From 6b96903a7e81e7b246183f6a11947c8c4d44622e Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 5 Nov 2023 20:30:38 -0800 Subject: [PATCH] add playground samples (#200) * add playground samples Signed-off-by: Jim Bugwadia * make codegen Signed-off-by: Jim Bugwadia --------- Signed-off-by: Jim Bugwadia --- pkg/server/ui/dist/assets/data.json | 14 +++++++++++++- playground-examples.yaml | 11 +++++++++-- website/playground/assets/data.json | 14 +++++++++++++- 3 files changed, 35 insertions(+), 4 deletions(-) diff --git a/pkg/server/ui/dist/assets/data.json b/pkg/server/ui/dist/assets/data.json index a7fbc437..b5e58f19 100644 --- a/pkg/server/ui/dist/assets/data.json +++ b/pkg/server/ui/dist/assets/data.json @@ -1,7 +1,19 @@ { "examples": [ { - "category": "dockerfile", + "category": "Terraform", + "name": "terraform-s3", + "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: s3\nspec:\n rules:\n - name: check-tags\n assert:\n all:\n - check:\n planned_values:\n root_module:\n ~.resources:\n values:\n (keys(tags_all)):\n (contains(@, 'Environment')): true\n (contains(@, 'Name')): true\n (contains(@, 'Team')): true", + "payload": "configuration:\n provider_config:\n aws:\n expressions:\n region:\n constant_value: us-west-2\n full_name: registry.terraform.io/hashicorp/aws\n name: aws\n version_constraint: ~\u003e 4.16\n root_module:\n resources:\n - address: aws_s3_bucket.example\n expressions:\n bucket:\n constant_value: my-tf-test-bucket\n tags:\n constant_value:\n Environment: Dev\n Name: My bucket\n mode: managed\n name: example\n provider_config_key: aws\n schema_version: 0\n type: aws_s3_bucket\nformat_version: \"1.2\"\nplanned_values:\n root_module:\n resources:\n - address: aws_s3_bucket.example\n mode: managed\n name: example\n provider_name: registry.terraform.io/hashicorp/aws\n schema_version: 0\n sensitive_values:\n cors_rule: []\n grant: []\n lifecycle_rule: []\n logging: []\n object_lock_configuration: []\n replication_configuration: []\n server_side_encryption_configuration: []\n tags: {}\n tags_all: {}\n versioning: []\n website: []\n type: aws_s3_bucket\n values:\n bucket: my-tf-test-bucket\n force_destroy: false\n tags:\n Environment: Dev\n Name: My bucket\n tags_all:\n Environment: Dev\n Name: My bucket\n timeouts: null\nresource_changes:\n- address: aws_s3_bucket.example\n change:\n actions:\n - create\n after:\n bucket: my-tf-test-bucket\n force_destroy: false\n tags:\n Environment: Dev\n Name: My bucket\n tags_all:\n Environment: Dev\n Name: My bucket\n timeouts: null\n after_sensitive:\n cors_rule: []\n grant: []\n lifecycle_rule: []\n logging: []\n object_lock_configuration: []\n replication_configuration: []\n server_side_encryption_configuration: []\n tags: {}\n tags_all: {}\n versioning: []\n website: []\n after_unknown:\n acceleration_status: true\n acl: true\n arn: true\n bucket_domain_name: true\n bucket_prefix: true\n bucket_regional_domain_name: true\n cors_rule: true\n grant: true\n hosted_zone_id: true\n id: true\n lifecycle_rule: true\n logging: true\n object_lock_configuration: true\n object_lock_enabled: true\n policy: true\n region: true\n replication_configuration: true\n request_payer: true\n server_side_encryption_configuration: true\n tags: {}\n tags_all: {}\n versioning: true\n website: true\n website_domain: true\n website_endpoint: true\n before: null\n before_sensitive: false\n mode: managed\n name: example\n provider_name: registry.terraform.io/hashicorp/aws\n type: aws_s3_bucket\nterraform_version: 1.5.7\ntimestamp: \"2023-10-26T08:15:54Z\"\n" + }, + { + "category": "Kubernetes", + "name": "pod-no-latest", + "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: pod-no-latest\n context:\n - name: tag\n variable: :latest\n match:\n any:\n - apiVersion: v1\n kind: Pod\n identifier: \"metadata.name\"\n assert:\n all:\n - check:\n spec:\n ~foo.containers-\u003efoos:\n (at($foos, $foo).image)-\u003efoo:\n # an image tag is required\n (contains($foo, ':')): true\n # using a mutable image tag e.g. 