- kind: CronJob
- result: pass
- - policy: disallow-proc-mount
- rule: check-proc-mount
- resource: 
goodcronjob06
- kind: CronJob
- result: pass
+- kind: Pod
+ policy: disallow-proc-mount
+ resources:
+ - badpod01
+ result: fail
+ rule: check-proc-mount
+- kind: Pod
+ policy: disallow-proc-mount
+ resources:
+ - badpod02
+ result: fail
+ rule: check-proc-mount
+- kind: Pod
+ policy: disallow-proc-mount
+ resources:
+ - badpod03
+ result: fail
+ rule: check-proc-mount
+- kind: Pod
+ policy: disallow-proc-mount
+ resources:
+ - badpod04
+ result: fail
+ rule: check-proc-mount
+- kind: Pod
+ policy: disallow-proc-mount
+ resources:
+ - badpod05
+ result: fail
+ rule: check-proc-mount
+- kind: Pod
+ policy: disallow-proc-mount
+ resources:
+ - goodpod01
+ result: pass
+ rule: check-proc-mount
+- kind: Pod
+ policy: disallow-proc-mount
+ resources:
+ - goodpod02
+ result: pass
+ rule: check-proc-mount
+- kind: Pod
+ policy: disallow-proc-mount
+ resources:
+ - goodpod03
+ result: pass
+ rule: check-proc-mount
+- kind: Pod
+ policy: disallow-proc-mount
+ resources:
+ - goodpod04
+ result: pass
+ rule: check-proc-mount
+- kind: Pod
+ policy: disallow-proc-mount
+ resources:
+ - goodpod05
+ result: pass
+ rule: check-proc-mount
+- kind: Pod
+ policy: disallow-proc-mount
+ resources:
+ - goodpod06
+ result: pass
+ rule: check-proc-mount
+- kind: Deployment
+ policy: disallow-proc-mount
+ resources:
+ - baddeployment01
+ result: fail
+ rule: check-proc-mount
+- kind: Deployment
+ policy: disallow-proc-mount
+ resources:
+ - baddeployment02
+ result: fail
+ rule: check-proc-mount
+- kind: Deployment
+ policy: disallow-proc-mount
+ resources:
+ - baddeployment03
+ result: fail
+ rule: check-proc-mount
+- kind: Deployment
+ policy: disallow-proc-mount
+ resources:
+ - baddeployment04
+ result: fail
+ rule: check-proc-mount
+- kind: Deployment
+ policy: disallow-proc-mount
+ resources:
+ - baddeployment05
+ result: fail
+ rule: check-proc-mount
+- kind: Deployment
+ policy: disallow-proc-mount
+ resources:
+ - gooddeployment01
+ result: pass
+ rule: check-proc-mount
+- kind: 
Deployment
+ policy: disallow-proc-mount
+ resources:
+ - gooddeployment02
+ result: pass
+ rule: check-proc-mount
+- kind: Deployment
+ policy: disallow-proc-mount
+ resources:
+ - gooddeployment03
+ result: pass
+ rule: check-proc-mount
+- kind: Deployment
+ policy: disallow-proc-mount
+ resources:
+ - gooddeployment04
+ result: pass
+ rule: check-proc-mount
+- kind: Deployment
+ policy: disallow-proc-mount
+ resources:
+ - gooddeployment05
+ result: pass
+ rule: check-proc-mount
+- kind: Deployment
+ policy: disallow-proc-mount
+ resources:
+ - gooddeployment06
+ result: pass
+ rule: check-proc-mount
+- kind: CronJob
+ policy: disallow-proc-mount
+ resources:
+ - badcronjob01
+ result: fail
+ rule: check-proc-mount
+- kind: CronJob
+ policy: disallow-proc-mount
+ resources:
+ - badcronjob02
+ result: fail
+ rule: check-proc-mount
+- kind: CronJob
+ policy: disallow-proc-mount
+ resources:
+ - badcronjob03
+ result: fail
+ rule: check-proc-mount
+- kind: CronJob
+ policy: disallow-proc-mount
+ resources:
+ - badcronjob04
+ result: fail
+ rule: check-proc-mount
+- kind: CronJob
+ policy: disallow-proc-mount
+ resources:
+ - badcronjob05
+ result: fail
+ rule: check-proc-mount
+- kind: CronJob
+ policy: disallow-proc-mount
+ resources:
+ - goodcronjob01
+ result: pass
+ rule: check-proc-mount
+- kind: CronJob
+ policy: disallow-proc-mount
+ resources:
+ - goodcronjob02
+ result: pass
+ rule: check-proc-mount
+- kind: CronJob
+ policy: disallow-proc-mount
+ resources:
+ - goodcronjob03
+ result: pass
+ rule: check-proc-mount
+- kind: CronJob
+ policy: disallow-proc-mount
+ resources:
+ - goodcronjob04
+ result: pass
+ rule: check-proc-mount
+- kind: CronJob
+ policy: disallow-proc-mount
+ resources:
+ - goodcronjob05
+ result: pass
+ rule: check-proc-mount
+- kind: CronJob
+ policy: disallow-proc-mount
+ resources:
+ - goodcronjob06
+ result: pass
+ rule: check-proc-mount
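Review bot: Every rewritten `- kind: …` entry in this hunk carries a single name under `resources:`, so the 33 results could be collapsed into six entries (one per kind and verdict) using the list form the new schema allows, e.g. `resources: [goodpod01, goodpod02, goodpod03, goodpod04, goodpod05, goodpod06]` with `result: pass` and `rule: check-proc-mount`. The `###### Deployments - Good`-style comments that grouped the old entries were dropped in the rewrite and nothing replaces them, which is what makes the longer file harder to scan. The verdicts match the removed lines resource for resource, so this is a readability point only and does not affect what the policy test asserts.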
diff --git a/pod-security/baseline/disallow-selinux/kyverno-test.yaml b/pod-security/baseline/disallow-selinux/kyverno-test.yaml
index 9e10bc803..05bb38dc0 100644
--- a/pod-security/baseline/disallow-selinux/kyverno-test.yaml
+++ b/pod-security/baseline/disallow-selinux/kyverno-test.yaml
@@ -1,759 +1,888 @@
 name: disallow-selinux
 policies:
- - disallow-selinux.yaml
+- disallow-selinux.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
-########################
-## Rule: selinux-type ##
-########################
-###### Pods - Bad
- - policy: disallow-selinux
- rule: selinux-type
- resource: badpod01
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badpod02
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badpod03
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badpod04
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badpod05
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badpod06
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badpod07
- kind: Pod
- result: fail
-###### Pods - Good
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod01
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod02
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod03
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod04
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod05
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod06
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod07
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod08
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod09
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod10
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: 
selinux-type
- resource: goodpod11
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod12
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod13
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodpod14
- kind: Pod
- result: pass
-###### Deployments - Bad
- - policy: disallow-selinux
- rule: selinux-type
- resource: baddeployment01
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: baddeployment02
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: baddeployment03
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: baddeployment04
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: baddeployment05
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: baddeployment06
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: baddeployment07
- kind: Deployment
- result: fail
-###### Deployments - Good
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment01
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment02
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment03
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment04
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment05
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment06
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment07
- kind: Deployment
- result: pass
- - policy: 
disallow-selinux
- rule: selinux-type
- resource: gooddeployment08
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment09
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment10
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment11
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment12
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment13
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: gooddeployment14
- kind: Deployment
- result: pass
-###### CronJobs - Bad
- - policy: disallow-selinux
- rule: selinux-type
- resource: badcronjob01
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badcronjob02
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badcronjob03
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badcronjob04
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badcronjob05
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badcronjob06
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-type
- resource: badcronjob07
- kind: CronJob
- result: fail
-###### CronJobs - Good
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob01
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob02
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob03
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob04
- kind: CronJob
- result: pass
- - 
policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob05
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob06
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob07
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob08
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob09
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob10
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob11
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob12
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob13
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-type
- resource: goodcronjob14
- kind: CronJob
- result: pass
-#############################
-## Rule: selinux-user-role ##
-#############################
-###### Pods - Bad
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod01
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod02
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod03
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod04
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod05
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod06
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod07
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- 
resource: selur-badpod08
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod09
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod10
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod11
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod12
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod13
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod14
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod15
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod16
- kind: Pod
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badpod17
- kind: Pod
- result: fail
-###### Pods - Good
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-goodpod01
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-goodpod02
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-goodpod03
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-goodpod04
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-goodpod05
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-goodpod06
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-goodpod07
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-goodpod08
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: 
selur-goodpod09
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-goodpod10
- kind: Pod
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-goodpod11
- kind: Pod
- result: pass
-###### Deployments - Bad
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment01
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment02
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment03
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment04
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment05
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment06
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment07
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment08
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment09
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment10
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment11
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment12
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment13
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment14
- kind: Deployment
- 
result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment15
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment16
- kind: Deployment
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-baddeployment17
- kind: Deployment
- result: fail
-###### Deployments - Good
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-gooddeployment01
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-gooddeployment02
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-gooddeployment03
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-gooddeployment04
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-gooddeployment05
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-gooddeployment06
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-gooddeployment07
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-gooddeployment08
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-gooddeployment09
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-gooddeployment10
- kind: Deployment
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-gooddeployment11
- kind: Deployment
- result: pass
-###### CronJobs - Bad
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob01
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob02
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob03
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob04
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob05
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob06
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob07
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob08
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob09
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob10
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob11
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob12
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob13
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob14
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob15
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob16
- kind: CronJob
- result: fail
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-badcronjob17
- kind: CronJob
- result: fail
-###### CronJobs - Good
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: selur-goodcronjob01
- kind: CronJob
- result: pass
- - policy: disallow-selinux
- rule: selinux-user-role
- resource: 
selur-goodcronjob02 - kind: CronJob - result: pass - - policy: disallow-selinux - rule: selinux-user-role - resource: selur-goodcronjob03 - kind: CronJob - result: pass - - policy: disallow-selinux - rule: selinux-user-role - resource: selur-goodcronjob04 - kind: CronJob - result: pass - - policy: disallow-selinux - rule: selinux-user-role - resource: selur-goodcronjob05 - kind: CronJob - result: pass - - policy: disallow-selinux - rule: selinux-user-role - resource: selur-goodcronjob06 - kind: CronJob - result: pass - - policy: disallow-selinux - rule: selinux-user-role - resource: selur-goodcronjob07 - kind: CronJob - result: pass - - policy: disallow-selinux - rule: selinux-user-role - resource: selur-goodcronjob08 - kind: CronJob - result: pass - - policy: disallow-selinux - rule: selinux-user-role - resource: selur-goodcronjob09 - kind: CronJob - result: pass - - policy: disallow-selinux - rule: selinux-user-role - resource: selur-goodcronjob10 - kind: CronJob - result: pass - - policy: disallow-selinux - rule: selinux-user-role - resource: selur-goodcronjob11 - kind: CronJob - result: pass +- kind: Pod + policy: disallow-selinux + resources: + - badpod01 + result: fail + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - badpod02 + result: fail + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - badpod03 + result: fail + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - badpod04 + result: fail + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - badpod05 + result: fail + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - badpod06 + result: fail + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - badpod07 + result: fail + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod01 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod02 + 
result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod03 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod04 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod05 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod06 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod07 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod08 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod09 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod10 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod11 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod12 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod13 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - goodpod14 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - baddeployment01 + result: fail + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - baddeployment02 + result: fail + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - baddeployment03 + result: fail + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - baddeployment04 + result: fail + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - baddeployment05 + result: fail + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - baddeployment06 + result: fail + rule: selinux-type +- kind: Deployment + policy: 
disallow-selinux + resources: + - baddeployment07 + result: fail + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment01 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment02 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment03 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment04 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment05 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment06 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment07 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment08 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment09 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment10 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment11 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment12 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment13 + result: pass + rule: selinux-type +- kind: Deployment + policy: disallow-selinux + resources: + - gooddeployment14 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - badcronjob01 + result: fail + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - badcronjob02 + result: fail + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + 
resources: + - badcronjob03 + result: fail + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - badcronjob04 + result: fail + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - badcronjob05 + result: fail + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - badcronjob06 + result: fail + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - badcronjob07 + result: fail + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob01 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob02 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob03 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob04 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob05 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob06 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob07 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob08 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob09 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob10 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob11 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob12 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + resources: + - goodcronjob13 + result: pass + rule: selinux-type +- kind: CronJob + policy: disallow-selinux + 
resources: + - goodcronjob14 + result: pass + rule: selinux-type +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod01 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod02 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod03 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod04 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod05 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod06 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod07 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod08 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod09 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod10 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod11 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod12 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod13 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod14 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod15 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod16 + result: fail + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-badpod17 + result: fail + rule: selinux-user-role +- kind: Pod 
+ policy: disallow-selinux + resources: + - selur-goodpod01 + result: pass + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-goodpod02 + result: pass + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-goodpod03 + result: pass + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-goodpod04 + result: pass + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-goodpod05 + result: pass + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-goodpod06 + result: pass + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-goodpod07 + result: pass + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-goodpod08 + result: pass + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-goodpod09 + result: pass + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-goodpod10 + result: pass + rule: selinux-user-role +- kind: Pod + policy: disallow-selinux + resources: + - selur-goodpod11 + result: pass + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment01 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment02 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment03 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment04 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment05 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment06 + result: fail + rule: 
selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment07 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment08 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment09 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment10 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment11 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment12 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment13 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment14 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment15 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment16 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-baddeployment17 + result: fail + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-gooddeployment01 + result: pass + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-gooddeployment02 + result: pass + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-gooddeployment03 + result: pass + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-gooddeployment04 + result: pass + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - 
selur-gooddeployment05 + result: pass + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-gooddeployment06 + result: pass + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-gooddeployment07 + result: pass + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-gooddeployment08 + result: pass + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-gooddeployment09 + result: pass + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-gooddeployment10 + result: pass + rule: selinux-user-role +- kind: Deployment + policy: disallow-selinux + resources: + - selur-gooddeployment11 + result: pass + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob01 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob02 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob03 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob04 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob05 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob06 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob07 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob08 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob09 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - 
selur-badcronjob10 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob11 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob12 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob13 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob14 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob15 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob16 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-badcronjob17 + result: fail + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-goodcronjob01 + result: pass + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-goodcronjob02 + result: pass + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-goodcronjob03 + result: pass + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-goodcronjob04 + result: pass + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-goodcronjob05 + result: pass + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-goodcronjob06 + result: pass + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-goodcronjob07 + result: pass + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-goodcronjob08 + result: pass + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-goodcronjob09 + result: pass + rule: 
selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-goodcronjob10 + result: pass + rule: selinux-user-role +- kind: CronJob + policy: disallow-selinux + resources: + - selur-goodcronjob11 + result: pass + rule: selinux-user-role diff --git a/pod-security/baseline/restrict-apparmor-profiles/kyverno-test.yaml b/pod-security/baseline/restrict-apparmor-profiles/kyverno-test.yaml index a7233a9d6..f964a7625 100644 --- a/pod-security/baseline/restrict-apparmor-profiles/kyverno-test.yaml +++ b/pod-security/baseline/restrict-apparmor-profiles/kyverno-test.yaml 
@@ -1,72 +1,78 @@
 name: restrict-apparmor-profiles
 policies:
- - restrict-apparmor-profiles.yaml
+- restrict-apparmor-profiles.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
-###### Pods - Bad
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: badpod01
- kind: Pod
- result: fail
-###### Pods - Good
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: goodpod01
- kind: Pod
- result: pass
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: goodpod02
- kind: Pod
- result: pass
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: goodpod03
- kind: Pod
- result: pass
-###### Deployments - Bad
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: baddeployment01
- kind: Deployment
- result: fail
-###### Deployments - Good
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: gooddeployment01
- kind: Deployment
- result: pass
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: gooddeployment02
- kind: Deployment
- result: pass
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: gooddeployment03
- kind: Deployment
- result: pass
-###### CronJobs - Bad
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: badcronjob01
- kind: CronJob
- result: fail
-###### CronJobs - Good
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: goodcronjob01
- kind: CronJob
- result: pass
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: goodcronjob02
- kind: CronJob
- result: pass
- - policy: restrict-apparmor-profiles
- rule: app-armor
- resource: goodcronjob03
- kind: CronJob
- result: pass
+- kind: Pod
+ policy: restrict-apparmor-profiles
+ resources:
+ - badpod01
+ result: fail
+ rule: app-armor
+- kind: Pod
+ policy: restrict-apparmor-profiles
+ resources:
+ - goodpod01
+ result: pass
+ rule: app-armor
+- kind: Pod
+ policy: restrict-apparmor-profiles
+ resources:
+ - goodpod02
+ result: pass
+ rule: app-armor
+- kind: Pod
+ policy: restrict-apparmor-profiles
+ resources:
+ - goodpod03
+ result: pass
+ rule: app-armor
+- kind: Deployment
+ policy: restrict-apparmor-profiles
+ resources:
+ - baddeployment01
+ result: fail
+ rule: app-armor
+- kind: Deployment
+ policy: restrict-apparmor-profiles
+ resources:
+ - gooddeployment01
+ result: pass
+ rule: app-armor
+- kind: Deployment
+ policy: restrict-apparmor-profiles
+ resources:
+ - gooddeployment02
+ result: pass
+ rule: app-armor
+- kind: Deployment
+ policy: restrict-apparmor-profiles
+ resources:
+ - gooddeployment03
+ result: pass
+ rule: app-armor
+- kind: CronJob
+ policy: restrict-apparmor-profiles
+ resources:
+ - badcronjob01
+ result: fail
+ rule: app-armor
+- kind: CronJob
+ policy: restrict-apparmor-profiles
+ resources:
+ - goodcronjob01
+ result: pass
+ rule: app-armor
+- kind: CronJob
+ policy: restrict-apparmor-profiles
+ resources:
+ - goodcronjob02
+ result: pass
+ rule: app-armor
+- kind: CronJob
+ policy: restrict-apparmor-profiles
+ resources:
+ - goodcronjob03
+ result: pass
+ rule: app-armor
diff --git a/pod-security/baseline/restrict-seccomp/kyverno-test.yaml b/pod-security/baseline/restrict-seccomp/kyverno-test.yaml
index 859853a93..f5b817eb5 100644
--- a/pod-security/baseline/restrict-seccomp/kyverno-test.yaml
+++ b/pod-security/baseline/restrict-seccomp/kyverno-test.yaml
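Review bot: The `###### Pods - Bad` / `Pods - Good` / `Deployments - …` / `CronJobs - …` grouping comments are dropped from the rewritten results list, so the only remaining cue to what each expectation covers is the fixture name; if this file is now regenerated by the CLI that is unavoidable, otherwise a `# Pods - bad` style comment above each group keeps the pass/fail expectations reviewable. The rewrite reads as a mechanical migration from the single `resource:` field to the `resources:` list (keys come out in alphabetical order), and the twelve expectations map one to one onto the removed entries, so no coverage is lost. If the CLI release that introduced the `resources:` list also expects `apiVersion: cli.kyverno.io/v1alpha1` and `kind: Test` at the top of a test file, those are still absent here (the `name:` context line is untouched); worth confirming against the CLI version the repository's CI runs. The same comment loss applies to the restrict-seccomp and restrict-sysctls hunks below and to the disallow-selinux hunk above, whose start is outside this view.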
@@ -1,282 +1,330 @@
 name: restrict-seccomp
 policies:
- - restrict-seccomp.yaml
+- restrict-seccomp.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
-###### Pods - Bad
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badpod01
- kind: Pod
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badpod02
- kind: Pod
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badpod03
- kind: Pod
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badpod04
- kind: Pod
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badpod05
- kind: Pod
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badpod06
- kind: Pod
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badpod07
- kind: Pod
- result: fail
-###### Pods - Good
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodpod01
- kind: Pod
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodpod02
- kind: Pod
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodpod03
- kind: Pod
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodpod04
- kind: Pod
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodpod05
- kind: Pod
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodpod06
- kind: Pod
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodpod07
- kind: Pod
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodpod08
- kind: Pod
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodpod09
- kind: Pod
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodpod10
- kind: Pod
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodpod11
- kind: Pod
- result: pass
-###### Deployments - Bad
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: baddeployment01
- kind: Deployment
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: baddeployment02
- kind: Deployment
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: baddeployment03
- kind: Deployment
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: baddeployment04
- kind: Deployment
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: baddeployment05
- kind: Deployment
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: baddeployment06
- kind: Deployment
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: baddeployment07
- kind: Deployment
- result: fail
-###### Deployments - Good
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: gooddeployment01
- kind: Deployment
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: gooddeployment02
- kind: Deployment
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: gooddeployment03
- kind: Deployment
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: gooddeployment04
- kind: Deployment
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: gooddeployment05
- kind: Deployment
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: gooddeployment06
- kind: Deployment
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: gooddeployment07
- kind: Deployment
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: gooddeployment08
- kind: Deployment
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: gooddeployment09
- kind: Deployment
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: gooddeployment10
- kind: Deployment
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: gooddeployment11
- kind: Deployment
- result: pass
-###### CronJobs - Bad
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badcronjob01
- kind: CronJob
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badcronjob02
- kind: CronJob
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badcronjob03
- kind: CronJob
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badcronjob04
- kind: CronJob
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badcronjob05
- kind: CronJob
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badcronjob06
- kind: CronJob
- result: fail
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: badcronjob07
- kind: CronJob
- result: fail
-###### CronJobs - Good
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodcronjob01
- kind: CronJob
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodcronjob02
- kind: CronJob
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodcronjob03
- kind: CronJob
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodcronjob04
- kind: CronJob
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodcronjob05
- kind: CronJob
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodcronjob06
- kind: CronJob
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodcronjob07
- kind: CronJob
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodcronjob08
- kind: CronJob
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodcronjob09
- kind: CronJob
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodcronjob10
- kind: CronJob
- result: pass
- - policy: restrict-seccomp
- rule: check-seccomp
- resource: goodcronjob11
- kind: CronJob
- result: pass
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - badpod01
+ result: fail
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - badpod02
+ result: fail
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - badpod03
+ result: fail
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - badpod04
+ result: fail
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - badpod05
+ result: fail
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - badpod06
+ result: fail
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - badpod07
+ result: fail
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - goodpod01
+ result: pass
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - goodpod02
+ result: pass
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - goodpod03
+ result: pass
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - goodpod04
+ result: pass
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - goodpod05
+ result: pass
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - goodpod06
+ result: pass
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - goodpod07
+ result: pass
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - goodpod08
+ result: pass
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - goodpod09
+ result: pass
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - goodpod10
+ result: pass
+ rule: check-seccomp
+- kind: Pod
+ policy: restrict-seccomp
+ resources:
+ - goodpod11
+ result: pass
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - baddeployment01
+ result: fail
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - baddeployment02
+ result: fail
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - baddeployment03
+ result: fail
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - baddeployment04
+ result: fail
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - baddeployment05
+ result: fail
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - baddeployment06
+ result: fail
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - baddeployment07
+ result: fail
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - gooddeployment01
+ result: pass
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - gooddeployment02
+ result: pass
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - gooddeployment03
+ result: pass
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - gooddeployment04
+ result: pass
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - gooddeployment05
+ result: pass
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - gooddeployment06
+ result: pass
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - gooddeployment07
+ result: pass
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - gooddeployment08
+ result: pass
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - gooddeployment09
+ result: pass
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - gooddeployment10
+ result: pass
+ rule: check-seccomp
+- kind: Deployment
+ policy: restrict-seccomp
+ resources:
+ - gooddeployment11
+ result: pass
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - badcronjob01
+ result: fail
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - badcronjob02
+ result: fail
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - badcronjob03
+ result: fail
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - badcronjob04
+ result: fail
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - badcronjob05
+ result: fail
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - badcronjob06
+ result: fail
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - badcronjob07
+ result: fail
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - goodcronjob01
+ result: pass
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - goodcronjob02
+ result: pass
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - goodcronjob03
+ result: pass
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - goodcronjob04
+ result: pass
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - goodcronjob05
+ result: pass
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - goodcronjob06
+ result: pass
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - goodcronjob07
+ result: pass
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - goodcronjob08
+ result: pass
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - goodcronjob09
+ result: pass
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - goodcronjob10
+ result: pass
+ rule: check-seccomp
+- kind: CronJob
+ policy: restrict-seccomp
+ resources:
+ - goodcronjob11
+ result: pass
+ rule: check-seccomp
diff --git a/pod-security/baseline/restrict-sysctls/kyverno-test.yaml b/pod-security/baseline/restrict-sysctls/kyverno-test.yaml
index 5465c63ea..8c09ee32e 100644
--- a/pod-security/baseline/restrict-sysctls/kyverno-test.yaml
+++ b/pod-security/baseline/restrict-sysctls/kyverno-test.yaml
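Review bot: Every one of the 54 entries in the rewritten results list carries a single-item `resources:` list, so the list form the migration adopts is never actually used; entries that share `kind`, `rule` and `result` could be collapsed into one entry whose `resources:` names `badpod01` through `badpod07` (and likewise for the other five groups), which would cut this file to six entries and make a missing or extra fixture visible at a glance. That is a style point only: the hunk header's counts (282 removed, 330 added) are consistent with 54 entries on both sides, and the 7 bad / 11 good fixtures per kind match the removed entries one to one, so no expectation is lost. Whether the CLI treats a multi-resource entry as "all listed resources must produce this result" should be confirmed before collapsing, since a single `pass` entry hiding one failing fixture would weaken the test. The same single-item shape applies to the restrict-apparmor-profiles hunk above and the restrict-sysctls hunk below.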
@@ -1,147 +1,168 @@
 name: restrict-sysctls
 policies:
- - restrict-sysctls.yaml
+- restrict-sysctls.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
-###### Pods - Bad
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: badpod01
- kind: Pod
- result: fail
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: badpod02
- kind: Pod
- result: fail
-###### Pods - Good
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodpod01
- kind: Pod
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodpod02
- kind: Pod
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodpod03
- kind: Pod
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodpod04
- kind: Pod
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodpod05
- kind: Pod
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodpod06
- kind: Pod
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodpod07
- kind: Pod
- result: pass
-###### Deployments - Bad
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: baddeployment01
- kind: Deployment
- result: fail
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: baddeployment02
- kind: Deployment
- result: fail
-###### Deployments - Good
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: gooddeployment01
- kind: Deployment
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: gooddeployment02
- kind: Deployment
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: gooddeployment03
- kind: Deployment
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: gooddeployment04
- kind: Deployment
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: gooddeployment05
- kind: Deployment
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- 
resource: gooddeployment06
- kind: Deployment
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: gooddeployment07
- kind: Deployment
- result: pass
-###### CronJobs - Bad
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: badcronjob01
- kind: CronJob
- result: fail
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: badcronjob02
- kind: CronJob
- result: fail
-###### CronJobs - Good
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodcronjob01
- kind: CronJob
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodcronjob02
- kind: CronJob
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodcronjob03
- kind: CronJob
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodcronjob04
- kind: CronJob
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodcronjob05
- kind: CronJob
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodcronjob06
- kind: CronJob
- result: pass
- - policy: restrict-sysctls
- rule: check-sysctls
- resource: goodcronjob07
- kind: CronJob
- result: pass
+- kind: Pod
+ policy: restrict-sysctls
+ resources:
+ - badpod01
+ result: fail
+ rule: check-sysctls
+- kind: Pod
+ policy: restrict-sysctls
+ resources:
+ - badpod02
+ result: fail
+ rule: check-sysctls
+- kind: Pod
+ policy: restrict-sysctls
+ resources:
+ - goodpod01
+ result: pass
+ rule: check-sysctls
+- kind: Pod
+ policy: restrict-sysctls
+ resources:
+ - goodpod02
+ result: pass
+ rule: check-sysctls
+- kind: Pod
+ policy: restrict-sysctls
+ resources:
+ - goodpod03
+ result: pass
+ rule: check-sysctls
+- kind: Pod
+ policy: restrict-sysctls
+ resources:
+ - goodpod04
+ result: pass
+ rule: check-sysctls
+- kind: Pod
+ policy: restrict-sysctls
+ resources:
+ - goodpod05
+ result: pass
+ rule: check-sysctls
+- kind: Pod
+ policy: restrict-sysctls
+ resources:
+ - goodpod06
+ result: pass
+ rule: check-sysctls
+- kind: Pod
+ policy: restrict-sysctls
+ resources:
+ - goodpod07
+ result: pass
+ rule: check-sysctls
+- kind: Deployment
+ policy: restrict-sysctls
+ resources:
+ - baddeployment01
+ result: fail
+ rule: check-sysctls
+- kind: Deployment
+ policy: restrict-sysctls
+ resources:
+ - baddeployment02
+ result: fail
+ rule: check-sysctls
+- kind: Deployment
+ policy: restrict-sysctls
+ resources:
+ - gooddeployment01
+ result: pass
+ rule: check-sysctls
+- kind: Deployment
+ policy: restrict-sysctls
+ resources:
+ - gooddeployment02
+ result: pass
+ rule: check-sysctls
+- kind: Deployment
+ policy: restrict-sysctls
+ resources:
+ - gooddeployment03
+ result: pass
+ rule: check-sysctls
+- kind: Deployment
+ policy: restrict-sysctls
+ resources:
+ - gooddeployment04
+ result: pass
+ rule: check-sysctls
+- kind: Deployment
+ policy: restrict-sysctls
+ resources:
+ - gooddeployment05
+ result: pass
+ rule: check-sysctls
+- kind: Deployment
+ policy: restrict-sysctls
+ resources:
+ - gooddeployment06
+ result: pass
+ rule: check-sysctls
+- kind: Deployment
+ policy: restrict-sysctls
+ resources:
+ - gooddeployment07
+ result: pass
+ rule: check-sysctls
+- kind: CronJob
+ policy: restrict-sysctls
+ resources:
+ - badcronjob01
+ result: fail
+ rule: check-sysctls
+- kind: CronJob
+ policy: restrict-sysctls
+ resources:
+ - badcronjob02
+ result: fail
+ rule: check-sysctls
+- kind: CronJob
+ policy: restrict-sysctls
+ resources:
+ - goodcronjob01
+ result: pass
+ rule: check-sysctls
+- kind: CronJob
+ policy: restrict-sysctls
+ resources:
+ - goodcronjob02
+ result: pass
+ rule: check-sysctls
+- kind: CronJob
+ policy: restrict-sysctls
+ resources:
+ - goodcronjob03
+ result: pass
+ rule: check-sysctls
+- kind: CronJob
+ policy: restrict-sysctls
+ resources:
+ - goodcronjob04
+ result: pass
+ rule: check-sysctls
+- kind: CronJob
+ policy: restrict-sysctls
+ resources:
+ - goodcronjob05
+ result: pass
+ rule: check-sysctls
+- kind: CronJob
+ policy: 
restrict-sysctls
+ resources:
+ - goodcronjob06
+ result: pass
+ rule: check-sysctls
+- kind: CronJob
+ policy: restrict-sysctls
+ resources:
+ - goodcronjob07
+ result: pass
+ rule: check-sysctls
diff --git a/pod-security/restricted/disallow-capabilities-strict/kyverno-test.yaml b/pod-security/restricted/disallow-capabilities-strict/kyverno-test.yaml
index 1bb8c2e79..9a1d6fbd3 100644
--- a/pod-security/restricted/disallow-capabilities-strict/kyverno-test.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/kyverno-test.yaml
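Review bot: The regenerated `results:` list drops the `###### Pods - Bad` / `###### Pods - Good` grouping comments that were the only documentation of how the entries are organized, and the same happens in the disallow-capabilities-strict hunk that follows, where the `## Rule: require-drop-all ##` and `## Rule: adding-capabilities-strict ##` banners disappear as well. The new entries still appear in rule → kind → bad/good order, so a comment can be restored above each group, e.g. `# check-sysctls: Pods - Bad` before the `badpod01` entry. Since every entry now carries a `resources:` list instead of a single `resource:`, entries sharing kind, rule and result could presumably be merged into one entry listing all their resource names (to be confirmed against the CLI's test schema), which would make the grouping self-evident and cut the file roughly in half; the excerpt below shows the two bad Pod entries merged.
```yaml
# check-sysctls: Pods - Bad
- kind: Pod
  policy: restrict-sysctls
  resources:
    - badpod01
    - badpod02
  result: fail
  rule: check-sysctls
# … unchanged: remaining entries, one per resource name …
```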
@@ -1,564 +1,654 @@
 name: disallow-capabilities-strict
 policies:
- - disallow-capabilities-strict.yaml
+- disallow-capabilities-strict.yaml
 resources:
- - resource.yaml
+- resource.yaml
 results:
-############################
-## Rule: require-drop-all ##
-############################
-###### Pods - Bad
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badpod01
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badpod02
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badpod03
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badpod04
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badpod05
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badpod06
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badpod07
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badpod08
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badpod09
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badpod10
- kind: Pod
- result: fail
-###### Pods - Good
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: goodpod01
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: goodpod02
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: goodpod03
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: goodpod04
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- 
resource: goodpod05
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: goodpod06
- kind: Pod
- result: pass
-###### Deployments - Bad
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: baddeployment01
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: baddeployment02
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: baddeployment03
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: baddeployment04
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: baddeployment05
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: baddeployment06
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: baddeployment07
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: baddeployment08
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: baddeployment09
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: baddeployment10
- kind: Deployment
- result: fail
-###### Deployments - Good
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: gooddeployment01
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: gooddeployment02
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: gooddeployment03
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: gooddeployment04
- kind: Deployment
- 
result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: gooddeployment05
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: gooddeployment06
- kind: Deployment
- result: pass
-###### CronJobs - Bad
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badcronjob01
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badcronjob02
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badcronjob03
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badcronjob04
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badcronjob05
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badcronjob06
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badcronjob07
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badcronjob08
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badcronjob09
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: badcronjob10
- kind: CronJob
- result: fail
-###### CronJobs - Good
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: goodcronjob01
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: goodcronjob02
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: goodcronjob03
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: goodcronjob04
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: goodcronjob05
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: require-drop-all
- resource: goodcronjob06
- kind: CronJob
- result: pass
-######################################
-## Rule: adding-capabilities-strict ##
-######################################
-###### Pods - Bad
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badpod01
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badpod02
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badpod03
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badpod04
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badpod05
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badpod06
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badpod07
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badpod08
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badpod09
- kind: Pod
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badpod10
- kind: Pod
- result: fail
-###### Pods - Good
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodpod01
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodpod02
- kind: Pod
- 
result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodpod03
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodpod04
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodpod05
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodpod06
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodpod07
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodpod08
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodpod09
- kind: Pod
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodpod10
- kind: Pod
- result: pass
-###### Deployments - Bad
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-baddeployment01
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-baddeployment02
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-baddeployment03
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-baddeployment04
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-baddeployment05
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-baddeployment06
- kind: Deployment
- result: fail
- - policy: 
disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-baddeployment07
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-baddeployment08
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-baddeployment09
- kind: Deployment
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-baddeployment10
- kind: Deployment
- result: fail
-###### Deployments - Good
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-gooddeployment01
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-gooddeployment02
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-gooddeployment03
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-gooddeployment04
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-gooddeployment05
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-gooddeployment06
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-gooddeployment07
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-gooddeployment08
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-gooddeployment09
- kind: Deployment
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: 
addcap-gooddeployment10
- kind: Deployment
- result: pass
-###### CronJobs - Bad
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badcronjob01
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badcronjob02
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badcronjob03
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badcronjob04
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badcronjob05
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badcronjob06
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badcronjob07
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badcronjob08
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badcronjob09
- kind: CronJob
- result: fail
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-badcronjob10
- kind: CronJob
- result: fail
-###### CronJobs - Good
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodcronjob01
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodcronjob02
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodcronjob03
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- 
resource: addcap-goodcronjob04
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodcronjob05
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodcronjob06
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodcronjob07
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodcronjob08
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodcronjob09
- kind: CronJob
- result: pass
- - policy: disallow-capabilities-strict
- rule: adding-capabilities-strict
- resource: addcap-goodcronjob10
- kind: CronJob
- result: pass
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - badpod01
+ result: fail
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - badpod02
+ result: fail
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - badpod03
+ result: fail
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - badpod04
+ result: fail
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - badpod05
+ result: fail
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - badpod06
+ result: fail
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - badpod07
+ result: fail
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - badpod08
+ result: fail
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - badpod09
+ result: fail
+ rule: require-drop-all
+- kind: Pod
+ policy: 
disallow-capabilities-strict
+ resources:
+ - badpod10
+ result: fail
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - goodpod01
+ result: pass
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - goodpod02
+ result: pass
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - goodpod03
+ result: pass
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - goodpod04
+ result: pass
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - goodpod05
+ result: pass
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - goodpod06
+ result: pass
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - baddeployment01
+ result: fail
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - baddeployment02
+ result: fail
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - baddeployment03
+ result: fail
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - baddeployment04
+ result: fail
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - baddeployment05
+ result: fail
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - baddeployment06
+ result: fail
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - baddeployment07
+ result: fail
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - baddeployment08
+ result: fail
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - baddeployment09
+ result: fail
+ rule: require-drop-all
+- 
kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - baddeployment10
+ result: fail
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - gooddeployment01
+ result: pass
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - gooddeployment02
+ result: pass
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - gooddeployment03
+ result: pass
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - gooddeployment04
+ result: pass
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - gooddeployment05
+ result: pass
+ rule: require-drop-all
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - gooddeployment06
+ result: pass
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - badcronjob01
+ result: fail
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - badcronjob02
+ result: fail
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - badcronjob03
+ result: fail
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - badcronjob04
+ result: fail
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - badcronjob05
+ result: fail
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - badcronjob06
+ result: fail
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - badcronjob07
+ result: fail
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - badcronjob08
+ result: fail
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ 
resources:
+ - badcronjob09
+ result: fail
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - badcronjob10
+ result: fail
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - goodcronjob01
+ result: pass
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - goodcronjob02
+ result: pass
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - goodcronjob03
+ result: pass
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - goodcronjob04
+ result: pass
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - goodcronjob05
+ result: pass
+ rule: require-drop-all
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - goodcronjob06
+ result: pass
+ rule: require-drop-all
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badpod01
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badpod02
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badpod03
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badpod04
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badpod05
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badpod06
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badpod07
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badpod08
+ result: 
fail
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badpod09
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-badpod10
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodpod01
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodpod02
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodpod03
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodpod04
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodpod05
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodpod06
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodpod07
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodpod08
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodpod09
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Pod
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodpod10
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-baddeployment01
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-baddeployment02
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: 
disallow-capabilities-strict
+ resources:
+ - addcap-baddeployment03
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-baddeployment04
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-baddeployment05
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-baddeployment06
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-baddeployment07
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-baddeployment08
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-baddeployment09
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-baddeployment10
+ result: fail
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-gooddeployment01
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-gooddeployment02
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-gooddeployment03
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-gooddeployment04
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-gooddeployment05
+ result: pass
+ rule: adding-capabilities-strict
+- kind: Deployment
+ policy: disallow-capabilities-strict
+ resources:
+ - 
addcap-gooddeployment06 + result: pass + rule: adding-capabilities-strict +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - addcap-gooddeployment07 + result: pass + rule: adding-capabilities-strict +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - addcap-gooddeployment08 + result: pass + rule: adding-capabilities-strict +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - addcap-gooddeployment09 + result: pass + rule: adding-capabilities-strict +- kind: Deployment + policy: disallow-capabilities-strict + resources: + - addcap-gooddeployment10 + result: pass + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-badcronjob01 + result: fail + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-badcronjob02 + result: fail + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-badcronjob03 + result: fail + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-badcronjob04 + result: fail + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-badcronjob05 + result: fail + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-badcronjob06 + result: fail + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-badcronjob07 + result: fail + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-badcronjob08 + result: fail + rule: adding-capabilities-strict +- kind: CronJob + policy: disallow-capabilities-strict + resources: + - addcap-badcronjob09 + result: fail + rule: adding-capabilities-strict +- kind: CronJob + policy: 
disallow-capabilities-strict
+ resources:
+ - addcap-badcronjob10
+ result: fail
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodcronjob01
+ result: pass
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodcronjob02
+ result: pass
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodcronjob03
+ result: pass
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodcronjob04
+ result: pass
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodcronjob05
+ result: pass
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodcronjob06
+ result: pass
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodcronjob07
+ result: pass
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodcronjob08
+ result: pass
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodcronjob09
+ result: pass
+ rule: adding-capabilities-strict
+- kind: CronJob
+ policy: disallow-capabilities-strict
+ resources:
+ - addcap-goodcronjob10
+ result: pass
+ rule: adding-capabilities-strict
diff --git a/pod-security/restricted/disallow-privilege-escalation/kyverno-test.yaml b/pod-security/restricted/disallow-privilege-escalation/kyverno-test.yaml
index 1575a046e..5b5381d05 100644
--- a/pod-security/restricted/disallow-privilege-escalation/kyverno-test.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/kyverno-test.yaml
@@ -1,177 +1,204 @@ name: disallow-privilege-escalation policies: - - disallow-privilege-escalation.yaml +- disallow-privilege-escalation.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badpod01 - kind: Pod - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badpod02 - kind: Pod - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badpod03 - kind: Pod - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badpod04 - kind: Pod - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badpod05 - kind: Pod - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badpod06 - kind: Pod - result: fail -###### Pods - Good - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: goodpod01 - kind: Pod - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: goodpod02 - kind: Pod - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: goodpod03 - kind: Pod - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: goodpod04 - kind: Pod - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: goodpod05 - kind: Pod - result: pass -###### Deployments - Bad - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: baddeployment01 - kind: Deployment - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: baddeployment02 - kind: Deployment - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: baddeployment03 - kind: Deployment - result: fail - - policy: 
disallow-privilege-escalation - rule: privilege-escalation - resource: baddeployment04 - kind: Deployment - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: baddeployment05 - kind: Deployment - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: baddeployment06 - kind: Deployment - result: fail -###### Deployments - Good - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: gooddeployment02 - kind: Deployment - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: gooddeployment04 - kind: Deployment - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: gooddeployment05 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badcronjob01 - kind: CronJob - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badcronjob02 - kind: CronJob - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badcronjob03 - kind: CronJob - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badcronjob04 - kind: CronJob - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badcronjob05 - kind: CronJob - result: fail - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: badcronjob06 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: goodcronjob01 - kind: 
CronJob - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: goodcronjob02 - kind: CronJob - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: disallow-privilege-escalation - rule: privilege-escalation - resource: goodcronjob05 - kind: CronJob - result: pass +- kind: Pod + policy: disallow-privilege-escalation + resources: + - badpod01 + result: fail + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - badpod02 + result: fail + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - badpod03 + result: fail + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - badpod04 + result: fail + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - badpod05 + result: fail + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - badpod06 + result: fail + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - goodpod01 + result: pass + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - goodpod02 + result: pass + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - goodpod03 + result: pass + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - goodpod04 + result: pass + rule: privilege-escalation +- kind: Pod + policy: disallow-privilege-escalation + resources: + - goodpod05 + result: pass + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - baddeployment01 + result: 
fail + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - baddeployment02 + result: fail + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - baddeployment03 + result: fail + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - baddeployment04 + result: fail + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - baddeployment05 + result: fail + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - baddeployment06 + result: fail + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - gooddeployment01 + result: pass + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - gooddeployment02 + result: pass + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - gooddeployment03 + result: pass + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - gooddeployment04 + result: pass + rule: privilege-escalation +- kind: Deployment + policy: disallow-privilege-escalation + resources: + - gooddeployment05 + result: pass + rule: privilege-escalation +- kind: CronJob + policy: disallow-privilege-escalation + resources: + - badcronjob01 + result: fail + rule: privilege-escalation +- kind: CronJob + policy: disallow-privilege-escalation + resources: + - badcronjob02 + result: fail + rule: privilege-escalation +- kind: CronJob + policy: disallow-privilege-escalation + resources: + - badcronjob03 + result: fail + rule: privilege-escalation +- kind: CronJob + policy: disallow-privilege-escalation + resources: + - badcronjob04 + result: fail + rule: privilege-escalation +- kind: CronJob + policy: disallow-privilege-escalation + 
resources:
+ - badcronjob05
+ result: fail
+ rule: privilege-escalation
+- kind: CronJob
+ policy: disallow-privilege-escalation
+ resources:
+ - badcronjob06
+ result: fail
+ rule: privilege-escalation
+- kind: CronJob
+ policy: disallow-privilege-escalation
+ resources:
+ - goodcronjob01
+ result: pass
+ rule: privilege-escalation
+- kind: CronJob
+ policy: disallow-privilege-escalation
+ resources:
+ - goodcronjob02
+ result: pass
+ rule: privilege-escalation
+- kind: CronJob
+ policy: disallow-privilege-escalation
+ resources:
+ - goodcronjob03
+ result: pass
+ rule: privilege-escalation
+- kind: CronJob
+ policy: disallow-privilege-escalation
+ resources:
+ - goodcronjob04
+ result: pass
+ rule: privilege-escalation
+- kind: CronJob
+ policy: disallow-privilege-escalation
+ resources:
+ - goodcronjob05
+ result: pass
+ rule: privilege-escalation
diff --git a/pod-security/restricted/require-run-as-non-root-user/kyverno-test.yaml b/pod-security/restricted/require-run-as-non-root-user/kyverno-test.yaml
index 245010d1f..f26b4fb30 100644
--- a/pod-security/restricted/require-run-as-non-root-user/kyverno-test.yaml
+++ b/pod-security/restricted/require-run-as-non-root-user/kyverno-test.yaml
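Review bot: The rewritten results list drops the `###### Pods - Bad`, `###### Pods - Good`, `###### Deployments - Bad` and similar section comments that the old file used to mark where each good/bad group starts, so a reader scanning the new file has to infer the grouping from resource names alone; the same comments are removed in the require-run-as-non-root-user hunk and at the start of the require-run-as-nonroot hunk that follows. Restoring a short marker such as `# Pods - Bad` above the first `- kind: Pod` entry for badpod01 (and likewise for each group) would keep that documentation. Alternatively, since the new schema's `resources:` key takes a list, each group could be expressed as one result entry listing all its resources, which preserves the grouping structurally and shortens the file considerably. The alphabetically sorted keys suggest the file was regenerated by tooling, so if comments are restored by hand they may be lost on the next regeneration; the list-per-group form would survive that.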
@@ -1,252 +1,294 @@ name: require-run-as-non-root-user policies: - - require-run-as-non-root-user.yaml +- require-run-as-non-root-user.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badpod01 - kind: Pod - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badpod02 - kind: Pod - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badpod03 - kind: Pod - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badpod04 - kind: Pod - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badpod05 - kind: Pod - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badpod06 - kind: Pod - result: fail -###### Pods - Good - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodpod01 - kind: Pod - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodpod02 - kind: Pod - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodpod03 - kind: Pod - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodpod04 - kind: Pod - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodpod05 - kind: Pod - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodpod06 - kind: Pod - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodpod07 - kind: Pod - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodpod08 - kind: Pod - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodpod09 - kind: Pod - 
result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodpod10 - kind: Pod - result: pass -###### Deployments - Bad - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: baddeployment01 - kind: Deployment - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: baddeployment02 - kind: Deployment - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: baddeployment03 - kind: Deployment - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: baddeployment04 - kind: Deployment - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: baddeployment05 - kind: Deployment - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: baddeployment06 - kind: Deployment - result: fail -###### Deployments - Good - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: gooddeployment02 - kind: Deployment - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: gooddeployment04 - kind: Deployment - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: gooddeployment05 - kind: Deployment - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: gooddeployment06 - kind: Deployment - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: gooddeployment07 - kind: Deployment - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: 
gooddeployment08 - kind: Deployment - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: gooddeployment09 - kind: Deployment - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: gooddeployment10 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badcronjob01 - kind: CronJob - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badcronjob02 - kind: CronJob - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badcronjob03 - kind: CronJob - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badcronjob04 - kind: CronJob - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badcronjob05 - kind: CronJob - result: fail - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: badcronjob06 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodcronjob01 - kind: CronJob - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodcronjob02 - kind: CronJob - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodcronjob05 - kind: CronJob - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodcronjob06 - kind: CronJob - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodcronjob07 - kind: CronJob - 
result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodcronjob08 - kind: CronJob - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodcronjob09 - kind: CronJob - result: pass - - policy: require-run-as-non-root-user - rule: run-as-non-root-user - resource: goodcronjob10 - kind: CronJob - result: pass +- kind: Pod + policy: require-run-as-non-root-user + resources: + - badpod01 + result: fail + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - badpod02 + result: fail + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - badpod03 + result: fail + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - badpod04 + result: fail + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - badpod05 + result: fail + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - badpod06 + result: fail + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - goodpod01 + result: pass + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - goodpod02 + result: pass + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - goodpod03 + result: pass + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - goodpod04 + result: pass + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - goodpod05 + result: pass + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - goodpod06 + result: pass + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - goodpod07 + result: pass + rule: run-as-non-root-user +- kind: Pod 
+ policy: require-run-as-non-root-user + resources: + - goodpod08 + result: pass + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - goodpod09 + result: pass + rule: run-as-non-root-user +- kind: Pod + policy: require-run-as-non-root-user + resources: + - goodpod10 + result: pass + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - baddeployment01 + result: fail + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - baddeployment02 + result: fail + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - baddeployment03 + result: fail + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - baddeployment04 + result: fail + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - baddeployment05 + result: fail + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - baddeployment06 + result: fail + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment01 + result: pass + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment02 + result: pass + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment03 + result: pass + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment04 + result: pass + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment05 + result: pass + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment06 + result: pass + rule: run-as-non-root-user +- 
kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment07 + result: pass + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment08 + result: pass + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment09 + result: pass + rule: run-as-non-root-user +- kind: Deployment + policy: require-run-as-non-root-user + resources: + - gooddeployment10 + result: pass + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - badcronjob01 + result: fail + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - badcronjob02 + result: fail + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - badcronjob03 + result: fail + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - badcronjob04 + result: fail + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - badcronjob05 + result: fail + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - badcronjob06 + result: fail + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - goodcronjob01 + result: pass + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - goodcronjob02 + result: pass + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - goodcronjob03 + result: pass + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - goodcronjob04 + result: pass + rule: run-as-non-root-user +- kind: CronJob + policy: require-run-as-non-root-user + resources: + - goodcronjob05 + result: pass + rule: run-as-non-root-user +- kind: CronJob + 
policy: require-run-as-non-root-user
+ resources:
+ - goodcronjob06
+ result: pass
+ rule: run-as-non-root-user
+- kind: CronJob
+ policy: require-run-as-non-root-user
+ resources:
+ - goodcronjob07
+ result: pass
+ rule: run-as-non-root-user
+- kind: CronJob
+ policy: require-run-as-non-root-user
+ resources:
+ - goodcronjob08
+ result: pass
+ rule: run-as-non-root-user
+- kind: CronJob
+ policy: require-run-as-non-root-user
+ resources:
+ - goodcronjob09
+ result: pass
+ rule: run-as-non-root-user
+- kind: CronJob
+ policy: require-run-as-non-root-user
+ resources:
+ - goodcronjob10
+ result: pass
+ rule: run-as-non-root-user
diff --git a/pod-security/restricted/require-run-as-nonroot/kyverno-test.yaml b/pod-security/restricted/require-run-as-nonroot/kyverno-test.yaml
index 13fea0576..d89f23578 100644
--- a/pod-security/restricted/require-run-as-nonroot/kyverno-test.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/kyverno-test.yaml
@@ -1,387 +1,456 @@ name: require-run-as-nonroot policies: - - require-run-as-nonroot.yaml +- require-run-as-nonroot.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod01 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod02 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod03 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod04 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod05 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod06 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod07 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod08 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod09 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod10 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod11 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod12 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod13 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod14 - kind: Pod - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badpod15 - kind: Pod - result: fail -###### Pods - Good - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodpod01 - kind: Pod - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: 
goodpod02 - kind: Pod - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodpod03 - kind: Pod - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodpod04 - kind: Pod - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodpod05 - kind: Pod - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodpod06 - kind: Pod - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodpod07 - kind: Pod - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodpod08 - kind: Pod - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodpod09 - kind: Pod - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodpod10 - kind: Pod - result: pass -###### Deployments - Bad - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment01 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment02 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment03 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment04 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment05 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment06 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment07 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment08 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment09 - kind: 
Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment10 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment11 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment12 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment13 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment14 - kind: Deployment - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: baddeployment15 - kind: Deployment - result: fail -###### Deployments - Good - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: gooddeployment02 - kind: Deployment - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: gooddeployment04 - kind: Deployment - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: gooddeployment05 - kind: Deployment - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: gooddeployment06 - kind: Deployment - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: gooddeployment07 - kind: Deployment - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: gooddeployment08 - kind: Deployment - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: gooddeployment09 - kind: Deployment - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: gooddeployment10 - kind: Deployment - result: pass 
-###### CronJobs - Bad - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob01 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob02 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob03 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob04 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob05 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob06 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob07 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob08 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob09 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob10 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob11 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob12 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob13 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob14 - kind: CronJob - result: fail - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: badcronjob15 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodcronjob01 - kind: CronJob - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodcronjob02 - kind: CronJob - result: 
pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodcronjob05 - kind: CronJob - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodcronjob06 - kind: CronJob - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodcronjob07 - kind: CronJob - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodcronjob08 - kind: CronJob - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodcronjob09 - kind: CronJob - result: pass - - policy: require-run-as-nonroot - rule: run-as-non-root - resource: goodcronjob10 - kind: CronJob - result: pass +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod01 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod02 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod03 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod04 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod05 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod06 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod07 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod08 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod09 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - 
badpod10 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod11 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod12 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod13 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod14 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - badpod15 + result: fail + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod01 + result: pass + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod02 + result: pass + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod03 + result: pass + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod04 + result: pass + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod05 + result: pass + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod06 + result: pass + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod07 + result: pass + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod08 + result: pass + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod09 + result: pass + rule: run-as-non-root +- kind: Pod + policy: require-run-as-nonroot + resources: + - goodpod10 + result: pass + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment01 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment02 + result: fail + rule: run-as-non-root +- kind: Deployment + 
policy: require-run-as-nonroot + resources: + - baddeployment03 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment04 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment05 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment06 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment07 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment08 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment09 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment10 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment11 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment12 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment13 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment14 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - baddeployment15 + result: fail + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment01 + result: pass + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment02 + result: pass + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment03 + result: pass + rule: run-as-non-root +- kind: 
Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment04 + result: pass + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment05 + result: pass + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment06 + result: pass + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment07 + result: pass + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment08 + result: pass + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment09 + result: pass + rule: run-as-non-root +- kind: Deployment + policy: require-run-as-nonroot + resources: + - gooddeployment10 + result: pass + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob01 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob02 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob03 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob04 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob05 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob06 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob07 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob08 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob09 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + 
resources: + - badcronjob10 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob11 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob12 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob13 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob14 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - badcronjob15 + result: fail + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob01 + result: pass + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob02 + result: pass + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob03 + result: pass + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob04 + result: pass + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob05 + result: pass + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob06 + result: pass + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob07 + result: pass + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob08 + result: pass + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob09 + result: pass + rule: run-as-non-root +- kind: CronJob + policy: require-run-as-nonroot + resources: + - goodcronjob10 + result: pass + rule: run-as-non-root 
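Review bot: The new side drops the `###### Pods - Bad`, `###### Pods - Good`, `###### Deployments - Bad/Good` and `###### CronJobs - Bad/Good` section comments that the old side used to mark out the test matrix, so the 60 entries under `results` now read as one undifferentiated run and a reviewer can no longer see at a glance which block of fixtures exercises which outcome of the non-root check. The alphabetised key order (`kind`, `policy`, `resources`, `result`, `rule`) suggests the file was regenerated by a serializer, which would explain the loss, but the markers should be restored by hand above each group, e.g. `# Pods - Bad` above the `badpod01` entry, with a matching comment above `goodpod01`, `baddeployment01`, `gooddeployment01`, `badcronjob01` and `goodcronjob01`. The same comment loss appears in the restrict-seccomp-strict and restrict-volume-types hunks below.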
diff --git a/pod-security/restricted/restrict-seccomp-strict/kyverno-test.yaml b/pod-security/restricted/restrict-seccomp-strict/kyverno-test.yaml
index ae56ddb36..835be5c19 100644
--- a/pod-security/restricted/restrict-seccomp-strict/kyverno-test.yaml
+++ b/pod-security/restricted/restrict-seccomp-strict/kyverno-test.yaml
@@ -1,267 +1,312 @@ name: restrict-seccomp-strict policies: - - restrict-seccomp-strict.yaml +- restrict-seccomp-strict.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badpod01 - kind: Pod - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badpod02 - kind: Pod - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badpod03 - kind: Pod - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badpod04 - kind: Pod - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badpod05 - kind: Pod - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badpod06 - kind: Pod - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badpod07 - kind: Pod - result: fail -###### Pods - Good - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodpod01 - kind: Pod - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodpod02 - kind: Pod - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodpod03 - kind: Pod - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodpod04 - kind: Pod - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodpod05 - kind: Pod - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodpod06 - kind: Pod - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodpod07 - kind: Pod - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodpod08 - kind: Pod - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: 
goodpod09 - kind: Pod - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodpod10 - kind: Pod - result: pass -###### Deployments - Bad - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: baddeployment01 - kind: Deployment - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: baddeployment02 - kind: Deployment - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: baddeployment03 - kind: Deployment - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: baddeployment04 - kind: Deployment - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: baddeployment05 - kind: Deployment - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: baddeployment06 - kind: Deployment - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: baddeployment07 - kind: Deployment - result: fail -###### Deployments - Good - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: gooddeployment01 - kind: Deployment - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: gooddeployment02 - kind: Deployment - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: gooddeployment04 - kind: Deployment - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: gooddeployment05 - kind: Deployment - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: gooddeployment06 - kind: Deployment - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: gooddeployment07 - kind: Deployment - result: pass - - 
policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: gooddeployment08 - kind: Deployment - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: gooddeployment09 - kind: Deployment - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: gooddeployment10 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badcronjob01 - kind: CronJob - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badcronjob02 - kind: CronJob - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badcronjob03 - kind: CronJob - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badcronjob04 - kind: CronJob - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badcronjob05 - kind: CronJob - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badcronjob06 - kind: CronJob - result: fail - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: badcronjob07 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodcronjob01 - kind: CronJob - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodcronjob02 - kind: CronJob - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodcronjob05 - kind: CronJob - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodcronjob06 - kind: CronJob - 
result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodcronjob07 - kind: CronJob - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodcronjob08 - kind: CronJob - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodcronjob09 - kind: CronJob - result: pass - - policy: restrict-seccomp-strict - rule: check-seccomp-strict - resource: goodcronjob10 - kind: CronJob - result: pass +- kind: Pod + policy: restrict-seccomp-strict + resources: + - badpod01 + result: fail + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - badpod02 + result: fail + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - badpod03 + result: fail + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - badpod04 + result: fail + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - badpod05 + result: fail + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - badpod06 + result: fail + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - badpod07 + result: fail + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod01 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod02 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod03 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod04 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod05 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod06 + result: pass 
+ rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod07 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod08 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod09 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod10 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - baddeployment01 + result: fail + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - baddeployment02 + result: fail + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - baddeployment03 + result: fail + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - baddeployment04 + result: fail + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - baddeployment05 + result: fail + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - baddeployment06 + result: fail + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - baddeployment07 + result: fail + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment01 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment02 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment03 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment04 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict 
+ resources: + - gooddeployment05 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment06 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment07 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment08 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment09 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment10 + result: pass + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - badcronjob01 + result: fail + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - badcronjob02 + result: fail + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - badcronjob03 + result: fail + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - badcronjob04 + result: fail + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - badcronjob05 + result: fail + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - badcronjob06 + result: fail + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - badcronjob07 + result: fail + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob01 + result: pass + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob02 + result: pass + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob03 + result: pass + rule: check-seccomp-strict +- kind: 
CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob04 + result: pass + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob05 + result: pass + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob06 + result: pass + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob07 + result: pass + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob08 + result: pass + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob09 + result: pass + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob10 + result: pass + rule: check-seccomp-strict diff --git a/pod-security/restricted/restrict-volume-types/kyverno-test.yaml b/pod-security/restricted/restrict-volume-types/kyverno-test.yaml index c6a304a9c..b59366590 100644 --- a/pod-security/restricted/restrict-volume-types/kyverno-test.yaml +++ b/pod-security/restricted/restrict-volume-types/kyverno-test.yaml 
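Review bot: Every entry under `results` still carries exactly one name in its `resources` list, so the migration keeps seven Pod `fail` entries and ten Pod `pass` entries that differ only in the fixture name (likewise for Deployment and CronJob), which is where the 45-line growth in the hunk header comes from. The list form this commit adopts exists so that one entry can name several resources, so each kind-and-outcome group could collapse into a single entry; that also makes a fixture that is present in `resource.yaml` but absent from the expectations stand out at review time, which matters for a policy whose purpose is to reject unsafe seccomp settings. The same consolidation applies to the require-run-as-nonroot hunk above. I can't tell from the hunk whether the repo's test tooling relies on one entry per resource; if it does, keep the current shape.
```yaml
results:
- kind: Pod
  policy: restrict-seccomp-strict
  resources:
  - badpod01
  - badpod02
  - badpod03
  - badpod04
  - badpod05
  - badpod06
  - badpod07
  result: fail
  rule: check-seccomp-strict
- kind: Pod
  policy: restrict-seccomp-strict
  resources:
  - goodpod01
  - goodpod02
  - goodpod03
  - goodpod04
  - goodpod05
  - goodpod06
  - goodpod07
  - goodpod08
  - goodpod09
  - goodpod10
  result: pass
  rule: check-seccomp-strict
# … unchanged in content: the Deployment and CronJob entries, consolidated the same way …
```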
@@ -1,447 +1,528 @@ name: restrict-volume-types policies: - - restrict-volume-types.yaml +- restrict-volume-types.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod01 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod02 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod03 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod04 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod05 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod06 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod07 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod08 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod09 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod10 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod11 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod12 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod13 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod14 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod15 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod16 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - 
resource: badpod17 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod18 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod19 - kind: Pod - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badpod20 - kind: Pod - result: fail -###### Pods - Good - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodpod01 - kind: Pod - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodpod02 - kind: Pod - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodpod03 - kind: Pod - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodpod04 - kind: Pod - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodpod05 - kind: Pod - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodpod06 - kind: Pod - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodpod07 - kind: Pod - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodpod08 - kind: Pod - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodpod09 - kind: Pod - result: pass -###### Deployments - Bad - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment01 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment02 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment03 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment04 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment05 - kind: 
Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment06 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment07 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment08 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment09 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment10 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment11 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment12 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment13 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment14 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment15 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment16 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment17 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment18 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment19 - kind: Deployment - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: baddeployment20 - kind: Deployment - result: fail -###### Deployments - Good - - policy: restrict-volume-types - rule: restricted-volumes - resource: gooddeployment01 - kind: 
Deployment - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: gooddeployment02 - kind: Deployment - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: gooddeployment03 - kind: Deployment - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: gooddeployment04 - kind: Deployment - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: gooddeployment05 - kind: Deployment - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: gooddeployment06 - kind: Deployment - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: gooddeployment07 - kind: Deployment - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: gooddeployment08 - kind: Deployment - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: gooddeployment09 - kind: Deployment - result: pass -###### CronJobs - Bad - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob01 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob02 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob03 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob04 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob05 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob06 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob07 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob08 - kind: CronJob - result: fail - - policy: 
restrict-volume-types - rule: restricted-volumes - resource: badcronjob09 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob10 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob11 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob12 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob13 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob14 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob15 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob16 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob17 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob18 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob19 - kind: CronJob - result: fail - - policy: restrict-volume-types - rule: restricted-volumes - resource: badcronjob20 - kind: CronJob - result: fail -###### CronJobs - Good - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodcronjob01 - kind: CronJob - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodcronjob02 - kind: CronJob - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodcronjob03 - kind: CronJob - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodcronjob04 - kind: CronJob - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodcronjob05 - kind: CronJob - 
result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodcronjob06 - kind: CronJob - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodcronjob07 - kind: CronJob - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodcronjob08 - kind: CronJob - result: pass - - policy: restrict-volume-types - rule: restricted-volumes - resource: goodcronjob09 - kind: CronJob - result: pass +- kind: Pod + policy: restrict-volume-types + resources: + - badpod01 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod02 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod03 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod04 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod05 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod06 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod07 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod08 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod09 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod10 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod11 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod12 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod13 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types 
+ resources: + - badpod14 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod15 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod16 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod17 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod18 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod19 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - badpod20 + result: fail + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - goodpod01 + result: pass + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - goodpod02 + result: pass + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - goodpod03 + result: pass + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - goodpod04 + result: pass + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - goodpod05 + result: pass + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - goodpod06 + result: pass + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - goodpod07 + result: pass + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - goodpod08 + result: pass + rule: restricted-volumes +- kind: Pod + policy: restrict-volume-types + resources: + - goodpod09 + result: pass + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment01 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment02 + result: fail 
+ rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment03 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment04 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment05 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment06 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment07 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment08 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment09 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment10 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment11 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment12 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment13 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment14 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment15 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment16 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment17 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + 
- baddeployment18 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment19 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - baddeployment20 + result: fail + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - gooddeployment01 + result: pass + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - gooddeployment02 + result: pass + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - gooddeployment03 + result: pass + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - gooddeployment04 + result: pass + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - gooddeployment05 + result: pass + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - gooddeployment06 + result: pass + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - gooddeployment07 + result: pass + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - gooddeployment08 + result: pass + rule: restricted-volumes +- kind: Deployment + policy: restrict-volume-types + resources: + - gooddeployment09 + result: pass + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob01 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob02 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob03 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob04 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types 
+ resources: + - badcronjob05 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob06 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob07 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob08 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob09 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob10 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob11 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob12 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob13 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob14 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob15 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob16 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob17 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob18 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob19 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - badcronjob20 + result: fail + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - goodcronjob01 + result: pass + rule: 
restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - goodcronjob02 + result: pass + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - goodcronjob03 + result: pass + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - goodcronjob04 + result: pass + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - goodcronjob05 + result: pass + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - goodcronjob06 + result: pass + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - goodcronjob07 + result: pass + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - goodcronjob08 + result: pass + rule: restricted-volumes +- kind: CronJob + policy: restrict-volume-types + resources: + - goodcronjob09 + result: pass + rule: restricted-volumes diff --git a/pod-security/subrule/podsecurity-subrule-baseline/kyverno-test.yaml b/pod-security/subrule/podsecurity-subrule-baseline/kyverno-test.yaml index 4d3696541..f25c70d42 100644 --- a/pod-security/subrule/podsecurity-subrule-baseline/kyverno-test.yaml +++ b/pod-security/subrule/podsecurity-subrule-baseline/kyverno-test.yaml @@ -1,16 +1,18 @@ name: podsecurity-subrule-baseline policies: - - podsecurity-subrule-baseline.yaml +- podsecurity-subrule-baseline.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: podsecurity-subrule-baseline - rule: baseline - resource: badpod01 - kind: Pod - result: fail - - policy: podsecurity-subrule-baseline - rule: baseline - resource: goodpod01 - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: podsecurity-subrule-baseline + resources: + - badpod01 + result: fail + rule: baseline +- kind: Pod + policy: podsecurity-subrule-baseline + resources: + - goodpod01 + result: pass + rule: baseline 
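Review bot: The new side of the restrict-volume-types results drops the `###### Pods - Bad`, `###### Pods - Good`, Deployments and CronJobs section markers the old side carried, so the 87-entry list now has no visual grouping between the fail and pass cases; the same markers are lost in the psp-restrict-adding-capabilities hunk later in this diff. If the rewrite came from an automated fixer (the alphabetical key order `kind`, `policy`, `resources`, `result`, `rule` suggests it), re-adding them as `# Pods - Bad` and so on above the first entry of each group restores the grouping without affecting parsing. Since `resources` is now a list, entries that share kind, policy, rule and expected result could instead be collapsed into one entry per group, which keeps the grouping in the data itself; I have not confirmed from this diff that the CLI then reports per resource inside such an entry, so check that a failure still names the offending resource before consolidating. The hunk header counts (-447/+528) are consistent with all 87 entries being preserved, so the change itself looks complete.
```yaml
results:
# Pods - Bad
- kind: Pod
  policy: restrict-volume-types
  resources:
  - badpod01
  - badpod02
  # … badpod03 through badpod20 …
  result: fail
  rule: restricted-volumes
# … unchanged in shape: Pods - Good, Deployments and CronJobs groups, consolidated the same way …
```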
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/kyverno-test.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/kyverno-test.yaml index 083b04b11..a66f5a8c3 100644 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/kyverno-test.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/kyverno-test.yaml @@ -1,16 +1,18 @@ name: podsecurity-subrule-restricted-capabilities policies: - - restricted-exclude-capabilities.yaml +- restricted-exclude-capabilities.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: podsecurity-subrule-restricted-capabilities - rule: restricted-exempt-capabilities - resource: badpod01 - kind: Pod - result: fail - - policy: podsecurity-subrule-restricted-capabilities - rule: restricted-exempt-capabilities - resource: goodpod01 - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: podsecurity-subrule-restricted-capabilities + resources: + - badpod01 + result: fail + rule: restricted-exempt-capabilities +- kind: Pod + policy: podsecurity-subrule-restricted-capabilities + resources: + - goodpod01 + result: pass + rule: restricted-exempt-capabilities diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/kyverno-test.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/kyverno-test.yaml index 3c0278a56..2077b9220 100644 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/kyverno-test.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/kyverno-test.yaml 
@@ -1,16 +1,18 @@ name: podsecurity-subrule-restricted-seccomp policies: - - restricted-exclude-seccomp.yaml +- restricted-exclude-seccomp.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: podsecurity-subrule-restricted-seccomp - rule: restricted-exempt-seccomp - resource: badpod01 - kind: Pod - result: fail - - policy: podsecurity-subrule-restricted-seccomp - rule: restricted-exempt-seccomp - resource: goodpod01 - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: podsecurity-subrule-restricted-seccomp + resources: + - badpod01 + result: fail + rule: restricted-exempt-seccomp +- kind: Pod + policy: podsecurity-subrule-restricted-seccomp + resources: + - goodpod01 + result: pass + rule: restricted-exempt-seccomp diff --git a/pod-security/subrule/restricted/restricted-latest/kyverno-test.yaml b/pod-security/subrule/restricted/restricted-latest/kyverno-test.yaml index 2f6df5325..00f3fb8ed 100644 --- a/pod-security/subrule/restricted/restricted-latest/kyverno-test.yaml +++ b/pod-security/subrule/restricted/restricted-latest/kyverno-test.yaml @@ -1,16 +1,18 @@ name: restricted-latest policies: - - restricted-latest.yaml +- restricted-latest.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: podsecurity-subrule-restricted - rule: restricted - resource: badpod01 - kind: Pod - result: fail - - policy: podsecurity-subrule-restricted - rule: restricted - resource: goodpod01 - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: podsecurity-subrule-restricted + resources: + - badpod01 + result: fail + rule: restricted +- kind: Pod + policy: podsecurity-subrule-restricted + resources: + - goodpod01 + result: pass + rule: restricted diff --git a/psa/add-psa-labels/kyverno-test.yaml b/psa/add-psa-labels/kyverno-test.yaml index 489d055af..142afdd6c 100644 --- a/psa/add-psa-labels/kyverno-test.yaml +++ b/psa/add-psa-labels/kyverno-test.yaml 
@@ -1,19 +1,21 @@ name: add-psa-labels policies: - - add-psa-labels.yaml +- add-psa-labels.yaml resources: - - resource.yaml - - resourcefail.yaml +- resource.yaml +- resourcefail.yaml results: - - policy: add-psa-labels - rule: add-baseline-enforce-restricted-warn - resource: test - patchedResource: patchedResource.yaml - kind: Namespace - result: pass - - policy: add-psa-labels - rule: add-baseline-enforce-restricted-warn - resource: test-fail - patchedResource: patchedResourcefail.yaml - kind: Namespace - result: fail +- kind: Namespace + patchedResource: patchedResource.yaml + policy: add-psa-labels + resources: + - test + result: pass + rule: add-baseline-enforce-restricted-warn +- kind: Namespace + patchedResource: patchedResourcefail.yaml + policy: add-psa-labels + resources: + - test-fail + result: fail + rule: add-baseline-enforce-restricted-warn diff --git a/psp-migration/add-apparmor/kyverno-test.yaml b/psp-migration/add-apparmor/kyverno-test.yaml index 5fb356c72..eba865c97 100644 --- a/psp-migration/add-apparmor/kyverno-test.yaml +++ b/psp-migration/add-apparmor/kyverno-test.yaml @@ -1,18 +1,20 @@ name: add-apparmor-annotations policies: - - add-apparmor.yaml +- add-apparmor.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-apparmor-annotations - rule: apparmor-runtime-default - resource: pod01 - kind: Pod - patchedResource: patchedResource1.yaml - result: pass - - policy: add-apparmor-annotations - rule: apparmor-runtime-default - resource: pod02 - kind: Pod - patchedResource: patchedResource2.yaml - result: pass +- kind: Pod + patchedResource: patchedResource1.yaml + policy: add-apparmor-annotations + resources: + - pod01 + result: pass + rule: apparmor-runtime-default +- kind: Pod + patchedResource: patchedResource2.yaml + policy: add-apparmor-annotations + resources: + - pod02 + result: pass + rule: apparmor-runtime-default 
diff --git a/psp-migration/add-capabilities/kyverno-test.yaml b/psp-migration/add-capabilities/kyverno-test.yaml index e3231f7f2..826be4e87 100644 --- a/psp-migration/add-capabilities/kyverno-test.yaml +++ b/psp-migration/add-capabilities/kyverno-test.yaml @@ -1,18 +1,20 @@ name: add-capabilities policies: - - add-capabilities.yaml +- add-capabilities.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-capabilities - rule: add-setfcap-setuid - resource: pod01 - kind: Pod - patchedResource: patchedResource1.yaml - result: pass - - policy: add-capabilities - rule: add-setfcap-setuid - resource: pod02 - kind: Pod - patchedResource: patchedResource2.yaml - result: pass +- kind: Pod + patchedResource: patchedResource1.yaml + policy: add-capabilities + resources: + - pod01 + result: pass + rule: add-setfcap-setuid +- kind: Pod + patchedResource: patchedResource2.yaml + policy: add-capabilities + resources: + - pod02 + result: pass + rule: add-setfcap-setuid diff --git a/psp-migration/add-runtimeClassName/kyverno-test.yaml b/psp-migration/add-runtimeClassName/kyverno-test.yaml index 68790ffc1..261554c73 100644 --- a/psp-migration/add-runtimeClassName/kyverno-test.yaml +++ b/psp-migration/add-runtimeClassName/kyverno-test.yaml @@ -1,12 +1,13 @@ name: add-runtimeClassName policies: - - add-runtimeClassName.yaml +- add-runtimeClassName.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-runtimeclassname - rule: add-prodclass - resource: pod01 - kind: Pod - patchedResource: patchedResource1.yaml - result: pass \ No newline at end of file +- kind: Pod + patchedResource: patchedResource1.yaml + policy: add-runtimeclassname + resources: + - pod01 + result: pass + rule: add-prodclass diff --git a/psp-migration/check-supplemental-groups/kyverno-test.yaml b/psp-migration/check-supplemental-groups/kyverno-test.yaml index d483b0c48..bd81ce4da 100644 --- a/psp-migration/check-supplemental-groups/kyverno-test.yaml 
+++ b/psp-migration/check-supplemental-groups/kyverno-test.yaml @@ -1,16 +1,18 @@ name: psp-check-supplemental-groups policies: - - check-supplemental-groups.yaml +- check-supplemental-groups.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: psp-check-supplemental-groups - rule: supplementalgroup-ranges - resource: badpod01 - kind: Pod - result: fail - - policy: psp-check-supplemental-groups - rule: supplementalgroup-ranges - resource: goodpod01 - kind: Pod - result: pass +- kind: Pod + policy: psp-check-supplemental-groups + resources: + - badpod01 + result: fail + rule: supplementalgroup-ranges +- kind: Pod + policy: psp-check-supplemental-groups + resources: + - goodpod01 + result: pass + rule: supplementalgroup-ranges diff --git a/psp-migration/restrict-adding-capabilities/kyverno-test.yaml b/psp-migration/restrict-adding-capabilities/kyverno-test.yaml index ff424e05f..f43535bd9 100644 --- a/psp-migration/restrict-adding-capabilities/kyverno-test.yaml +++ b/psp-migration/restrict-adding-capabilities/kyverno-test.yaml 
@@ -1,108 +1,126 @@
 name: psp-restrict-adding-capabilities
 policies:
-  - restrict-adding-capabilities.yaml
+- restrict-adding-capabilities.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-###### Pods - Bad
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-badpod01
-    kind: Pod
-    result: fail
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-badpod02
-    kind: Pod
-    result: fail
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-badpod03
-    kind: Pod
-    result: fail
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-badpod04
-    kind: Pod
-    result: fail
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-badpod05
-    kind: Pod
-    result: fail
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-badpod06
-    kind: Pod
-    result: fail
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-badpod07
-    kind: Pod
-    result: fail
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-badpod08
-    kind: Pod
-    result: fail
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-badpod09
-    kind: Pod
-    result: fail
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-badpod10
-    kind: Pod
-    result: fail
-###### Pods - Good
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-goodpod01
-    kind: Pod
-    result: pass
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-goodpod02
-    kind: Pod
-    result: pass
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-goodpod03
-    kind: Pod
-    result: pass
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-goodpod04
-    kind: Pod
-    result: pass
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-goodpod05
-    kind: Pod
-    result: pass
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-goodpod06
-    kind: Pod
-    result: pass
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-goodpod07
-    kind: Pod
-    result: pass
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-goodpod08
-    kind: Pod
-    result: pass
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-goodpod09
-    kind: Pod
-    result: pass
-  - policy: psp-restrict-adding-capabilities
-    rule: allowed-capabilities
-    resource: addcap-goodpod10
-    kind: Pod
-    result: pass
\ No newline at end of file
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-badpod01
+  result: fail
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-badpod02
+  result: fail
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-badpod03
+  result: fail
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-badpod04
+  result: fail
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-badpod05
+  result: fail
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-badpod06
+  result: fail
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-badpod07
+  result: fail
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-badpod08
+  result: fail
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-badpod09
+  result: fail
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-badpod10
+  result: fail
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-goodpod01
+  result: pass
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-goodpod02
+  result: pass
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-goodpod03
+  result: pass
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-goodpod04
+  result: pass
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-goodpod05
+  result: pass
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-goodpod06
+  result: pass
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-goodpod07
+  result: pass
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-goodpod08
+  result: pass
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-goodpod09
+  result: pass
+  rule: allowed-capabilities
+- kind: Pod
+  policy: psp-restrict-adding-capabilities
+  resources:
+  - addcap-goodpod10
+  result: pass
+  rule: allowed-capabilities
diff --git a/psp-migration/restrict-runtimeClassName/kyverno-test.yaml b/psp-migration/restrict-runtimeClassName/kyverno-test.yaml
index 8d7d5a4a8..f9dadae6d 100644
--- a/psp-migration/restrict-runtimeClassName/kyverno-test.yaml
+++ b/psp-migration/restrict-runtimeClassName/kyverno-test.yaml
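Review bot: The new `resources:` key is a list, yet every one of the twenty entries in the new side carries exactly one name, so the same `kind`/`policy`/`result`/`rule` quadruple is repeated ten times for the bad pods and ten times for the good pods. If the CLI accepts several names per entry (the list form strongly suggests it does), the whole `results:` block collapses to two entries, one asserting `fail` for addcap-badpod01–10 and one asserting `pass` for addcap-goodpod01–10, which also makes it immediately visible which pods are expected to be denied. The removed `###### Pods - Bad` / `###### Pods - Good` markers were the only thing separating those two groups in the old file; with the collapsed form they come back naturally as `# Pods - Bad` and `# Pods - Good` comments above each entry. The same consolidation applies to the restrict-runtimeClassName hunk (goodpod01–03) and the block-velero-restore hunk (two `pass` entries) below.
```yaml
results:
# Pods - Bad
- kind: Pod
  policy: psp-restrict-adding-capabilities
  resources:
  - addcap-badpod01
  - addcap-badpod02
  - addcap-badpod03
  - addcap-badpod04
  - addcap-badpod05
  - addcap-badpod06
  - addcap-badpod07
  - addcap-badpod08
  - addcap-badpod09
  - addcap-badpod10
  result: fail
  rule: allowed-capabilities
# Pods - Good
- kind: Pod
  policy: psp-restrict-adding-capabilities
  resources:
  - addcap-goodpod01
  - addcap-goodpod02
  - addcap-goodpod03
  - addcap-goodpod04
  - addcap-goodpod05
  - addcap-goodpod06
  - addcap-goodpod07
  - addcap-goodpod08
  - addcap-goodpod09
  - addcap-goodpod10
  result: pass
  rule: allowed-capabilities
```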
@@ -1,26 +1,30 @@
 name: restrict-runtimeclass
 policies:
-  - restrict-runtimeClassName.yaml
+- restrict-runtimeClassName.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: restrict-runtimeclass
-    rule: prodclass-or-expclass
-    resource: badpod01
-    kind: Pod
-    result: fail
-  - policy: restrict-runtimeclass
-    rule: prodclass-or-expclass
-    resource: goodpod01
-    kind: Pod
-    result: pass
-  - policy: restrict-runtimeclass
-    rule: prodclass-or-expclass
-    resource: goodpod02
-    kind: Pod
-    result: pass
-  - policy: restrict-runtimeclass
-    rule: prodclass-or-expclass
-    resource: goodpod03
-    kind: Pod
-    result: pass
+- kind: Pod
+  policy: restrict-runtimeclass
+  resources:
+  - badpod01
+  result: fail
+  rule: prodclass-or-expclass
+- kind: Pod
+  policy: restrict-runtimeclass
+  resources:
+  - goodpod01
+  result: pass
+  rule: prodclass-or-expclass
+- kind: Pod
+  policy: restrict-runtimeclass
+  resources:
+  - goodpod02
+  result: pass
+  rule: prodclass-or-expclass
+- kind: Pod
+  policy: restrict-runtimeclass
+  resources:
+  - goodpod03
+  result: pass
+  rule: prodclass-or-expclass
diff --git a/traefik/disallow-default-tlsoptions/kyverno-test.yaml b/traefik/disallow-default-tlsoptions/kyverno-test.yaml
index dd8491500..9a1284cd8 100644
--- a/traefik/disallow-default-tlsoptions/kyverno-test.yaml
+++ b/traefik/disallow-default-tlsoptions/kyverno-test.yaml
@@ -1,12 +1,12 @@
 name: disallow-default-tlsoptions
 policies:
-  - disallow-default-tlsoptions.yaml
+- disallow-default-tlsoptions.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: disallow-default-tlsoptions
-    rule: disallow-default-tlsoptions
-    resource: default
-    kind: TLSOption
-    result: fail
-
\ No newline at end of file
+- kind: TLSOption
+  policy: disallow-default-tlsoptions
+  resources:
+  - default
+  result: fail
+  rule: disallow-default-tlsoptions
diff --git a/velero/backup-all-volumes/kyverno-test.yaml b/velero/backup-all-volumes/kyverno-test.yaml
index af21bb3d7..e8d5b39c0 100644
--- a/velero/backup-all-volumes/kyverno-test.yaml
+++ b/velero/backup-all-volumes/kyverno-test.yaml
@@ -1,34 +1,31 @@
 name: backup-all-volumes
 policies:
-  - backup-all-volumes.yaml
+- backup-all-volumes.yaml
 resources:
-  - resource.yaml
-variables: values.yaml
+- resource.yaml
 results:
-  - policy: backup-all-volumes
-    rule: backup-velero-pv
-    resource: first
-    kind: Pod
-    namespace: foo
-    patchedResource: patchedResource.yaml
-    result: pass
-  # - policy: backup-all-volumes
-  # rule: backup-velero-pv
-  # resource: second
-  # kind: Pod
-  # namespace: bar
-  # result: skip
-  - policy: backup-all-volumes
-    rule: backup-velero-pv
-    resource: third
-    kind: Pod
-    namespace: foo
-    patchedResource: patchedResource-third.yaml
-    result: pass
-  - policy: backup-all-volumes
-    rule: autogen-backup-velero-pv
-    resource: fourth
-    kind: Deployment
-    namespace: foo
-    patchedResource: patchedResource-fourth.yaml
-    result: pass
+- kind: Pod
+  namespace: foo
+  patchedResource: patchedResource.yaml
+  policy: backup-all-volumes
+  resources:
+  - first
+  result: pass
+  rule: backup-velero-pv
+- kind: Pod
+  namespace: foo
+  patchedResource: patchedResource-third.yaml
+  policy: backup-all-volumes
+  resources:
+  - third
+  result: pass
+  rule: backup-velero-pv
+- kind: Deployment
+  namespace: foo
+  patchedResource: patchedResource-fourth.yaml
+  policy: backup-all-volumes
+  resources:
+  - fourth
+  result: pass
+  rule: autogen-backup-velero-pv
+variables: values.yaml
diff --git a/velero/block-velero-restore/kyverno-test.yaml b/velero/block-velero-restore/kyverno-test.yaml
index 300a0d2ab..2cfc47ef3 100644
--- a/velero/block-velero-restore/kyverno-test.yaml
+++ b/velero/block-velero-restore/kyverno-test.yaml
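Review bot: The commented-out expectation for resource `second` (namespace `bar`, expected `skip`) is dropped from the new side rather than migrated to the `resources:` schema, so the one case that documented the policy's negative path (a Pod the mutation should not touch) now leaves no trace in the test file. It was never an active assertion, so no test result changes, but if `second` is still defined in resource.yaml (not visible here) it is now exercised with no recorded expectation, and a regression that starts mutating Pods in non-matching namespaces would go unnoticed. Either reinstate it as an active entry with `result: skip`, or remove `second` from resource.yaml so the fixture and expectations stay in step. Moving `variables: values.yaml` to the end of the document is harmless, mappings being unordered.
```yaml
# … unchanged: first / third / fourth entries …
- kind: Pod
  namespace: bar
  policy: backup-all-volumes
  resources:
  - second
  result: skip
  rule: backup-velero-pv
```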
@@ -1,21 +1,24 @@
 name: block-velero-restore
 policies:
-  - block-velero-restore.yaml
+- block-velero-restore.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: block-velero-restore
-    rule: block-velero-restore-to-protected-namespace
-    resource: badrestore01
-    kind: Restore
-    result: fail
-  - policy: block-velero-restore
-    rule: block-velero-restore-to-protected-namespace
-    resource: restore-without-namespace-mapping
-    kind: Restore
-    result: pass
-  - policy: block-velero-restore
-    rule: block-velero-restore-to-protected-namespace
-    resource: goodrestore01
-    kind: Restore
-    result: pass
+- kind: Restore
+  policy: block-velero-restore
+  resources:
+  - badrestore01
+  result: fail
+  rule: block-velero-restore-to-protected-namespace
+- kind: Restore
+  policy: block-velero-restore
+  resources:
+  - restore-without-namespace-mapping
+  result: pass
+  rule: block-velero-restore-to-protected-namespace
+- kind: Restore
+  policy: block-velero-restore
+  resources:
+  - goodrestore01
+  result: pass
+  rule: block-velero-restore-to-protected-namespace
diff --git a/velero/validate-cron-schedule/kyverno-test.yaml b/velero/validate-cron-schedule/kyverno-test.yaml
index a623cc75e..cfc076b43 100644
--- a/velero/validate-cron-schedule/kyverno-test.yaml
+++ b/velero/validate-cron-schedule/kyverno-test.yaml
@@ -1,16 +1,18 @@
 name: validate-cron-schedule
 policies:
-  - validate-cron-schedule.yaml
+- validate-cron-schedule.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: validate-cron-schedule
-    rule: validate-cron
-    resource: goodschedule01
-    kind: Schedule
-    result: pass
-  - policy: validate-cron-schedule
-    rule: validate-cron
-    resource: badschedule01
-    kind: Schedule
-    result: fail
\ No newline at end of file
+- kind: Schedule
+  policy: validate-cron-schedule
+  resources:
+  - goodschedule01
+  result: pass
+  rule: validate-cron
+- kind: Schedule
+  policy: validate-cron-schedule
+  resources:
+  - badschedule01
+  result: fail
+  rule: validate-cron