From 3aa7ffd646cf986ae1ca1f230970cfbe1d219605 Mon Sep 17 00:00:00 2001
From: erisnar
Date: Mon, 25 Mar 2024 13:57:07 +0100
Subject: [PATCH 1/2] added chainsaw tests for disallow-proc-mount
---
 .../chainsaw-step-01-assert-1.yaml | 6 +
 .../.chainsaw-test/chainsaw-test.yaml | 38 +++
 .../.chainsaw-test/pod-bad.yaml | 131 ++++++++
 .../.chainsaw-test/pod-good.yaml | 130 ++++++++
 .../.chainsaw-test/podcontroller-bad.yaml | 270 ++++++++++++++++
 .../.chainsaw-test/podcontroller-good.yaml | 294 ++++++++++++++++++
 6 files changed, 869 insertions(+)
 create mode 100755 pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 create mode 100755 pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml
 create mode 100644 pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml
 create mode 100644 pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml
 create mode 100644 pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml
diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..cc13a32d2
--- /dev/null
+++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-privileged-containers
+status:
+ ready: true
diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..b9fea4b92
--- /dev/null
+++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-proc-mount
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-proc-mount.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-proc-mount
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml
new file mode 100644
index 000000000..1afd6a27b
--- /dev/null
+++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml
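Review bot: The two negative checks in step-02 accept any apply error — `($error != null): true` is satisfied whether the rejection came from this policy, from some other admission controller present in the test cluster, or from an API-server schema error — so the step never proves that `disallow-proc-mount` is what blocked the bad manifests. Tighten both checks to match the policy name in the returned error, e.g. `(contains($error, 'disallow-proc-mount')): true`, which chainsaw evaluates as a JMESPath expression against the error string (confirm against the chainsaw version pinned in CI). Separately, if the test cluster does not enable the `ProcMountType` feature gate, the API server's disabled-field handling resets `procMount: Unmasked` to `Default` during `PrepareForCreate`, i.e. before validating admission runs, so Kyverno would see compliant pods and the expected errors would not occur; the cluster config used by CI is not in this diff, so that gate is worth confirming rather than assuming.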
@@ -0,0 +1,131 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01-new +spec: + initContainers: + - name: busybox01-init + image: busybox:1.35 + securityContext: + procMount: Unmasked + containers: + - name: busybox01 + image: busybox:1.35 + securityContext: + procMount: Default + - name: busybox02 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02-new +spec: + containers: + - name: busybox01 + image: busybox:1.35 + securityContext: + procMount: Unmasked +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03-new +spec: + containers: + - name: busybox01 + image: busybox:1.35 + securityContext: + procMount: Unmasked + - name: busybox02 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04-new +spec: + containers: + - name: busybox01 + image: busybox:1.35 + securityContext: + procMount: Default + - name: busybox02 + image: busybox:1.35 + securityContext: + procMount: Unmasked +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + procMount: Unmasked +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + procMount: Unmasked +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + 
image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: busybox:1.35 + securityContext: + procMount: Unmasked +--- \ No newline at end of file diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..5bccd454d --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml 
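Review bot: The file ends with a bare `---` and no trailing newline (the `\ No newline at end of file` marker), which yields an empty final document; kubectl and chainsaw tolerate it, but stricter loaders such as yamllint flag it, and the same trailing separator appears in the other fixture files of this change. Drop the final `---` and end the file with a newline. A short header comment would also help the next maintainer, since every manifest here deliberately sets `procMount: Unmasked` on at least one container: `# Each pod sets procMount: Unmasked on at least one (init)container and must be rejected.`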
@@ -0,0 +1,130 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01-new +spec: + initContainers: + - name: busybox01-init + image: busybox:1.35 + securityContext: + procMount: Default + containers: + - name: busybox01 + image: busybox:1.35 + securityContext: + procMount: Default + - name: busybox02 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02-new +spec: + containers: + - name: busybox01 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03-new +spec: + containers: + - name: busybox01 + image: busybox:1.35 + securityContext: + procMount: Default + - name: busybox02 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04-new +spec: + containers: + - name: busybox01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + securityContext: + procMount: Default + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + 
securityContext: + procMount: Default + containers: + - name: container01 + image: busybox:1.35 + securityContext: + procMount: Default +--- \ No newline at end of file diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..ff0c538e4 --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,270 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01-new +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: busybox01-init + image: busybox:1.35 + securityContext: + procMount: Default + containers: + - name: busybox01 + image: busybox:1.35 + securityContext: + procMount: Unmasked + - name: busybox02 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01-new +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: Never + initContainers: + - name: busybox01-init + image: busybox:1.35 + securityContext: + procMount: Unmasked + containers: + - name: busybox01 + image: busybox:1.35 + - name: busybox02 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + procMount: Unmasked +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + procMount: Unmasked +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + 
template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: busybox:1.35 + securityContext: + procMount: Unmasked +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35 + securityContext: + procMount: Unmasked +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + procMount: Unmasked +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: busybox:1.35 + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + securityContext: + procMount: Unmasked + containers: + - 
name: container01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: busybox:1.35 + securityContext: + procMount: Unmasked +--- \ No newline at end of file diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..93ce2ec46 --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml 
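Review bot: The expected rejection of every Deployment and CronJob here depends on the policy's rules being auto-generated for pod controllers, and the policy file (`../disallow-proc-mount.yaml`) is outside this diff; if it carries `pod-policies.kyverno.io/autogen-controllers: none` or is later narrowed to Pods only, these applies would silently start succeeding and the test step would fail without pointing at the cause. Record that dependency at the top of the file: `# Rejection relies on Kyverno autogen rules for Deployment and CronJob; see ../disallow-proc-mount.yaml.` As a point of style, `badcronjob01-new` uses `restartPolicy: Never` while every other CronJob uses `OnFailure`; the difference carries no meaning for this policy, so align them.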
@@ -0,0 +1,294 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01-new +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: busybox01-init + image: busybox:1.35 + securityContext: + procMount: Default + containers: + - name: busybox01 + image: busybox:1.35 + securityContext: + procMount: Default + - name: busybox02 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01-new +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: Never + initContainers: + - name: busybox01-init + image: busybox:1.35 + securityContext: + procMount: Default + containers: + - name: busybox01 + image: busybox:1.35 + - name: busybox02 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: 
busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + securityContext: + procMount: Default + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + securityContext: + procMount: Default + - name: initcontainer02 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 + securityContext: + procMount: Default +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: busybox:1.35 + containers: + - name: container01 + image: 
busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob05
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: busybox:1.35
+ securityContext:
+ procMount: Default
+ containers:
+ - name: container01
+ image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob06
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: busybox:1.35
+ - name: initcontainer02
+ image: busybox:1.35
+ securityContext:
+ procMount: Default
+ containers:
+ - name: container01
+ image: busybox:1.35
+ securityContext:
+ procMount: Default
From f6849127ba2386e8b49ead5be35cc466b3412dd3 Mon Sep 17 00:00:00 2001
From: erisnar
Date: Mon, 25 Mar 2024 13:58:34 +0100
Subject: [PATCH 2/2] rename policy
---
 .../.chainsaw-test/chainsaw-step-01-assert-1.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index cc13a32d2..87ef3bbcb 100755
--- a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -1,6 +1,6 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: disallow-privileged-containers
+ name: disallow-proc-mount
 status:
 ready: true
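Review bot: Every Deployment in this file uses the identical selector `matchLabels: app: app`, and these are the resources that are actually admitted and reconciled in the shared test namespace; the Kubernetes Deployment docs say overlapping selectors across Deployments in one namespace must be avoided because the controllers can interfere with each other's ReplicaSets and pods (in practice ownerReferences usually keep them apart, but the test should not rely on that). Give each Deployment its own label, e.g. `app: gooddeployment01`, in both `selector.matchLabels` and `template.metadata.labels`. The CronJobs also fire every minute (`schedule: "*/1 * * * *"`) and launch command-less busybox pods that exit immediately, so the namespace will accumulate Jobs until chainsaw cleans up; a less frequent schedule or `suspend: true` would keep the admission test from doing any scheduling work at all.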