'latest' is not allowed\n (ends_with($foo, $tag)): false\n - check:\n spec:\n ~.containers-\u003efoo:\n image:\n # an image tag is required\n (contains(@, ':')): true\n # using a mutable image tag e.g. 'latest' is not allowed\n (ends_with(@, ':latest')): false\n - check:\n ~index.(spec.containers[*].image)-\u003eimages:\n # an image tag is required\n (contains(@, ':')): true\n # using a mutable image tag e.g. 'latest' is not allowed\n (ends_with(@, ':latest')): false\n", + "payload": "apiVersion: v1\nkind: Pod\nmetadata:\n name: webserver\nspec:\n containers:\n - name: webserver-1\n image: nginx:latest\n ports:\n - containerPort: 80\n - name: webserver-2\n image: nginx:latest\n ports:\n - containerPort: 80\n - name: webserver-3\n image: nginx:latest\n ports:\n - containerPort: 80\n" + }, + { + "category": "Dockerfile", "name": "check-dockerfile", "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: check-dockerfile\nspec:\n rules:\n - name: deny-external-calls\n assert:\n all:\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].Args[].Value):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"curl is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'curl')): false\n - message: \"wget is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'wget')): false", "payload": "MetaArgs:\n- DefaultValue: '\"linux/amd64\"'\n Key: BUILD_PLATFORM\n ProvidedValue: null\n Value: '\"linux/amd64\"'\n- DefaultValue: '\"golang:1.20.6-alpine3.18\"'\n Key: BUILDER_IMAGE\n ProvidedValue: null\n Value: '\"golang:1.20.6-alpine3.18\"'\nStages:\n- As: builder\n BaseName: '\"golang:1.20.6-alpine3.18\"'\n Commands:\n - Name: WORKDIR\n Path: /\n - Chmod: \"\"\n Chown: \"\"\n DestPath: ./\n From: \"\"\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - .\n - Args:\n - Comment: \"\"\n Key: SIGNER_BINARY_LINK\n Value: '\"https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip\"'\n Name: ARG\n - Args:\n - Comment: \"\"\n Key: SIGNER_BINARY_FILE\n Value: '\"notation-aws-signer-plugin.zip\"'\n Name: ARG\n - CmdLine:\n - wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - apk update \u0026\u0026 apk add unzip \u0026\u0026 unzip -o ${SIGNER_BINARY_FILE}\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"-w -s\" -o kyverno-notation-aws\n .\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n Comment: \"\"\n From:\n Image: '\"golang:1.20.6-alpine3.18\"'\n Location:\n - End:\n Character: 0\n Line: 4\n Start:\n Character: 0\n Line: 4\n Name: builder\n Platform: $BUILD_PLATFORM\n SourceCode: FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder\n- BaseName: gcr.io/distroless/static:nonroot\n Commands:\n - Name: WORKDIR\n Path: /\n - Env:\n - Key: PLUGINS_DIR\n Value: /plugins\n Name: ENV\n - Chmod: \"\"\n Chown: \"\"\n DestPath: plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin\n From: builder\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - notation-com.amazonaws.signer.notation.plugin\n - Chmod: \"\"\n Chown: \"\"\n DestPath: kyverno-notation-aws\n From: builder\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - kyverno-notation-aws\n - CmdLine:\n - /kyverno-notation-aws\n Files: null\n Name: ENTRYPOINT\n PrependShell: false\n Comment: \"\"\n From:\n Image: gcr.io/distroless/static:nonroot\n Location:\n - End:\n Character: 0\n Line: 20\n Start:\n Character: 0\n Line: 20\n Name: \"\"\n Platform: \"\"\n SourceCode: FROM gcr.io/distroless/static:nonroot\n" diff --git a/playground-examples.yaml