Add chainsaw tests for pod-security disallow-proc-mount (#1076)

Based in the kyverno test resources, this adds chainsaw tests for the pod-security and pod-security-cel policy disallow-proc-mount. Signed-off-by: jayme-github <[email protected]> Co-authored-by: Chip Zoller <[email protected]>
kyverno · Jul 14, 2024 · 7cff98b · 7cff98b
1 parent 2efa806
commit 7cff98b
Show file tree

Hide file tree

Showing 13 changed files with 1,326 additions and 0 deletions.
diff --git a/.github/kind.yml b/.github/kind.yml
@@ -1,5 +1,7 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+  ProcMountType: true
 kubeadmConfigPatches:
   - |-
     kind: ClusterConfiguration

diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,40 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: disallow-proc-mount
+spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../disallow-proc-mount.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: disallow-proc-mount
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-bad.yaml
+    - apply:
+        file: podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: podcontroller-bad.yaml
diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml
@@ -0,0 +1,73 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+    securityContext:
+      procMount: Unmasked
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod02
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+  - name: container02
+    image: dummyimagename
+    securityContext:
+      procMount: Unmasked
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod03
+spec:
+  initContainers:
+  - name: initcontainer01
+    image: dummyimagename
+    securityContext:
+      procMount: Unmasked
+  containers:
+  - name: container01
+    image: dummyimagename
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod04
+spec:
+  initContainers:
+  - name: initcontainer01
+    image: dummyimagename
+  - name: initcontainer02
+    image: dummyimagename
+    securityContext:
+      procMount: Unmasked
+  containers:
+  - name: container01
+    image: dummyimagename
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod05
+spec:
+  initContainers:
+  - name: initcontainer01
+    image: dummyimagename
+  - name: initcontainer02
+    image: dummyimagename
+    securityContext:
+      procMount: Unmasked
+  containers:
+  - name: container01
+    image: dummyimagename
+    securityContext:
+      procMount: Unmasked
+---
diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml
@@ -0,0 +1,78 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod01
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod02
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+    securityContext:
+      procMount: Default
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod03
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+  - name: container02
+    image: dummyimagename
+    securityContext:
+      procMount: Default
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod04
+spec:
+  initContainers:
+  - name: initcontainer01
+    image: dummyimagename
+  containers:
+  - name: container01
+    image: dummyimagename
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod05
+spec:
+  initContainers:
+  - name: initcontainer01
+    image: dummyimagename
+    securityContext:
+      procMount: Default
+  containers:
+  - name: container01
+    image: dummyimagename
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod06
+spec:
+  initContainers:
+  - name: initcontainer01
+    image: dummyimagename
+  - name: initcontainer02
+    image: dummyimagename
+    securityContext:
+      procMount: Default
+  containers:
+  - name: container01
+    image: dummyimagename
+    securityContext:
+      procMount: Default
+---