feat: add best practices policies in CEL expressions #925

Merged
merged 69 commits into from
Jun 3, 2024
Changes from 1 commit
Commits
69 commits
747b0e8
copy restrict-node-port
Chandan-DK Mar 6, 2024
9a4eca2
convert restrict-node-port to cel
Chandan-DK Mar 6, 2024
c87dea8
move resource files to test folders to avoid cross referencing
Chandan-DK Mar 6, 2024
66550fb
copy require-labels
Chandan-DK Mar 6, 2024
a19e614
convert require-labels to cel
Chandan-DK Mar 6, 2024
793c146
copy restrict-service-external-ips
Chandan-DK Mar 6, 2024
7a0fc6a
convert restrict-service-external-ips to cel
Chandan-DK Mar 7, 2024
2466c52
copy require-ro-rootfs
Chandan-DK Mar 7, 2024
8ca2823
convert require-ro-rootfs to cel
Chandan-DK Mar 7, 2024
cc534a2
copy restrict-image-registries
Chandan-DK Mar 7, 2024
70c4712
convert restrict-image-registries to cel
Chandan-DK Mar 7, 2024
9cbc613
copy disallow-latest-tag
Chandan-DK Mar 7, 2024
7266245
convert disallow-latest-tag to cel
Chandan-DK Mar 7, 2024
56680c9
copy disallow-default-namespace
Chandan-DK Mar 8, 2024
deefeee
convert disallow-default-namespace to cel
Chandan-DK Mar 8, 2024
c0b203a
copy disallow-helm-tiller
Chandan-DK Mar 8, 2024
2908df9
convert disallow-helm-tiller to cel
Chandan-DK Mar 8, 2024
5291e6d
Merge branch 'main' into convert-best-practices-to-cel
Chandan-DK Mar 9, 2024
cc5a3da
copy disallow-empty-ingress-host
Chandan-DK Mar 9, 2024
13f8cb5
set original disallow-empty-ingress-host to Audit
Chandan-DK Mar 9, 2024
b29888f
convert disallow-empty-ingress-host to cel
Chandan-DK Mar 9, 2024
1347c26
patch cel policy to set it to Enforce in chainsaw test
Chandan-DK Mar 9, 2024
638431a
fix: update semantically wrong chainsaw test resources in original re…
Chandan-DK Mar 10, 2024
c1cf234
copy require-drop-all
Chandan-DK Mar 10, 2024
625ee8e
convert require-drop-all to cel
Chandan-DK Mar 10, 2024
0283264
update workflow to test policies in best-practices-cel folder
Chandan-DK Mar 10, 2024
e206f7c
fix duplicate container names in require-probes chainsaw test
Chandan-DK Mar 10, 2024
c3b399e
copy require-probes
Chandan-DK Mar 10, 2024
13f20c0
convert require-probes to cel
Chandan-DK Mar 10, 2024
3405d61
require-ro-rootfs: fix selector does not match template labels
Chandan-DK Mar 14, 2024
6f0f536
require-ro-rootfs: fix duplicate container names
Chandan-DK Mar 14, 2024
28a0b2b
disallow-helm-tiller: fix invalid container naming
Chandan-DK Mar 14, 2024
4deb30c
require-labels: fix selector does not match template labels
Chandan-DK Mar 14, 2024
1ee5e25
restrict-image-registries: fix selector does not match template labels
Chandan-DK Mar 14, 2024
9527da4
Merge branch 'main' into convert-best-practices-to-cel
Chandan-DK Mar 14, 2024
e809be1
rename file for clarity
Chandan-DK Mar 14, 2024
62fc668
copy disallow-cri-sock-mount
Chandan-DK Mar 14, 2024
f26b1b2
convert disallow-cri-sock-mount to cel
Chandan-DK Mar 14, 2024
9579075
remove duplicate expressions in require-drop-all
Chandan-DK Mar 14, 2024
46574a1
rename file for clarity
Chandan-DK Mar 14, 2024
2d25227
require-drop-cap-net-raw: fix duplicate container names
Chandan-DK Mar 14, 2024
de2993a
copy require-drop-cap-net-raw
Chandan-DK Mar 14, 2024
057814d
rename pods to distinguish them
Chandan-DK Mar 15, 2024
618b7c8
convert require-drop-cap-net-raw to cel
Chandan-DK Mar 15, 2024
1fc12c0
copy require-pod-requests-limits
Chandan-DK Mar 15, 2024
fdb9a00
convert require-pod-requests-limits to cel
Chandan-DK Mar 15, 2024
ffe9192
rename files for clarity
Chandan-DK Mar 15, 2024
f3f84ec
add new line at end of file where not present
Chandan-DK Mar 15, 2024
42808ba
calculate digests
Chandan-DK Mar 15, 2024
c13bf5a
add new lines
Chandan-DK Mar 15, 2024
6298f7e
update digests
Chandan-DK Mar 15, 2024
b71dc85
remove celPreconditions until it behaves as expected
Chandan-DK Mar 15, 2024
8bef250
update digests
Chandan-DK Mar 15, 2024
48675be
remove wrong test step
Chandan-DK Mar 16, 2024
8c6b717
Merge branch 'main' into convert-best-practices-to-cel
chipzoller Mar 18, 2024
db6f0a4
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 Mar 25, 2024
51a0c3e
use variables to remove duplicate logic
Chandan-DK Mar 25, 2024
cc3be8a
remove unnecessary whitespace in require-ro-rootfs
Chandan-DK Mar 26, 2024
734f9f2
use namespaceObject variable
Chandan-DK Mar 26, 2024
9f493ed
Combine expressions into 1 rule to generate VAPs
Chandan-DK Apr 4, 2024
8e133b7
copy kyverno tests for disallow-default-namespace
Chandan-DK Apr 19, 2024
bc57d09
Merge branch 'main' into convert-best-practices-to-cel
Chandan-DK Apr 19, 2024
044a419
Merge branch 'main' into convert-best-practices-to-cel
JimBugwadia May 15, 2024
bb48b70
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 16, 2024
6a71ee2
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 16, 2024
cad31da
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 22, 2024
3cda1d5
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 30, 2024
d6ad7cd
fix issue caused in cel policies tests due to chainsaw templating
Chandan-DK May 30, 2024
8ca2e18
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 Jun 3, 2024
@@ -0,0 +1,33 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: disallow-empty-ingress-host
spec:
steps:
- name: step-01
try:
- apply:
file: ../disallow-empty-ingress-host.yaml
- assert:
file: policy-ready.yaml
- name: step-02
try:
- apply:
file: good-ingress.yaml
- apply:
expect:
- check:
($error != null): true
file: no-host-ingress.yaml
- apply:
expect:
- check:
($error != null): true
file: no-host-fail-first.yaml
- apply:
expect:
- check:
($error != null): true
file: no-host-success-first.yaml
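Review bot: the three negative applies in step-02 only check `($error != null): true`, which is satisfied by any apply failure (a schema error in the fixture, a missing namespace, an unreachable API server) and not specifically by the policy rejecting the Ingress. Tightening each check to match the denial text, for example a `contains($error, 'disallow-empty-ingress-host')` check, would stop a broken fixture from passing as a successful enforcement. Note also that step-02 applies good-ingress.yaml without any assertion on the resulting object; asserting that it was created keeps the positive case from silently degrading into a no-op.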
@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-wildcard-host
spec:
rules:
- host: "foo.bar.com"
http:
paths:
- pathType: Prefix
path: "/bar"
backend:
service:
name: service1
port:
number: 80
- host: "*.foo.com"
http:
paths:
- pathType: Prefix
path: "/foo"
backend:
service:
name: service2
port:
number: 80
@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host
spec:
rules:
- http:
paths:
- pathType: Prefix
path: "/bar"
backend:
service:
name: service1
port:
number: 80
- host: "bar.foo.com"
http:
paths:
- pathType: Prefix
path: "/foo"
backend:
service:
name: service2
port:
number: 80
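Review bot: the first rule here has `http` paths but no `host`, so this fixture checks that a missing host is caught even when it is not the last rule. Under the policy's count-based deny condition this is 1 host against 2 `http` blocks, so it is rejected; a short comment at the top of the fixture stating that expected outcome would help readers match it to the step-02 entry in the chainsaw test, since the file name is not visible in the hunk.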
@@ -0,0 +1,17 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: minimal-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- http:
paths:
- path: /testpath
pathType: Prefix
backend:
service:
name: test
port:
number: 80
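Review bot: the `nginx.ingress.kubernetes.io/rewrite-target` annotation is unrelated to the host check and ties the fixture to one controller; dropping it keeps the file as minimal as its name `minimal-ingress` suggests. This is the single-rule, no-host case (0 hosts against 1 `http` block), which the policy must reject.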
@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host
spec:
rules:
- host: "bar.foo.com"
http:
paths:
- pathType: Prefix
path: "/bar"
backend:
service:
name: service1
port:
number: 80
- http:
paths:
- pathType: Prefix
path: "/foo"
backend:
service:
name: service2
port:
number: 80
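Review bot: this fixture reuses `metadata.name: ingress-host` from the fixture above in which the host-less rule comes first. Both are expected to be rejected, so the clash is harmless today, but if a regression ever admits one of them the second apply becomes an update of the first rather than an independent create, and the test would report one failure instead of two. Give each negative fixture a distinct name (for example ingress-no-host-last) so the cases cannot mask each other; the commit list already applies the same fix to pods elsewhere in this PR.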
@@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-empty-ingress-host
status:
ready: true
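Review bot: asserting only `status.ready: true` confirms the policy was admitted, not that it is in enforce mode, which step-02 of the chainsaw test depends on since apply errors only occur under enforce (the commit list records the original being switched to Audit and the CEL policy being patched to Enforce in the test). Including `spec.validationFailureAction: enforce` in this assert file would make the test fail loudly if the mode drifts.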
@@ -0,0 +1,21 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: disallow-empty-ingress-host
policies:
- ../disallow-empty-ingress-host.yaml
resources:
- resource.yaml
results:
- kind: Ingress
policy: disallow-empty-ingress-host
resources:
- minimal-ingress
result: fail
rule: disallow-empty-ingress-host
- kind: Ingress
policy: disallow-empty-ingress-host
resources:
- ingress-wildcard-host
result: pass
rule: disallow-empty-ingress-host
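Review bot: the `results` only cover the all-hosts-defined case (`ingress-wildcard-host`, pass) and the single-rule no-host case (`minimal-ingress`, fail), while the chainsaw test also exercises mixed rule sets where the host-less rule sits first or last. Adding those two Ingresses to resource.yaml with `result: fail` entries would keep the CLI test and the chainsaw test equivalent, so a regression caught by one is caught by the other.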
@@ -0,0 +1,44 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-wildcard-host
spec:
rules:
- host: "foo.bar.com"
http:
paths:
- pathType: Prefix
path: "/bar"
backend:
service:
name: service1
port:
number: 80
- host: "*.foo.com"
http:
paths:
- pathType: Prefix
path: "/foo"
backend:
service:
name: service2
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: minimal-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- http:
paths:
- path: /testpath
pathType: Prefix
backend:
service:
name: test
port:
number: 80
21 changes: 21 additions & 0 deletions best-practices-cel/disallow-empty-ingress-host/artifacthub-pkg.yml
@@ -0,0 +1,21 @@
name: disallow-empty-ingress-host
version: 1.0.0
displayName: Disallow empty Ingress host
createdAt: "2023-04-10T19:47:15.000Z"
description: >-
An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
```
keywords:
- kyverno
- Best Practices
readme: |
An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined.

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Best Practices"
kyverno/subject: "Ingress"
digest: f9e70cf095e2d69a9586d7b8071975006e76aa715e5c978d37761c03ac6fc7fd
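Review bot: the `install` command points at `best-practices/disallow-empty-ingress-host/...` on main, but this package lives under `best-practices-cel/` (see the file path in the header), so anyone installing from Artifact Hub would get the JMESPath policy rather than the CEL one; update the URL to the best-practices-cel path. The `createdAt` of 2023-04-10 and the `digest` are also carried over from the original package and need to be set for this new one (later commits in the list recompute digests), and the description and readme should say this is the CEL variant so the two listings are distinguishable.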
@@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-empty-ingress-host
annotations:
policies.kyverno.io/title: Disallow empty Ingress host
policies.kyverno.io/category: Best Practices
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Ingress
policies.kyverno.io/description: >-
An ingress resource needs to define an actual host name
in order to be valid. This policy ensures that there is a
hostname for each rule defined.
spec:
validationFailureAction: enforce
background: false
rules:
- name: disallow-empty-ingress-host
match:
any:
- resources:
kinds:
- Ingress
validate:
message: "The Ingress host name must be defined, not empty."
deny:
conditions:
all:
- key: "{{ request.object.spec.rules[].host || `[]` | length(@) }}"
operator: NotEquals
value: "{{ request.object.spec.rules[].http || `[]` | length(@) }}"
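Review bot: the deny condition compares the number of rules with a `host` to the number of rules with an `http` block, which is only a proxy for "every rule has a host": an Ingress with rules `[{host, http}, {http}, {host}]` has 2 hosts and 2 `http` blocks and is admitted although the middle rule has no host, while a rule that sets a host but no `http` section (1 against 0) is denied although every host is defined. The CEL conversion this PR adds should check per rule rather than by count, for example `object.spec.rules.all(r, has(r.host) && r.host != '')` guarded by `has(object.spec.rules)` for defaultBackend-only Ingresses. The `policies.kyverno.io/minversion: 1.6.0` annotation also needs raising for the CEL form, since `validate.cel` requires Kyverno 1.11 or later. Finally, this hunk keeps `validationFailureAction: enforce` while the commit list records setting the original to Audit; whichever is intended should match the chainsaw fixtures that expect apply errors.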