b/playground-examples.yaml index 288e1e6b..db173ec3 100644 --- a/playground-examples.yaml +++ b/playground-examples.yaml @@ -1,6 +1,13 @@ # categories -dockerfile: - # names +Dockerfile: check-dockerfile: policy: test/commands/scan/dockerfile/policy.yaml payload: test/commands/scan/dockerfile/payload.json +Terraform: + terraform-s3: + policy: test/commands/scan/tf-s3/policy.yaml + payload: test/commands/scan/tf-s3/payload.json +Kubernetes: + pod-no-latest: + policy: test/commands/scan/pod-no-latest/policy.yaml + payload: test/commands/scan/pod-no-latest/payload.yaml diff --git a/website/playground/assets/data.json b/website/playground/assets/data.json index a7fbc437..b5e58f19 100644 --- a/website/playground/assets/data.json +++ b/website/playground/assets/data.json @@ -1,7 +1,19 @@ { "examples": [ { - "category": "dockerfile", + "category": "Terraform", + "name": "terraform-s3", + "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: s3\nspec:\n rules:\n - name: check-tags\n assert:\n all:\n - check:\n planned_values:\n root_module:\n ~.resources:\n values:\n (keys(tags_all)):\n (contains(@, 'Environment')): true\n (contains(@, 'Name')): true\n (contains(@, 'Team')): true", + "payload": "configuration:\n provider_config:\n aws:\n expressions:\n region:\n constant_value: us-west-2\n full_name: registry.terraform.io/hashicorp/aws\n name: aws\n version_constraint: ~\u003e 4.16\n root_module:\n resources:\n - address: aws_s3_bucket.example\n expressions:\n bucket:\n constant_value: my-tf-test-bucket\n tags:\n constant_value:\n Environment: Dev\n Name: My bucket\n mode: managed\n name: example\n provider_config_key: aws\n schema_version: 0\n type: aws_s3_bucket\nformat_version: \"1.2\"\nplanned_values:\n root_module:\n resources:\n - address: aws_s3_bucket.example\n mode: managed\n name: example\n provider_name: registry.terraform.io/hashicorp/aws\n schema_version: 0\n sensitive_values:\n cors_rule: []\n grant: []\n lifecycle_rule: []\n logging: []\n object_lock_configuration: []\n replication_configuration: []\n server_side_encryption_configuration: []\n tags: {}\n tags_all: {}\n versioning: []\n website: []\n type: aws_s3_bucket\n values:\n bucket: my-tf-test-bucket\n force_destroy: false\n tags:\n Environment: Dev\n Name: My bucket\n tags_all:\n Environment: Dev\n Name: My bucket\n timeouts: null\nresource_changes:\n- address: aws_s3_bucket.example\n change:\n actions:\n - create\n after:\n bucket: my-tf-test-bucket\n force_destroy: false\n tags:\n Environment: Dev\n Name: My bucket\n tags_all:\n Environment: Dev\n Name: My bucket\n timeouts: null\n after_sensitive:\n cors_rule: []\n grant: []\n lifecycle_rule: []\n logging: []\n object_lock_configuration: []\n replication_configuration: []\n server_side_encryption_configuration: []\n tags: {}\n tags_all: {}\n versioning: []\n website: []\n after_unknown:\n acceleration_status: true\n acl: true\n arn: true\n bucket_domain_name: true\n bucket_prefix: true\n bucket_regional_domain_name: true\n cors_rule: true\n grant: true\n hosted_zone_id: true\n id: true\n lifecycle_rule: true\n logging: true\n object_lock_configuration: true\n object_lock_enabled: true\n policy: true\n region: true\n replication_configuration: true\n request_payer: true\n server_side_encryption_configuration: true\n tags: {}\n tags_all: {}\n versioning: true\n website: true\n website_domain: true\n website_endpoint: true\n before: null\n before_sensitive: false\n mode: managed\n name: example\n provider_name: registry.terraform.io/hashicorp/aws\n type: aws_s3_bucket\nterraform_version: 1.5.7\ntimestamp: \"2023-10-26T08:15:54Z\"\n" + }, + { + "category": "Kubernetes", + "name": "pod-no-latest", + "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: pod-no-latest\n context:\n - name: tag\n variable: :latest\n match:\n any:\n - apiVersion: v1\n kind: Pod\n identifier: \"metadata.name\"\n assert:\n all:\n - check:\n spec:\n ~foo.containers-\u003efoos:\n (at($foos, $foo).image)-\u003efoo:\n # an image tag is required\n (contains($foo, ':')): true\n # using a mutable image tag e.g. 'latest' is not allowed\n (ends_with($foo, $tag)): false\n - check:\n spec:\n ~.containers-\u003efoo:\n image:\n # an image tag is required\n (contains(@, ':')): true\n # using a mutable image tag e.g. 'latest' is not allowed\n (ends_with(@, ':latest')): false\n - check:\n ~index.(spec.containers[*].image)-\u003eimages:\n # an image tag is required\n (contains(@, ':')): true\n # using a mutable image tag e.g. 'latest' is not allowed\n (ends_with(@, ':latest')): false\n", + "payload": "apiVersion: v1\nkind: Pod\nmetadata:\n name: webserver\nspec:\n containers:\n - name: webserver-1\n image: nginx:latest\n ports:\n - containerPort: 80\n - name: webserver-2\n image: nginx:latest\n ports:\n - containerPort: 80\n - name: webserver-3\n image: nginx:latest\n ports:\n - containerPort: 80\n" + }, + { + "category": "Dockerfile", "name": "check-dockerfile", "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: check-dockerfile\nspec:\n rules:\n - name: deny-external-calls\n assert:\n all:\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].Args[].Value):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"curl is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'curl')): false\n - message: \"wget is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'wget')): false", "payload": "MetaArgs:\n- DefaultValue: '\"linux/amd64\"'\n Key: BUILD_PLATFORM\n ProvidedValue: null\n Value: '\"linux/amd64\"'\n- DefaultValue: '\"golang:1.20.6-alpine3.18\"'\n Key: BUILDER_IMAGE\n ProvidedValue: null\n Value: '\"golang:1.20.6-alpine3.18\"'\nStages:\n- As: builder\n BaseName: '\"golang:1.20.6-alpine3.18\"'\n Commands:\n - Name: WORKDIR\n Path: /\n - Chmod: \"\"\n Chown: \"\"\n DestPath: ./\n From: \"\"\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - .\n - Args:\n - Comment: \"\"\n Key: SIGNER_BINARY_LINK\n Value: '\"https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip\"'\n Name: ARG\n - Args:\n - Comment: \"\"\n Key: SIGNER_BINARY_FILE\n Value: '\"notation-aws-signer-plugin.zip\"'\n Name: ARG\n - CmdLine:\n - wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - apk update \u0026\u0026 apk add unzip \u0026\u0026 unzip -o ${SIGNER_BINARY_FILE}\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"-w -s\" -o kyverno-notation-aws\n .\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n Comment: \"\"\n From:\n Image: '\"golang:1.20.6-alpine3.18\"'\n Location:\n - End:\n Character: 0\n Line: 4\n Start:\n Character: 0\n Line: 4\n Name: builder\n Platform: $BUILD_PLATFORM\n SourceCode: FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder\n- BaseName: gcr.io/distroless/static:nonroot\n Commands:\n - Name: WORKDIR\n Path: /\n - Env:\n - Key: PLUGINS_DIR\n Value: /plugins\n Name: ENV\n - Chmod: \"\"\n Chown: \"\"\n DestPath: plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin\n From: builder\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - notation-com.amazonaws.signer.notation.plugin\n - Chmod: \"\"\n Chown: \"\"\n DestPath: kyverno-notation-aws\n From: builder\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - kyverno-notation-aws\n - CmdLine:\n - /kyverno-notation-aws\n Files: null\n Name: ENTRYPOINT\n PrependShell: false\n Comment: \"\"\n From:\n Image: gcr.io/distroless/static:nonroot\n Location:\n - End:\n Character: 0\n Line: 20\n Start:\n Character: 0\n Line: 20\n Name: \"\"\n Platform: \"\"\n SourceCode: FROM gcr.io/distroless/static:nonroot\n"