From c2cd92637a4c1261ba7bdb4d28e863532a19393f Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sat, 30 Mar 2024 18:15:39 +0000
Subject: [PATCH 01/25] copy enforce-pod-duration
Signed-off-by: Chandan-DK
---
 .../chainsaw-step-01-assert-1.yaml | 6 ++
 .../.chainsaw-test/chainsaw-test.yaml | 38 +++++++++
 .../.chainsaw-test/podcontrollers-bad.yaml | 42 ++++++++++
 .../.chainsaw-test/podcontrollers-good.yaml | 81 +++++++++++++++++++
 .../.chainsaw-test/pods-bad.yaml | 23 ++++++
 .../.chainsaw-test/pods-good.yaml | 43 ++++++++++
 .../.kyverno-test/kyverno-test.yaml | 21 +++++
 .../.kyverno-test/resources.yaml | 23 ++++++
 .../enforce-pod-duration/artifacthub-pkg.yml | 21 +++++
 .../enforce-pod-duration.yaml | 31 +++++++
 10 files changed, 329 insertions(+)
 create mode 100755 other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 create mode 100755 other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml
 create mode 100644 other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml
 create mode 100644 other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml
 create mode 100644 other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml
 create mode 100644 other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml
 create mode 100644 other-cel/enforce-pod-duration/.kyverno-test/resources.yaml
 create mode 100644 other-cel/enforce-pod-duration/artifacthub-pkg.yml
 create mode 100644 other-cel/enforce-pod-duration/enforce-pod-duration.yaml
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..b53713baf
--- /dev/null
+++ b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: pod-lifetime
+status:
+ ready: true
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..76632597a
--- /dev/null
+++ b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: enforce-pod-duration
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../enforce-pod-duration.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: pod-lifetime
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pods-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pods-bad.yaml
+ - apply:
+ file: podcontrollers-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontrollers-bad.yaml
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml
new file mode 100644
index 000000000..2456f925f
--- /dev/null
+++ b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ annotations:
+ pod.kubernetes.io/lifetime: "8h5m"
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ pod.kubernetes.io/lifetime: "8h5m"
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml
new file mode 100644
index 000000000..49f7d105c
--- /dev/null
+++ b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml
@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeployment02
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ annotations:
+ pod.kubernetes.io/lifetime: "8h"
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob02
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ pod.kubernetes.io/lifetime: "5m"
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml
new file mode 100644
index 000000000..e12fe5b2f
--- /dev/null
+++ b/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ foo: bar
+ pod.kubernetes.io/lifetime: "8h1m"
+ name: badpod01
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ pod.kubernetes.io/lifetime: "24h"
+ foo: bar
+ name: badpod02
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
\ No newline at end of file
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml
new file mode 100644
index 000000000..72af42c34
--- /dev/null
+++ b/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ foo: bar
+ name: goodpod02
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ foo: bar
+ pod.kubernetes.io/lifetime: "5m"
+ name: goodpod03
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ pod.kubernetes.io/lifetime: "8h"
+ foo: bar
+ name: goodpod04
+spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
\ No newline at end of file
diff --git a/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml b/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..d4eaab5bd
--- /dev/null
+++ b/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: pod-lifetime
+policies:
+- ../enforce-pod-duration.yaml
+resources:
+- resources.yaml
+results:
+- kind: Pod
+ policy: pod-lifetime
+ resources:
+ - test-lifetime-fail
+ result: fail
+ rule: pods-lifetime
+- kind: Pod
+ policy: pod-lifetime
+ resources:
+ - test-lifetime-pass
+ result: pass
+ rule: pods-lifetime
diff --git a/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml b/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml
new file mode 100644
index 000000000..6d50f9124
--- /dev/null
+++ b/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-lifetime-pass
+ namespace: test
+ annotations:
+ pod.kubernetes.io/lifetime: 4h
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-lifetime-fail
+ namespace: test
+ annotations:
+ pod.kubernetes.io/lifetime: 24h
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.12
diff --git a/other-cel/enforce-pod-duration/artifacthub-pkg.yml b/other-cel/enforce-pod-duration/artifacthub-pkg.yml
new file mode 100644
index 000000000..38454c1d0
--- /dev/null
+++ b/other-cel/enforce-pod-duration/artifacthub-pkg.yml
@@ -0,0 +1,21 @@
+name: enforce-pod-duration
+version: 1.0.0
+displayName: Enforce pod duration
+createdAt: "2023-04-10T20:30:04.000Z"
+description: >-
+ This validation is valuable when annotations are used to define durations, such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. Pod lifetime annotation can be no greater than 8 hours.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/enforce-pod-duration/enforce-pod-duration.yaml
+ ```
+keywords:
+ - kyverno
+ - Sample
+readme: |
+ This validation is valuable when annotations are used to define durations, such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. Pod lifetime annotation can be no greater than 8 hours.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Sample"
+ kyverno/subject: "Pod"
+digest: 3ded11cc52869141f7db7d402e6ead5965aa36fb1a16aedb0f71e4b7204adb72
diff --git a/other-cel/enforce-pod-duration/enforce-pod-duration.yaml b/other-cel/enforce-pod-duration/enforce-pod-duration.yaml
new file mode 100644
index 000000000..4ebb7e859
--- /dev/null
+++ b/other-cel/enforce-pod-duration/enforce-pod-duration.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: pod-lifetime
+ annotations:
+ policies.kyverno.io/title: Enforce pod duration
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ This validation is valuable when annotations are used to define durations,
+ such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold.
+ Pod lifetime annotation can be no greater than 8 hours.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: pods-lifetime
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Pod lifetime exceeds limit of 8h"
+ deny:
+ conditions:
+ any:
+ - key: "{{ request.object.metadata.annotations.\"pod.kubernetes.io/lifetime\" || '0s' }}"
+ operator: GreaterThan
+ value: "8h"
From 4b8d07ceb9888fc032934dbdca4edadb7969bf1e Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sat, 30 Mar 2024 18:18:41 +0000
Subject: [PATCH 02/25] convert enforce-pod-duration to cel
Signed-off-by: Chandan-DK
---
 .../enforce-pod-duration/artifacthub-pkg.yml | 15 ++++++-----
 .../enforce-pod-duration.yaml | 26 +++++++++++--------
 2 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/other-cel/enforce-pod-duration/artifacthub-pkg.yml b/other-cel/enforce-pod-duration/artifacthub-pkg.yml
index 38454c1d0..c2c68faf6 100644
--- a/other-cel/enforce-pod-duration/artifacthub-pkg.yml
+++ b/other-cel/enforce-pod-duration/artifacthub-pkg.yml
@@ -1,21 +1,24 @@
-name: enforce-pod-duration
+name: enforce-pod-duration-cel
version: 1.0.0
-displayName: Enforce pod duration
-createdAt: "2023-04-10T20:30:04.000Z"
+displayName: Enforce pod duration in CEL expressions
description: >-
This validation is valuable when annotations are used to define durations, such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. Pod lifetime annotation can be no greater than 8 hours.
install: |-
```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/enforce-pod-duration/enforce-pod-duration.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/enforce-pod-duration/enforce-pod-duration.yaml
```
keywords:
- kyverno
- Sample
+ - CEL Expressions
readme: |
This validation is valuable when annotations are used to define durations, such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. Pod lifetime annotation can be no greater than 8 hours.

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
- kyverno/category: "Sample"
+ kyverno/category: "Sample in CEL"
+ kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
-digest: 3ded11cc52869141f7db7d402e6ead5965aa36fb1a16aedb0f71e4b7204adb72
+digest: b2f1fec7c8b199024c813b1ddb3d52f27f889d082c0c94f4824c499cd6b278bb
+createdAt: "2024-03-30T18:18:11Z"
+
diff --git a/other-cel/enforce-pod-duration/enforce-pod-duration.yaml b/other-cel/enforce-pod-duration/enforce-pod-duration.yaml
index 4ebb7e859..48ccc0fb7 100644
--- a/other-cel/enforce-pod-duration/enforce-pod-duration.yaml
+++ b/other-cel/enforce-pod-duration/enforce-pod-duration.yaml
@@ -3,16 +3,17 @@ kind: ClusterPolicy
metadata:
name: pod-lifetime
annotations:
- policies.kyverno.io/title: Enforce pod duration
- policies.kyverno.io/category: Sample
- policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/title: Enforce pod duration in CEL expressions
+ policies.kyverno.io/category: Sample in CEL
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
This validation is valuable when annotations are used to define durations,
such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold.
Pod lifetime annotation can be no greater than 8 hours.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: pods-lifetime
@@ -22,10 +23,13 @@ spec:
kinds:
- Pod
validate:
- message: "Pod lifetime exceeds limit of 8h"
- deny:
- conditions:
- any:
- - key: "{{ request.object.metadata.annotations.\"pod.kubernetes.io/lifetime\" || '0s' }}"
- operator: GreaterThan
- value: "8h"
+ cel:
+ variables:
+ - name: hasLifetimeAnnotation
+ expression: "has(object.metadata.annotations) && 'pod.kubernetes.io/lifetime' in object.metadata.annotations"
+ - name: lifetimeAnnotationValue
+ expression: "variables.hasLifetimeAnnotation ? object.metadata.annotations['pod.kubernetes.io/lifetime'] : '0s'"
+ expressions:
+ - expression: "!(duration(variables.lifetimeAnnotationValue) > duration('8h'))"
+ message: "Pod lifetime exceeds limit of 8h"
+
From 2ba3e1cf71444e7948b683820e6291a5848f5067 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sat, 30 Mar 2024 18:22:34 +0000
Subject: [PATCH 03/25] add CI test for directories starting with e to l in other-cel folder
Signed-off-by: Chandan-DK
---
 .github/workflows/test.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 969021712..65966ed9b 100644
--- a/.github/workflows/test.yml
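Review bot: `duration(variables.lifetimeAnnotationValue)` in the new `expressions` entry turns into a CEL evaluation error, not a validation failure, whenever the annotation holds something that is not a Go-style duration (`8 hours`, `1d`, an empty string), so a malformed value never reaches the rule's `message` and what Kyverno does with that error in Enforce mode is not visible from this hunk — worth confirming, and none of the fixtures in this series exercise it. A format guard placed before the comparison keeps the outcome explicit, e.g. `- expression: "!variables.hasLifetimeAnnotation || variables.lifetimeAnnotationValue.matches('^([0-9]+(\\.[0-9]+)?(ns|us|ms|s|m|h))+$')"` with a message such as `"pod.kubernetes.io/lifetime must be a duration like 30m or 8h"`, leaving the existing `duration(...)` check as the second expression. The rule still matches only `kind: Pod`, so the Deployment/CronJob fixtures in `podcontrollers-*.yaml` rely on Kyverno's autogen applying to CEL subrules in the declared `minversion`; the rule definition begins above this second hunk.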
+++ b/.github/workflows/test.yml
@@ -53,6 +53,7 @@ jobs:
- ^other$/^re[c-q]
- ^other$/^res
- ^other$/^[s-z]
+ - ^other-cel$/^[e-l]
- ^pod-security$
- ^pod-security-cel$
- ^psa$
From e593e32e5d4f6c58f2d68b0eadfd710d972db062 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 31 Mar 2024 10:28:19 +0000
Subject: [PATCH 04/25] copy enforce-readwriteonce-pod
Signed-off-by: Chandan-DK
---
 .../.kyverno-test/kyverno-test.yaml | 21 ++++++++++++
 .../.kyverno-test/resource.yaml | 22 +++++++++++++
 .../artifacthub-pkg.yml | 31 +++++++++++++++++
 .../enforce-readwriteonce-pod.yaml | 33 +++++++++++++++++++
 4 files changed, 107 insertions(+)
 create mode 100644 other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml
 create mode 100644 other-cel/enforce-readwriteonce-pod/.kyverno-test/resource.yaml
 create mode 100644 other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml
 create mode 100644 other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml
diff --git a/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml b/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..12ad90cbe
--- /dev/null
+++ b/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: enforce-readwriteonce-pod
+policies:
+- ../enforce-readwriteonce-pod.yaml
+resources:
+- resource.yaml
+results:
+- kind: PersistentVolumeClaim
+ policy: readwriteonce-pod
+ resources:
+ - badpvc
+ result: fail
+ rule: readwrite-pvc-single-pod
+- kind: PersistentVolumeClaim
+ policy: readwriteonce-pod
+ resources:
+ - goodpvc
+ result: pass
+ rule: readwrite-pvc-single-pod
\ No newline at end of file
diff --git a/other-cel/enforce-readwriteonce-pod/.kyverno-test/resource.yaml b/other-cel/enforce-readwriteonce-pod/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..df1206b98
--- /dev/null
+++ b/other-cel/enforce-readwriteonce-pod/.kyverno-test/resource.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: badpvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: goodpvc
+spec:
+ accessModes:
+ - ReadWriteOncePod
+ resources:
+ requests:
+ storage: 1Gi
+
diff --git a/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml b/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml
new file mode 100644
index 000000000..ea2bed446
--- /dev/null
+++ b/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml
@@ -0,0 +1,31 @@
+name: enforce-readwriteonce-pod
+version: 1.0.0
+displayName: Enforce readwriteoncepod
+createdAt: "2023-12-31T16:10:04.000Z"
+description: >-
+ Some stateful workloads with multiple replicas only allow a single Pod to write
+ to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default
+ in 1.27, a new setting called ReadWriteOncePod, available
+ for CSI volumes only, allows volumes to be writable from only a single Pod. For more
+ information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/.
+ This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml
+ ```
+keywords:
+ - kyverno
+ - Sample
+readme: |
+ Some stateful workloads with multiple replicas only allow a single Pod to write
+ to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default
+ in 1.27, a new setting called ReadWriteOncePod, available
+ for CSI volumes only, allows volumes to be writable from only a single Pod. For more
+ information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/.
+ This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Sample"
+ kyverno/subject: "PersistentVolumeClaims"
+digest: 2fb28419ac572f7a3d8ee50f6dd157b00b015638f6a9d06728783f35ffb6c7f0
diff --git a/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml b/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml
new file mode 100644
index 000000000..ac6ee003f
--- /dev/null
+++ b/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: readwriteonce-pod
+ annotations:
+ policies.kyverno.io/title: Enforce ReadWriteOncePod
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/subject: PersistentVolumeClaim
+ policies.kyverno.io/description: >-
+ Some stateful workloads with multiple replicas only allow a single Pod to write
+ to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default
+ in 1.27, a new setting called ReadWriteOncePod, available
+ for CSI volumes only, allows volumes to be writable from only a single Pod. For more
+ information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/.
+ This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: readwrite-pvc-single-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - PersistentVolumeClaim
+ validate:
+ message: "The accessMode must be set to ReadWriteOncePod."
+ pattern:
+ spec:
+ accessModes:
+ - ReadWriteOncePod
+
+
\ No newline at end of file
From c8b329abcc83a60a3d88606887eb05e81b6d5734 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 31 Mar 2024 10:53:51 +0000
Subject: [PATCH 05/25] convert enforce-readwriteonce-pod to cel
Signed-off-by: Chandan-DK
---
 .../artifacthub-pkg.yml | 15 +++++++------
 .../enforce-readwriteonce-pod.yaml | 16 ++++++++--------
 2 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml b/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml
index ea2bed446..a9027462f 100644
--- a/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml
+++ b/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml
@@ -1,7 +1,6 @@
-name: enforce-readwriteonce-pod
+name: enforce-readwriteonce-pod-cel
version: 1.0.0
-displayName: Enforce readwriteoncepod
-createdAt: "2023-12-31T16:10:04.000Z"
+displayName: Enforce readwriteoncepod in CEL expressions
description: >-
Some stateful workloads with multiple replicas only allow a single Pod to write
to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default
@@ -11,11 +10,12 @@ description: >-
This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod.
install: |-
```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml
```
keywords:
- kyverno
- Sample
+ - CEL Expressions
readme: |
Some stateful workloads with multiple replicas only allow a single Pod to write
to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default
@@ -26,6 +26,9 @@ readme: |

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
- kyverno/category: "Sample"
+ kyverno/category: "Sample in CEL"
+ kyverno/kubernetesVersion: "1.27-1.28"
kyverno/subject: "PersistentVolumeClaims"
-digest: 2fb28419ac572f7a3d8ee50f6dd157b00b015638f6a9d06728783f35ffb6c7f0
+digest: de7662c3394731c2de9205ebdda2da9da69e8022b616ca6e4ea9dbfd8ad2b2a8
+createdAt: "2024-03-31T10:53:27Z"
+
diff --git a/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml b/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml
index ac6ee003f..5c5720e4d 100644
--- a/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml
+++ b/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml
@@ -3,9 +3,11 @@ kind: ClusterPolicy
metadata:
name: readwriteonce-pod
annotations:
- policies.kyverno.io/title: Enforce ReadWriteOncePod
- policies.kyverno.io/category: Sample
+ policies.kyverno.io/title: Enforce ReadWriteOncePod in CEL expressions
+ policies.kyverno.io/category: Sample in CEL
policies.kyverno.io/subject: PersistentVolumeClaim
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.27-1.28"
policies.kyverno.io/description: >-
Some stateful workloads with multiple replicas only allow a single Pod to write
to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default
@@ -24,10 +26,8 @@ spec:
kinds:
- PersistentVolumeClaim
validate:
- message: "The accessMode must be set to ReadWriteOncePod."
- pattern:
- spec:
- accessModes:
- - ReadWriteOncePod
+ cel:
+ expressions:
+ - expression: "'ReadWriteOncePod' in object.spec.accessModes"
+ message: "The accessMode must be set to ReadWriteOncePod."

-
\ No newline at end of file
From c743e243d74318afd398c614bc3eb73a4f035e33 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 31 Mar 2024 10:57:15 +0000
Subject: [PATCH 06/25] copy ensure-probes-different
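Review bot: `'ReadWriteOncePod' in object.spec.accessModes` accepts any list that contains that mode, whereas the replaced `pattern` reads as "the list is `[ReadWriteOncePod]`", so the CEL form states a weaker requirement than the policy title and message promise. In practice the gap is likely closed by the API server — as far as I recall PVC validation rejects ReadWriteOncePod combined with any other mode — but the policy now depends on that server-side check instead of saying what it means; `- expression: "object.spec.accessModes == ['ReadWriteOncePod']"` expresses the intent directly at no cost. `accessModes` is a required PVC field so admission needs no `has()` guard, though with `background: true` any object that somehow lacks it would surface as an evaluation error rather than the message above — hedged, worth a quick check. The rule's `match` block sits above this second hunk.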
Signed-off-by: Chandan-DK
---
 .../chainsaw-step-01-assert-1.yaml | 6 +
 .../.chainsaw-test/chainsaw-test.yaml | 37 ++++++
 .../.chainsaw-test/ns.yaml | 4 +
 .../.chainsaw-test/podcontrollers-bad.yaml | 115 ++++++++++++++++++
 .../.chainsaw-test/podcontrollers-good.yaml | 113 +++++++++++++++++
 .../.kyverno-test/kyverno-test.yaml | 21 ++++
 .../.kyverno-test/resource.yaml | 67 ++++++++++
 .../artifacthub-pkg.yml | 21 ++++
 .../ensure-probes-different.yaml | 36 ++++++
 9 files changed, 420 insertions(+)
 create mode 100755 other-cel/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 create mode 100755 other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 other-cel/ensure-probes-different/.chainsaw-test/ns.yaml
 create mode 100644 other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
 create mode 100644 other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
 create mode 100644 other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml
 create mode 100644 other-cel/ensure-probes-different/.kyverno-test/resource.yaml
 create mode 100644 other-cel/ensure-probes-different/artifacthub-pkg.yml
 create mode 100644 other-cel/ensure-probes-different/ensure-probes-different.yaml
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..1f660a84a
--- /dev/null
+++ b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-probes
+status:
+ ready: true
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..f40140320
--- /dev/null
+++ b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: ensure-probes-different
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ns.yaml
+ - apply:
+ file: ../ensure-probes-different.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: validate-probes
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: podcontrollers-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontrollers-bad.yaml
+ - name: step-99
+ try:
+ - script:
+ content: kubectl delete all --all --force --grace-period=0 -n ensure-probes-different-ns
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml b/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml
new file mode 100644
index 000000000..09dda4489
--- /dev/null
+++ b/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ensure-probes-different-ns
\ No newline at end of file
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
new file mode 100644
index 000000000..b050a0094
--- /dev/null
+++ b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
@@ -0,0 +1,115 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeployment01
+ namespace: ensure-probes-different-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+ livenessProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/healthy
+ periodSeconds: 10
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ - image: busybox:1.35
+ name: busybox02
+ command: ["sleep","300"]
+ livenessProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/healthy
+ periodSeconds: 10
+ readinessProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/healthy
+ periodSeconds: 10
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: badds01
+ namespace: ensure-probes-different-ns
+spec:
+ selector:
+ matchLabels:
+ name: busybox
+ template:
+ metadata:
+ labels:
+ name: busybox
+ spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
+ command: ["sleep","300"]
+ livenessProbe:
+ tcpSocket:
+ port: 8080
+ periodSeconds: 10
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ periodSeconds: 10
+ - image: busybox:1.35
+ name: busybox02
+ livenessProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/healthy
+ periodSeconds: 10
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: badss01
+ namespace: ensure-probes-different-ns
+spec:
+ selector:
+ matchLabels:
+ app: busybox
+ serviceName: "busybox"
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ terminationGracePeriodSeconds: 5
+ containers:
+ - image: busybox:1.35
+ name: busybox02
+ command: ["sleep","300"]
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ periodSeconds: 10
\ No newline at end of file
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
new file mode 100644
index 000000000..c3f04c511
--- /dev/null
+++ b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
@@ -0,0 +1,113 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 + namespace: ensure-probes-different-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + command: ["sleep","300"] + readinessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 + - image: busybox:1.35 + name: busybox02 + command: ["sleep","300"] + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 8080 + periodSeconds: 10 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: goodds01 + namespace: ensure-probes-different-ns +spec: + selector: + matchLabels: + name: busybox + template: + metadata: + labels: + name: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + command: ["sleep","300"] + readinessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 + - image: busybox:1.35 + name: busybox02 + command: ["sleep","300"] + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: goodss01 + namespace: ensure-probes-different-ns +spec: + selector: + matchLabels: + app: busybox + serviceName: "busybox" + replicas: 1 + template: + metadata: + labels: + app: busybox + spec: + terminationGracePeriodSeconds: 5 + containers: + - image: busybox:1.35 + name: busybox + livenessProbe: + tcpSocket: + port: 8080 + periodSeconds: 10 + - image: busybox:1.35 + name: busybox02 + command: ["sleep","300"] + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 8080 + periodSeconds: 10 \ No newline at end of file 
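Review bot: None of the good fixtures in this file (nor the bad ones in the sibling podcontrollers-bad.yaml) contain a container with neither `livenessProbe` nor `readinessProbe` set, yet that is the case the policy's own description singles out ("if both the probes are not set, they are considered to be equal and hence fails the check") and the one most likely to drift when the rule is rewritten. Adding one more Deployment whose only container declares no probes at all, placed in the good or bad file according to the intended semantics, would pin that behaviour in the chainsaw run. Separately, `goodss01`'s first container `busybox` has no `command` while every other container here pins `["sleep","300"]`; the object is admitted either way and chainsaw's `apply` does not wait on rollout, so this is a consistency nit rather than a failure.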
diff --git a/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml b/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..c6d04d095 --- /dev/null +++ b/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: validate-probes +policies: +- ../ensure-probes-different.yaml +resources: +- resource.yaml +results: +- kind: Deployment + policy: validate-probes + resources: + - mydeploy-2 + result: fail + rule: validate-probes +- kind: Deployment + policy: validate-probes + resources: + - mydeploy-1 + result: pass + rule: validate-probes diff --git a/other-cel/ensure-probes-different/.kyverno-test/resource.yaml b/other-cel/ensure-probes-different/.kyverno-test/resource.yaml new file mode 100644 index 000000000..6f524a756 --- /dev/null +++ b/other-cel/ensure-probes-different/.kyverno-test/resource.yaml 
@@ -0,0 +1,67 @@ +# "Liveness and readiness probes are not same." +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + name: mydeploy-1 +spec: + replicas: 1 + selector: + matchLabels: + app: goproxy + template: + metadata: + name: goproxy + labels: + app: goproxy + spec: + containers: + - name: goproxy + image: registry.k8s.io/goproxy:0.1 + ports: + - containerPort: 8080 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 20 + +--- +# "Liveness and readiness probes are same." +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + name: mydeploy-2 +spec: + replicas: 1 + selector: + matchLabels: + app: goproxy + template: + metadata: + name: goproxy + labels: + app: goproxy + spec: + containers: + - name: goproxy + image: registry.k8s.io/goproxy:0.1 + ports: + - containerPort: 8080 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + diff --git a/other-cel/ensure-probes-different/artifacthub-pkg.yml b/other-cel/ensure-probes-different/artifacthub-pkg.yml new file mode 100644 index 000000000..933c9aafb --- /dev/null +++ b/other-cel/ensure-probes-different/artifacthub-pkg.yml 
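Review bot: In both Deployments the `metadata` block reads `labels:` followed by `name: mydeploy-1` / `name: mydeploy-2`; indentation is not recoverable in this view, but if `name` is nested under `labels` rather than being `metadata.name`, the objects carry no name and the `resources: - mydeploy-1` / `- mydeploy-2` entries in kyverno-test.yaml have nothing to match against. If that is the case, each Deployment should read `metadata:` / `  name: mydeploy-1` / `  labels:` with `app: goproxy` beneath it (and likewise for mydeploy-2). The `name: goproxy` under `template.metadata` is harmless but unused, since the selector relies only on the `app: goproxy` label.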
@@ -0,0 +1,21 @@
+name: ensure-probes-different
+version: 1.0.0
+displayName: Validate Probes
+createdAt: "2023-04-10T20:30:04.000Z"
+description: >-
+ Liveness and readiness probes accomplish different goals, and setting both to the same is an anti-pattern and often results in app problems in the future. This policy checks that liveness and readiness probes are not equal.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/ensure-probes-different/ensure-probes-different.yaml
+ ```
+keywords:
+ - kyverno
+ - Sample
+readme: |
+ Liveness and readiness probes accomplish different goals, and setting both to the same is an anti-pattern and often results in app problems in the future. This policy checks that liveness and readiness probes are not equal.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Sample"
+ kyverno/subject: "Pod"
+digest: 66d9c3579b90c7f462e4f87f848527f3b2860c29b4572aa81dffaa01817814aa
diff --git a/other-cel/ensure-probes-different/ensure-probes-different.yaml b/other-cel/ensure-probes-different/ensure-probes-different.yaml
new file mode 100644
index 000000000..a1e31fce8
--- /dev/null
+++ b/other-cel/ensure-probes-different/ensure-probes-different.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-probes
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+ policies.kyverno.io/title: Validate Probes
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Liveness and readiness probes accomplish different goals, and setting both to the same
+ is an anti-pattern and often results in app problems in the future. This policy
+ checks that liveness and readiness probes are not equal. Keep in mind that if both the
+ probes are not set, they are considered to be equal and hence fails the check.
+spec:
+ validationFailureAction: audit
+ background: false
+ rules:
+ - name: validate-probes
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ - DaemonSet
+ - StatefulSet
+ validate:
+ message: "Liveness and readiness probes cannot be the same."
+ deny:
+ conditions:
+ any:
+ - key: "{{ request.object.spec.template.spec.containers[?readinessProbe==livenessProbe] | length(@) }}"
+ operator: GreaterThan
+ value: 0
\ No newline at end of file
From 3fb487b83890022de738d80511e523e393ab38b4 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 31 Mar 2024 11:12:29 +0000
Subject: [PATCH 07/25] convert ensure-probes-different to cel
Signed-off-by: Chandan-DK
---
 .../artifacthub-pkg.yml | 15 +++++++----- .../ensure-probes-different.yaml | 24 ++++++++++--------- 2 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/other-cel/ensure-probes-different/artifacthub-pkg.yml b/other-cel/ensure-probes-different/artifacthub-pkg.yml
index 933c9aafb..f90d1059f 100644
--- a/other-cel/ensure-probes-different/artifacthub-pkg.yml
+++ b/other-cel/ensure-probes-different/artifacthub-pkg.yml
@@ -1,21 +1,24 @@ -name: ensure-probes-different +name: ensure-probes-different-cel version: 1.0.0 -displayName: Validate Probes -createdAt: "2023-04-10T20:30:04.000Z" +displayName: Validate Probes in CEL expressions description: >- Liveness and readiness probes accomplish different goals, and setting both to the same is an anti-pattern and often results in app problems in the future. This policy checks that liveness and readiness probes are not equal. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/ensure-probes-different/ensure-probes-different.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/ensure-probes-different/ensure-probes-different.yaml ``` keywords: - kyverno - Sample + - CEL Expressions readme: | Liveness and readiness probes accomplish different goals, and setting both to the same is an anti-pattern and often results in app problems in the future. This policy checks that liveness and readiness probes are not equal. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Sample" + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 66d9c3579b90c7f462e4f87f848527f3b2860c29b4572aa81dffaa01817814aa +digest: cbafa29e49ec48f7378157f69fa77a53c07fb40dc4c542738a8f31331689f5be +createdAt: "2024-03-31T11:12:02Z" + diff --git a/other-cel/ensure-probes-different/ensure-probes-different.yaml b/other-cel/ensure-probes-different/ensure-probes-different.yaml index a1e31fce8..241ac246d 100644 --- a/other-cel/ensure-probes-different/ensure-probes-different.yaml +++ b/other-cel/ensure-probes-different/ensure-probes-different.yaml 
@@ -4,10 +4,11 @@ metadata: name: validate-probes annotations: pod-policies.kyverno.io/autogen-controllers: none - policies.kyverno.io/title: Validate Probes - policies.kyverno.io/category: Sample + policies.kyverno.io/title: Validate Probes in CEL expressions + policies.kyverno.io/category: Sample in CEL policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Liveness and readiness probes accomplish different goals, and setting both to the same @@ -15,7 +16,7 @@ metadata: checks that liveness and readiness probes are not equal. Keep in mind that if both the probes are not set, they are considered to be equal and hence fails the check. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: - name: validate-probes @@ -27,10 +28,11 @@ spec: - DaemonSet - StatefulSet validate: - message: "Liveness and readiness probes cannot be the same." - deny: - conditions: - any: - - key: "{{ request.object.spec.template.spec.containers[?readinessProbe==livenessProbe] | length(@) }}" - operator: GreaterThan - value: 0 \ No newline at end of file + cel: + expressions: + - expression: >- + !object.spec.template.spec.containers.exists(container, + has(container.readinessProbe) && has(container.livenessProbe) && + container.readinessProbe == container.livenessProbe) + message: "Liveness and readiness probes cannot be the same." + From 7df7c8f42c2695e7990207bbf78bf0b02792f1be Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Mon, 1 Apr 2024 15:31:16 +0000 Subject: [PATCH 08/25] copy forbid-cpu-limits 
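Review bot: The new CEL expression in the third hunk only flags a container when `has(container.readinessProbe) && has(container.livenessProbe)` both hold, so a container with no probes at all now passes, while the description annotation kept as context in the second hunk still says that two unset probes "are considered to be equal and hence fails the check" — which is what the JMESPath `[?readinessProbe==livenessProbe]` being removed did on null == null. Either update the description to say that probe-less containers are no longer flagged, or, if parity with the old rule is intended, treat both-absent as equal, e.g. `!object.spec.template.spec.containers.exists(c, (!has(c.readinessProbe) && !has(c.livenessProbe)) || (has(c.readinessProbe) && has(c.livenessProbe) && c.readinessProbe == c.livenessProbe))`. Whichever is chosen, a test resource whose container declares no probes would pin it; neither the CLI resource.yaml nor the chainsaw fixtures exercise that case. The rule's `match` block (Deployment/DaemonSet/StatefulSet) sits between the second and third hunks, outside both.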
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../.chainsaw-test/chainsaw-test.yaml | 38 +++++++ .../.chainsaw-test/podcontrollers-bad.yaml | 99 +++++++++++++++++++ .../.chainsaw-test/podcontrollers-good.yaml | 83 ++++++++++++++++ .../.chainsaw-test/pods-bad.yaml | 28 ++++++ .../.chainsaw-test/pods-good.yaml | 20 ++++ .../.kyverno-test/kyverno-test.yaml | 23 +++++ .../.kyverno-test/resource.yaml | 49 +++++++++ .../forbid-cpu-limits/artifacthub-pkg.yml | 22 +++++ .../forbid-cpu-limits/forbid-cpu-limits.yaml | 33 +++++++ 10 files changed, 401 insertions(+) create mode 100755 other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml create mode 100644 other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml create mode 100644 other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml create mode 100644 other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml create mode 100644 other-cel/forbid-cpu-limits/artifacthub-pkg.yml create mode 100644 other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..b96d2cb6d --- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: forbid-cpu-limits +status: + ready: true diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..7f6d2df88 
--- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: forbid-cpu-limits +spec: + steps: + - name: step-01 + try: + - apply: + file: ../forbid-cpu-limits.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: forbid-cpu-limits + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pods-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pods-bad.yaml + - apply: + file: podcontrollers-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontrollers-bad.yaml diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml new file mode 100644 index 000000000..1dad16455 --- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml 
@@ -0,0 +1,99 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + resources: + limits: + cpu: 10m +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m + - name: webserver2 + image: busybox:1.35 + resources: + limits: + cpu: 10m +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + resources: + limits: + cpu: 10m + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m + - name: webserver2 + image: busybox:1.35 + resources: + limits: + cpu: 10m + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml new file mode 100644 index 000000000..86af67ba5 --- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml 
@@ -0,0 +1,83 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + resources: + requests: + cpu: 10m +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + resources: + requests: + cpu: 10m + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..84a73e9da --- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad01 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + limits: + cpu: 10m +--- +apiVersion: v1 +kind: Pod +metadata: + name: bad02 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m + - name: webserver2 + image: busybox:1.35 + resources: + limits: + cpu: 10m \ No newline at end of file 
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..b0aba2e9b --- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good01 +spec: + containers: + - name: webserver1 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: good02 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m \ No newline at end of file diff --git a/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml b/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..4b56ba491 --- /dev/null +++ b/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: forbid-cpu-limits +policies: +- ../forbid-cpu-limits.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: forbid-cpu-limits + resources: + - bad01 + - bad02 + result: fail + rule: check-cpu-limits +- kind: Pod + policy: forbid-cpu-limits + resources: + - good01 + - good02 + result: pass + rule: check-cpu-limits diff --git a/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml b/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml new file mode 100644 index 000000000..bb358f2d0 --- /dev/null +++ b/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml 
@@ -0,0 +1,49 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad01 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + limits: + cpu: 10m +--- +apiVersion: v1 +kind: Pod +metadata: + name: bad02 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m + - name: webserver2 + image: busybox:1.35 + resources: + limits: + cpu: 10m +--- +apiVersion: v1 +kind: Pod +metadata: + name: good01 +spec: + containers: + - name: webserver1 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: good02 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m diff --git a/other-cel/forbid-cpu-limits/artifacthub-pkg.yml b/other-cel/forbid-cpu-limits/artifacthub-pkg.yml new file mode 100644 index 000000000..53a8bb920 --- /dev/null +++ b/other-cel/forbid-cpu-limits/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@
+name: forbid-cpu-limits
+version: 1.0.0
+displayName: Forbid CPU Limits
+createdAt: "2023-07-27T20:20:04.000Z"
+description: >-
+ Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/forbid-cpu-limits/forbid-cpu-limits.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.26"
+ kyverno/subject: "Pod"
+digest: d83f7beccf5eacc5a32cfb36225689b76007755b2f4d04876db11f75459baa62
diff --git a/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml b/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml
new file mode 100644
index 000000000..43fdcf636
--- /dev/null
+++ b/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: forbid-cpu-limits
+ annotations:
+ policies.kyverno.io/title: Forbid CPU Limits
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.10.0
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving
+ applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not
+ set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits.
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: check-cpu-limits
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: Containers may not define CPU limits.
+ pattern:
+ spec:
+ containers:
+ - (name): "*"
+ =(resources):
+ =(limits):
+ X(cpu): null
From c0a44b67d1bf6dc011de98f2310ac95a503fff71 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Mon, 1 Apr 2024 15:36:34 +0000
Subject: [PATCH 09/25] convert forbid-cpu-limits to cel
Signed-off-by: Chandan-DK
---
 .../forbid-cpu-limits/artifacthub-pkg.yml | 16 ++++++------ .../forbid-cpu-limits/forbid-cpu-limits.yaml | 25 +++++++++---------- 2 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/other-cel/forbid-cpu-limits/artifacthub-pkg.yml b/other-cel/forbid-cpu-limits/artifacthub-pkg.yml
index 53a8bb920..3e86cb948 100644
--- a/other-cel/forbid-cpu-limits/artifacthub-pkg.yml
+++ b/other-cel/forbid-cpu-limits/artifacthub-pkg.yml
@@ -1,22 +1,24 @@ -name: forbid-cpu-limits +name: forbid-cpu-limits-cel version: 1.0.0 -displayName: Forbid CPU Limits -createdAt: "2023-07-27T20:20:04.000Z" +displayName: Forbid CPU Limits in CEL expressions description: >- Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/forbid-cpu-limits/forbid-cpu-limits.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.26" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: d83f7beccf5eacc5a32cfb36225689b76007755b2f4d04876db11f75459baa62 +digest: 2865e5f92968f90e090aff597937ab7db3e3e5939c32cb84c84f881970dedae6 +createdAt: "2024-04-01T15:35:47Z" + diff --git a/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml b/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml index 43fdcf636..b94b55756 100644 --- a/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml +++ b/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml 
@@ -3,18 +3,18 @@ kind: ClusterPolicy metadata: name: forbid-cpu-limits annotations: - policies.kyverno.io/title: Forbid CPU Limits - policies.kyverno.io/category: Other + policies.kyverno.io/title: Forbid CPU Limits in CEL expressions + policies.kyverno.io/category: Other in CEL policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.10.0 - kyverno.io/kubernetes-version: "1.26" + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits. spec: background: true - validationFailureAction: Enforce + validationFailureAction: Audit rules: - name: check-cpu-limits match: @@ -23,11 +23,10 @@ spec: kinds: - Pod validate: - message: Containers may not define CPU limits. - pattern: - spec: - containers: - - (name): "*" - =(resources): - =(limits): - X(cpu): null + cel: + expressions: + - expression: >- + !object.spec.containers.exists(container, + has(container.resources) && has(container.resources.limits) && has(container.resources.limits.cpu)) + message: Containers may not define CPU limits. + From bcd7bf3fdb260dce79ab4f888c4fd61b050075a3 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Mon, 1 Apr 2024 15:38:57 +0000 Subject: [PATCH 10/25] copy limit-containers-per-pod 
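Review bot: The first hunk changes `validationFailureAction` from `Enforce` to `Audit`, which is a behaviour change beyond the CEL conversion the commit message describes: the policy copied in the preceding commit blocked Pods with CPU limits, the converted one only reports them, and the chainsaw test re-patches `Enforce` so that suite will not notice the weaker default. If Audit is the intended baseline for the CEL catalogue, say so in the commit message or the description; otherwise keep `validationFailureAction: Enforce`. The expression in the second hunk walks only `object.spec.containers`, as the old `pattern` did, so a CPU limit on an `initContainers` entry is still admitted — worth a sentence in the description, or an added `&& (!has(object.spec.initContainers) || !object.spec.initContainers.exists(c, has(c.resources) && has(c.resources.limits) && has(c.resources.limits.cpu)))` clause if init containers are meant to be covered. The rule's `match` block lies between the two hunks, outside both.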
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../.chainsaw-test/chainsaw-test.yaml | 38 ++++++++++ .../.chainsaw-test/pod-bad.yaml | 16 ++++ .../.chainsaw-test/pod-good.yaml | 25 +++++++ .../.chainsaw-test/podcontroller-bad.yaml | 51 +++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 47 ++++++++++++ .../.kyverno-test/kyverno-test.yaml | 33 ++++++++ .../.kyverno-test/resource.yaml | 75 +++++++++++++++++++ .../artifacthub-pkg.yml | 21 ++++++ .../limit-containers-per-pod.yaml | 40 ++++++++++ 10 files changed, 352 insertions(+) create mode 100755 other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml create mode 100644 other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml create mode 100644 other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml create mode 100644 other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml create mode 100644 other-cel/limit-containers-per-pod/artifacthub-pkg.yml create mode 100644 other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..33f4a1654 --- /dev/null +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: limit-containers-per-pod +status: + ready: true 
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..3578a47c1 --- /dev/null +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: limit-containers-per-pod +spec: + steps: + - name: step-01 + try: + - apply: + file: ../limit-containers-per-pod.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: limit-containers-per-pod + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..fe98f797b --- /dev/null +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: pod01 + image: busybox:1.35 + - name: pod02 + image: busybox:1.35 + - name: pod03 + image: busybox:1.35 + - name: pod04 + image: busybox:1.35 + - name: pod05 + image: busybox:1.35 \ No newline at end of file diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..6e09c3e46 --- /dev/null +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: pod01 + image: busybox:1.35 + - name: pod02 + image: busybox:1.35 + - name: pod03 + image: busybox:1.35 + - name: pod04 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: pod01 + image: busybox:1.35 + - name: pod02 + image: busybox:1.35 \ No newline at end of file diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..114495014 --- /dev/null +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml @@ -0,0 +1,51 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:1.35 + - name: bb03 + image: busybox:1.35 + - name: bb04 + image: busybox:1.35 + - name: bb05 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:1.35 + - name: bb03 + image: busybox:1.35 + - name: bb04 + image: busybox:1.35 + - name: bb05 + image: busybox:1.35 + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..44639a82d --- /dev/null +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: bb01
+ image: busybox:1.35
+ - name: bb02
+ image: busybox:1.35
+ - name: bb03
+ image: busybox:1.35
+ - name: bb04
+ image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: bb01
+ image: busybox:1.35
+ - name: bb02
+ image: busybox:1.35
+ - name: bb03
+ image: busybox:1.35
+ - name: bb04
+ image: busybox:1.35
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml b/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..2e2681721
--- /dev/null
+++ b/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,33 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: limit-containers-per-pod
+policies:
+- ../limit-containers-per-pod.yaml
+resources:
+- resource.yaml
+results:
+- kind: CronJob
+ policy: limit-containers-per-pod
+ resources:
+ - mycronjob
+ result: fail
+ rule: autogen-cronjob-limit-containers-per-pod
+- kind: Deployment
+ policy: limit-containers-per-pod
+ resources:
+ - mydeploy
+ result: pass
+ rule: autogen-limit-containers-per-pod
+- kind: Pod
+ policy: limit-containers-per-pod
+ resources:
+ - myapp-pod-2
+ result: fail
+ rule: limit-containers-per-pod
+- kind: Pod
+ policy: limit-containers-per-pod
+ resources:
+ - myapp-pod-1
+ result: pass
+ rule: limit-containers-per-pod
diff --git a/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml b/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..e69fb5b5f
--- /dev/null
+++ b/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml
@@ -0,0 +1,75 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod-1
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod-2
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx1
+ image: nginx:latest
+ - name: nginx2
+ image: nginx:latest
+ - name: nginx3
+ image: nginx:latest
+ - name: nginx4
+ image: nginx:latest
+ - name: nginx5
+ image: nginx:latest
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mydeploy
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: myapp
+ template:
+ metadata:
+ labels:
+ app: myapp
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 80
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: mycronjob
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hello1
+ image: busybox
+ - name: hello2
+ image: busybox
+ - name: hello3
+ image: busybox
+ - name: hello4
+ image: busybox
+ - name: hello5
+ image: busybox
+ restartPolicy: OnFailure
diff --git a/other-cel/limit-containers-per-pod/artifacthub-pkg.yml b/other-cel/limit-containers-per-pod/artifacthub-pkg.yml
new file mode 100644
index 000000000..52beb9890
--- /dev/null
+++ b/other-cel/limit-containers-per-pod/artifacthub-pkg.yml
@@ -0,0 +1,21 @@
+name: limit-containers-per-pod
+version: 1.0.0
+displayName: Limit Containers per Pod
+createdAt: "2023-04-10T20:30:04.000Z"
+description: >-
+ Pods can have many different containers which are tightly coupled. It may be desirable to limit the amount of containers that can be in a single Pod to control best practice application or so policy can be applied consistently. This policy checks all Pods to ensure they have no more than four containers.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/limit-containers-per-pod/limit-containers-per-pod.yaml
+ ```
+keywords:
+ - kyverno
+ - Sample
+readme: |
+ Pods can have many different containers which are tightly coupled. It may be desirable to limit the amount of containers that can be in a single Pod to control best practice application or so policy can be applied consistently. This policy checks all Pods to ensure they have no more than four containers.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Sample"
+ kyverno/subject: "Pod"
+digest: 375b0ea0b5a26365b69af559cbbda54c352e8a13c838fdbbdcb9d3f01b4941e9
diff --git a/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml b/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml
new file mode 100644
index 000000000..c5fc9bd72
--- /dev/null
+++ b/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml
@@ -0,0 +1,40 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: limit-containers-per-pod
+ annotations:
+ policies.kyverno.io/title: Limit Containers per Pod
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Pods can have many different containers which
+ are tightly coupled. It may be desirable to limit the amount of containers that
+ can be in a single Pod to control best practice application or so policy can
+ be applied consistently. This policy checks all Pods to ensure they have
+ no more than four containers.
+spec:
+ validationFailureAction: audit
+ background: false
+ rules:
+ - name: limit-containers-per-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.operation || 'BACKGROUND'}}"
+ operator: AnyIn
+ value:
+ - CREATE
+ - UPDATE
+ validate:
+ message: "Pods can only have a maximum of 4 containers."
+ deny:
+ conditions:
+ any:
+ - key: "{{request.object.spec.containers[] | length(@)}}"
+ operator: GreaterThan
+ value: "4"
\ No newline at end of file
From e3b216eddf5fcb046b4b878c5cdae01db11a0d05 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Mon, 1 Apr 2024 15:52:09 +0000
Subject: [PATCH 11/25] convert limit-containers-per-pod to cel
Signed-off-by: Chandan-DK
---
.../artifacthub-pkg.yml | 15 ++++++----
.../limit-containers-per-pod.yaml | 28 +++++++------------
2 files changed, 19 insertions(+), 24 deletions(-)
diff --git a/other-cel/limit-containers-per-pod/artifacthub-pkg.yml b/other-cel/limit-containers-per-pod/artifacthub-pkg.yml
index 52beb9890..92aa34409 100644
--- a/other-cel/limit-containers-per-pod/artifacthub-pkg.yml
+++ b/other-cel/limit-containers-per-pod/artifacthub-pkg.yml
@@ -1,21 +1,24 @@ -name: limit-containers-per-pod +name: limit-containers-per-pod-cel version: 1.0.0 -displayName: Limit Containers per Pod -createdAt: "2023-04-10T20:30:04.000Z" +displayName: Limit Containers per Pod in CEL expressions description: >- Pods can have many different containers which are tightly coupled. It may be desirable to limit the amount of containers that can be in a single Pod to control best practice application or so policy can be applied consistently. This policy checks all Pods to ensure they have no more than four containers. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/limit-containers-per-pod/limit-containers-per-pod.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml ``` keywords: - kyverno - Sample + - CEL Expressions readme: | Pods can have many different containers which are tightly coupled. It may be desirable to limit the amount of containers that can be in a single Pod to control best practice application or so policy can be applied consistently. This policy checks all Pods to ensure they have no more than four containers. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Sample" + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 375b0ea0b5a26365b69af559cbbda54c352e8a13c838fdbbdcb9d3f01b4941e9 +digest: 7916672ede794217fb00144785594818cbb66f409c1d2f0d513cfeb944e92ed1 +createdAt: "2024-04-01T15:48:55Z" + diff --git a/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml b/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml index c5fc9bd72..022377acc 100644 --- a/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml +++ b/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml 
@@ -3,9 +3,10 @@ kind: ClusterPolicy metadata: name: limit-containers-per-pod annotations: - policies.kyverno.io/title: Limit Containers per Pod - policies.kyverno.io/category: Sample - policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/title: Limit Containers per Pod in CEL expressions + policies.kyverno.io/category: Sample in CEL + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Pods can have many different containers which @@ -14,7 +15,7 @@ metadata: be applied consistently. This policy checks all Pods to ensure they have no more than four containers. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: - name: limit-containers-per-pod @@ -23,18 +24,9 @@ spec: - resources: kinds: - Pod - preconditions: - all: - - key: "{{request.operation || 'BACKGROUND'}}" - operator: AnyIn - value: - - CREATE - - UPDATE validate: - message: "Pods can only have a maximum of 4 containers." - deny: - conditions: - any: - - key: "{{request.object.spec.containers[] | length(@)}}" - operator: GreaterThan - value: "4" \ No newline at end of file + cel: + expressions: + - expression: "size(object.spec.containers) <= 4" + message: "Pods can only have a maximum of 4 containers." + From 6e3ea376349ed4830ea1e26e262f800f84681d94 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 2 Apr 2024 18:26:30 +0000 Subject: [PATCH 12/25] copy pdb-maxunavailable 
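Review bot: The CEL rewrite in the third hunk drops the `preconditions` that limited the JMESPath version to CREATE and UPDATE without scoping the match block, so unless Kyverno already skips validate rules for other admission operations (which the hunk does not show) the rule now applies more broadly than before; if the original scope was intended, add `operations:` with `- CREATE` and `- UPDATE` under the `resources` entry of the match block. `size(object.spec.containers) <= 4` also counts only `spec.containers`, so `initContainers` and `ephemeralContainers` never contribute to the limit — the same as the JMESPath query it replaces, but since the description says "no more than four containers" it is worth stating the scope there, e.g. `Init and ephemeral containers are not counted.`, so users applying this as a resource-control cap know what it covers. The rule's `match` block is only partially visible in this hunk.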
Signed-off-by: Chandan-DK
---
.../chainsaw-step-01-assert-1.yaml | 6 +++
.../.chainsaw-test/chainsaw-test.yaml | 31 ++++++++++++++
.../.chainsaw-test/pdb-bad.yaml | 6 +++
.../.chainsaw-test/pdb-good.yaml | 13 ++++++
.../.kyverno-test/kyverno-test.yaml | 23 ++++++++++
.../.kyverno-test/resource.yaml | 42 +++++++++++++++++++
.../pdb-maxunavailable/artifacthub-pkg.yml | 22 ++++++++++
.../pdb-maxunavailable.yaml | 30 +++++++++++++
8 files changed, 173 insertions(+)
create mode 100755 other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
create mode 100755 other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml
create mode 100644 other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml
create mode 100644 other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml
create mode 100644 other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml
create mode 100644 other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml
create mode 100644 other-cel/pdb-maxunavailable/artifacthub-pkg.yml
create mode 100644 other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml
diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..5cdc2b1cc
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: pdb-maxunavailable
+status:
+ ready: true
diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..506f80b2e
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,31 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: pdb-maxunavailable
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../pdb-maxunavailable.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: pdb-maxunavailable
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pdb-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pdb-bad.yaml
diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml
new file mode 100644
index 000000000..3856659ef
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml
@@ -0,0 +1,6 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: badpdb01
+spec:
+ maxUnavailable: 0
\ No newline at end of file
diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml
new file mode 100644
index 000000000..44d7a816c
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml
@@ -0,0 +1,13 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: goodpdb01
+spec:
+ minAvailable: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: goodpdb02
+spec:
+ maxUnavailable: 1
\ No newline at end of file
diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..de54dcca9
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: pdb-maxunavailable
+policies:
+- ../pdb-maxunavailable.yaml
+resources:
+- resource.yaml
+results:
+- kind: PodDisruptionBudget
+ policy: pdb-maxunavailable
+ resources:
+ - kube-system/bad-pdb-zero
+ - kube-system/bad-pdb-negative-one
+ result: fail
+ rule: pdb-maxunavailable
+- kind: PodDisruptionBudget
+ policy: pdb-maxunavailable
+ resources:
+ - kube-system/good-pdb
+ - kube-system/good-pdb-none
+ result: pass
+ rule: pdb-maxunavailable
diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..8b4f7cbf0
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml
@@ -0,0 +1,42 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: good-pdb
+ namespace: kube-system
+spec:
+ maxUnavailable: 2
+ selector:
+ matchLabels:
+ app: good
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: good-pdb-none
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ app: good
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: bad-pdb-zero
+ namespace: kube-system
+spec:
+ maxUnavailable: 0
+ selector:
+ matchLabels:
+ app: bad
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: bad-pdb-negative-one
+ namespace: kube-system
+spec:
+ maxUnavailable: -1
+ selector:
+ matchLabels:
+ app: bad
diff --git a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml
new file mode 100644
index 000000000..6c0ffacd2
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: pdb-maxunavailable
+version: 1.0.0
+displayName: PodDisruptionBudget maxUnavailable Non-Zero
+createdAt: "2023-04-10T20:30:05.000Z"
+description: >-
+ A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/pdb-maxunavailable/pdb-maxunavailable.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.24"
+ kyverno/subject: "PodDisruptionBudget"
+digest: d7acf0213b5530e922ca29674342a359b09e0b34afded7c321363e4c6f45a84c
diff --git a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml
new file mode 100644
index 000000000..b26a8c354
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: pdb-maxunavailable
+ annotations:
+ policies.kyverno.io/title: PodDisruptionBudget maxUnavailable Non-Zero
+ policies.kyverno.io/category: Other
+ kyverno.io/kyverno-version: 1.9.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/subject: PodDisruptionBudget
+ policies.kyverno.io/description: >-
+ A PodDisruptionBudget which sets its maxUnavailable value to zero prevents
+ all voluntary evictions including Node drains which may impact maintenance tasks.
+ This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field
+ it must be greater than zero.
+spec:
+ validationFailureAction: audit
+ background: false
+ rules:
+ - name: pdb-maxunavailable
+ match:
+ any:
+ - resources:
+ kinds:
+ - PodDisruptionBudget
+ validate:
+ message: "The value of maxUnavailable must be greater than zero."
+ pattern:
+ spec:
+ =(maxUnavailable): ">0"
\ No newline at end of file
From bbc2c3361c370fc13d768f0e8048101c97ffd69f Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Tue, 2 Apr 2024 18:29:36 +0000
Subject: [PATCH 13/25] convert pdb-maxunavailable to cel
Signed-off-by: Chandan-DK
---
.../pdb-maxunavailable/artifacthub-pkg.yml | 15 ++++++++-------
.../pdb-maxunavailable.yaml | 19 ++++++++++---------
2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml
index 6c0ffacd2..f24bd3332 100644
--- a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml
+++ b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml
@@ -1,22 +1,23 @@ -name: pdb-maxunavailable +name: pdb-maxunavailable-cel version: 1.0.0 -displayName: PodDisruptionBudget maxUnavailable Non-Zero -createdAt: "2023-04-10T20:30:05.000Z" +displayName: PodDisruptionBudget maxUnavailable Non-Zero in CEL expressions description: >- A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/pdb-maxunavailable/pdb-maxunavailable.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.24" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "PodDisruptionBudget" -digest: d7acf0213b5530e922ca29674342a359b09e0b34afded7c321363e4c6f45a84c +digest: 7dff4f3801bce1ca8835c5ebcadaa78e1fa41480a19958eb78aee5bbfcd6b8bf +createdAt: "2024-04-02T18:28:57Z" diff --git a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml index b26a8c354..4c2da59ae 100644 --- a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml +++ b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml 
@@ -3,10 +3,10 @@ kind: ClusterPolicy metadata: name: pdb-maxunavailable annotations: - policies.kyverno.io/title: PodDisruptionBudget maxUnavailable Non-Zero - policies.kyverno.io/category: Other - kyverno.io/kyverno-version: 1.9.0 - kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/title: PodDisruptionBudget maxUnavailable Non-Zero in CEL expressions + policies.kyverno.io/category: Other in CEL + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: PodDisruptionBudget policies.kyverno.io/description: >- A PodDisruptionBudget which sets its maxUnavailable value to zero prevents @@ -14,7 +14,7 @@ metadata: This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: - name: pdb-maxunavailable @@ -24,7 +24,8 @@ spec: kinds: - PodDisruptionBudget validate: - message: "The value of maxUnavailable must be greater than zero." - pattern: - spec: - =(maxUnavailable): ">0" \ No newline at end of file + cel: + expressions: + - expression: "!has(object.spec.maxUnavailable) || int(object.spec.maxUnavailable) > 0" + message: "The value of maxUnavailable must be greater than zero." + From 84630b5dfe0e7884fe386e22009eb5c1e81d657c Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 3 Apr 2024 16:52:08 +0000 Subject: [PATCH 14/25] keep pdb-maxunavailable in a separate PR 
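Review bot: `int(object.spec.maxUnavailable)` in the expression added at the end of the last hunk does not handle the percentage form of this field: `maxUnavailable` is an IntOrString, so a value such as `"25%"` makes the `int()` conversion fail and the rule error out (in Enforce mode that rejects a valid PodDisruptionBudget), while `"0%"` is never recognised as zero even though it has the same eviction-blocking effect the policy is meant to prevent. A type-aware check covers both forms, e.g. `!has(object.spec.maxUnavailable) || (type(object.spec.maxUnavailable) == string ? int(object.spec.maxUnavailable.replace('%', '')) > 0 : object.spec.maxUnavailable > 0)`, assuming the CEL strings extension is available in the Kyverno version targeted here; the `.kyverno-test/resource.yaml` fixtures should then gain a `"0%"` (fail) and a `"25%"` (pass) case, since all current cases are integers. PATCH 14 on this page deletes the file again, so this applies to the separate PR it refers to.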
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 --- .../.chainsaw-test/chainsaw-test.yaml | 31 -------------- .../.chainsaw-test/pdb-bad.yaml | 6 --- .../.chainsaw-test/pdb-good.yaml | 13 ------ .../.kyverno-test/kyverno-test.yaml | 23 ---------- .../.kyverno-test/resource.yaml | 42 ------------------- .../pdb-maxunavailable/artifacthub-pkg.yml | 23 ---------- .../pdb-maxunavailable.yaml | 31 -------------- 8 files changed, 175 deletions(-) delete mode 100755 other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml delete mode 100755 other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml delete mode 100644 other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml delete mode 100644 other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml delete mode 100644 other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml delete mode 100644 other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml delete mode 100644 other-cel/pdb-maxunavailable/artifacthub-pkg.yml delete mode 100644 other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100755 index 5cdc2b1cc..000000000 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: pdb-maxunavailable -status: - ready: true diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 506f80b2e..000000000 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: pdb-maxunavailable -spec: - steps: - - name: step-01 - try: - - apply: - file: ../pdb-maxunavailable.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: pdb-maxunavailable - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: step-02 - try: - - apply: - file: pdb-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pdb-bad.yaml diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml deleted file mode 100644 index 3856659ef..000000000 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: badpdb01 -spec: - maxUnavailable: 0 \ No newline at end of file diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml deleted file mode 100644 index 44d7a816c..000000000 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: goodpdb01 -spec: - minAvailable: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: goodpdb02 -spec: - maxUnavailable: 1 \ No newline at end of file diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index de54dcca9..000000000 --- a/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: pdb-maxunavailable -policies: -- ../pdb-maxunavailable.yaml -resources: -- resource.yaml -results: -- kind: PodDisruptionBudget - policy: pdb-maxunavailable - resources: - - kube-system/bad-pdb-zero - - kube-system/bad-pdb-negative-one - result: fail - rule: pdb-maxunavailable -- kind: PodDisruptionBudget - policy: pdb-maxunavailable - resources: - - kube-system/good-pdb - - kube-system/good-pdb-none - result: pass - rule: pdb-maxunavailable diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml deleted file mode 100644 index 8b4f7cbf0..000000000 --- a/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-pdb - namespace: kube-system -spec: - maxUnavailable: 2 - selector: - matchLabels: - app: good ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-pdb-none - namespace: kube-system -spec: - selector: - matchLabels: - app: good ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-pdb-zero - namespace: kube-system -spec: - maxUnavailable: 0 - selector: - matchLabels: - app: bad ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-pdb-negative-one - namespace: kube-system -spec: - maxUnavailable: -1 - selector: - matchLabels: - app: bad diff --git a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml deleted file mode 100644 index f24bd3332..000000000 --- a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: pdb-maxunavailable-cel -version: 1.0.0 -displayName: PodDisruptionBudget maxUnavailable Non-Zero in CEL expressions -description: >- - A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "PodDisruptionBudget" -digest: 7dff4f3801bce1ca8835c5ebcadaa78e1fa41480a19958eb78aee5bbfcd6b8bf -createdAt: "2024-04-02T18:28:57Z" diff --git a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml deleted file mode 100644 index 4c2da59ae..000000000 --- a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: pdb-maxunavailable - annotations: - policies.kyverno.io/title: PodDisruptionBudget maxUnavailable Non-Zero in CEL expressions - policies.kyverno.io/category: Other in CEL - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: PodDisruptionBudget - policies.kyverno.io/description: >- - A PodDisruptionBudget which sets its maxUnavailable value to zero prevents - all voluntary evictions including Node drains which may impact maintenance tasks. - This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field - it must be greater than zero. -spec: - validationFailureAction: Audit - background: false - rules: - - name: pdb-maxunavailable - match: - any: - - resources: - kinds: - - PodDisruptionBudget - validate: - cel: - expressions: - - expression: "!has(object.spec.maxUnavailable) || int(object.spec.maxUnavailable) > 0" - message: "The value of maxUnavailable must be greater than zero." - From 18235cd2bab64f3f210c07c45284466e72354e3e Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 3 Apr 2024 16:56:00 +0000 Subject: [PATCH 15/25] copy imagepullpolicy-always 
Signed-off-by: Chandan-DK
---
.../chainsaw-step-01-assert-1.yaml | 6 ++
.../.chainsaw-test/chainsaw-test.yaml | 38 +++++++++++
.../.chainsaw-test/pod-bad.yaml | 44 +++++++++++++
.../.chainsaw-test/pod-good.yaml | 61 +++++++++++++++++
.../.chainsaw-test/podcontroller-bad.yaml | 47 +++++++++++++
.../.chainsaw-test/podcontroller-good.yaml | 43 ++++++++++++
.../.kyverno-test/kyverno-test.yaml | 33 ++++++++++
.../.kyverno-test/resource.yaml | 66 +++++++++++++++++++
.../artifacthub-pkg.yml | 21 ++++++
.../imagepullpolicy-always.yaml | 33 ++++++++++
10 files changed, 392 insertions(+)
create mode 100755 other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml
create mode 100755 other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml
create mode 100644 other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
create mode 100644 other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml
create mode 100644 other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml
create mode 100644 other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml
create mode 100644 other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml
create mode 100644 other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml
create mode 100644 other-cel/imagepullpolicy-always/artifacthub-pkg.yml
create mode 100644 other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..adbe3c664
--- /dev/null
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: imagepullpolicy-always
+status:
+ ready: true
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..57afc7d19
--- /dev/null
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: imagepullpolicy-always
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../imagepullpolicy-always.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: imagepullpolicy-always
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
new file mode 100644
index 000000000..eb6883232
--- /dev/null
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
@@ -0,0 +1,44 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: pod01 + image: busybox:latest + imagePullPolicy: Never +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: pod01 + image: busybox + imagePullPolicy: IfNotPresent +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: pod01 + image: busybox:latest + imagePullPolicy: Always + - name: pod02 + image: busybox:latest + imagePullPolicy: IfNotPresent +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: pod01 + image: busybox:latest + imagePullPolicy: Never + - name: pod02 + image: busybox:1.35 \ No newline at end of file diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..65f5d474f --- /dev/null +++ b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml 
@@ -0,0 +1,61 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: pod01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: pod01 + image: busybox # by default, imagePullPolicy: Always +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: pod01 + image: busybox:latest # by default, imagePullPolicy: Always +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: pod01 + image: busybox:latest + imagePullPolicy: Always +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: pod01 + image: busybox:latest + imagePullPolicy: Always + - name: pod02 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: pod01 + image: busybox:1.35 + imagePullPolicy: IfNotPresent + - name: pod02 + image: busybox:latest + imagePullPolicy: Always \ No newline at end of file diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..770e5393e --- /dev/null +++ b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,47 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:latest + imagePullPolicy: Never + - name: bb03 + image: busybox + imagePullPolicy: IfNotPresent +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: bb01 + image: busybox:latest + imagePullPolicy: Never + - name: bb02 + image: busybox:1.35 + - name: bb03 + image: busybox + imagePullPolicy: IfNotPresent + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..4499d5b17 --- /dev/null +++ b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml @@ -0,0 +1,43 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:latest + - name: bb03 + image: busybox +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:latest + - name: bb03 + image: busybox + restartPolicy: OnFailure \ No newline at end of file 
diff --git a/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml b/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..252cf757a --- /dev/null +++ b/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,33 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: imagepullpolicy-always +policies: +- ../imagepullpolicy-always.yaml +resources: +- resource.yaml +results: +- kind: Deployment + policy: imagepullpolicy-always + resources: + - mydeploy1 + result: fail + rule: imagepullpolicy-always +- kind: Pod + policy: imagepullpolicy-always + resources: + - myapp-pod-2 + result: fail + rule: imagepullpolicy-always +- kind: Deployment + policy: imagepullpolicy-always + resources: + - mydeploy2 + result: pass + rule: imagepullpolicy-always +- kind: Pod + policy: imagepullpolicy-always + resources: + - myapp-pod-1 + result: pass + rule: imagepullpolicy-always diff --git a/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml b/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml new file mode 100644 index 000000000..e19c69e2e --- /dev/null +++ b/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml 
@@ -0,0 +1,66 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod-1 + labels: + app: myapp-1 +spec: + containers: + - name: nginx + image: nginx:latest + imagePullPolicy: "Always" + +--- +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod-2 + labels: + app: myapp-2 +spec: + containers: + - name: nginx + image: nginx:latest + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mydeploy1 +spec: + replicas: 2 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 80 + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mydeploy2 +spec: + replicas: 2 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: nginx + image: nginx + imagePullPolicy: "Always" + ports: + - containerPort: 80 \ No newline at end of file diff --git a/other-cel/imagepullpolicy-always/artifacthub-pkg.yml b/other-cel/imagepullpolicy-always/artifacthub-pkg.yml new file mode 100644 index 000000000..a88ed1308 --- /dev/null +++ b/other-cel/imagepullpolicy-always/artifacthub-pkg.yml 
@@ -0,0 +1,21 @@ +name: imagepullpolicy-always +version: 1.0.0 +displayName: Require imagePullPolicy Always +createdAt: "2023-04-10T20:30:04.000Z" +description: >- + If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/imagepullpolicy-always/imagepullpolicy-always.yaml + ``` +keywords: + - kyverno + - Sample +readme: | + If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample" + kyverno/subject: "Pod" +digest: 6c540bf67eeab51987b0021acffd73333d5eff22f14e10204b8c2c543222758d diff --git a/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml b/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml new file mode 100644 index 000000000..874c8ce01 --- /dev/null +++ b/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml 
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: imagepullpolicy-always
+ annotations:
+ policies.kyverno.io/title: Require imagePullPolicy Always
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/description: >-
+ If the `latest` tag is allowed for images, it is a good idea to have the
+ imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future
+ pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always`
+ when the `latest` tag is specified explicitly or where a tag is not defined at all.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: imagepullpolicy-always
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ The imagePullPolicy must be set to `Always` when the tag `latest` is used.
+ pattern:
+ spec:
+ containers:
+ - (image): "*:latest | !*:*"
+ imagePullPolicy: "Always"
\ No newline at end of file
From c97304e6e877e6082d9a586065fc0a27cc2719ef Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 3 Apr 2024 17:46:58 +0000 Subject: [PATCH 16/25] convert imagepullpolicy-always to cel Signed-off-by: Chandan-DK
--- .../.kyverno-test/resource.yaml | 3 ++- .../artifacthub-pkg.yml | 15 ++++++----- .../imagepullpolicy-always.yaml | 25 +++++++++++-------- 3 files changed, 25 insertions(+), 18 deletions(-)
diff --git a/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml b/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml
index e19c69e2e..ec227dcc3 100644
--- a/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml
+++ b/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml
@@ -21,7 +21,7 @@ spec: containers: - name: nginx image: nginx:latest - + imagePullPolicy: "IfNotPresent" --- apiVersion: apps/v1 kind: Deployment
@@ -40,6 +40,7 @@ spec: containers: - name: nginx image: nginx + imagePullPolicy: "IfNotPresent" ports: - containerPort: 80 diff --git a/other-cel/imagepullpolicy-always/artifacthub-pkg.yml b/other-cel/imagepullpolicy-always/artifacthub-pkg.yml index a88ed1308..53537fb8b 100644 --- a/other-cel/imagepullpolicy-always/artifacthub-pkg.yml +++ b/other-cel/imagepullpolicy-always/artifacthub-pkg.yml 
@@ -1,21 +1,24 @@ -name: imagepullpolicy-always +name: imagepullpolicy-always-cel version: 1.0.0 -displayName: Require imagePullPolicy Always -createdAt: "2023-04-10T20:30:04.000Z" +displayName: Require imagePullPolicy Always in CEL expressions description: >- If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/imagepullpolicy-always/imagepullpolicy-always.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml ``` keywords: - kyverno - Sample + - CEL Expressions readme: | If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Sample" + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 6c540bf67eeab51987b0021acffd73333d5eff22f14e10204b8c2c543222758d +digest: a6708df7cd59fcd4dc4f764ff01541940f39eca5d4ddffd9529d83090e511b47 +createdAt: "2024-04-03T17:41:38Z" + diff --git a/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml b/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml index 874c8ce01..951d07495 100644 --- a/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml 
+++ b/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml @@ -3,18 +3,19 @@ kind: ClusterPolicy metadata: name: imagepullpolicy-always annotations: - policies.kyverno.io/title: Require imagePullPolicy Always - policies.kyverno.io/category: Sample + policies.kyverno.io/title: Require imagePullPolicy Always in CEL expressions + policies.kyverno.io/category: Sample in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: imagepullpolicy-always @@ -24,10 +25,12 @@ spec: kinds: - Pod validate: - message: >- - The imagePullPolicy must be set to `Always` when the tag `latest` is used. - pattern: - spec: - containers: - - (image): "*:latest | !*:*" - imagePullPolicy: "Always" \ No newline at end of file + cel: + expressions: + - expression: >- + object.spec.containers.all(container, + (container.image.endsWith(':latest') || !container.image.contains(':')) ? + container.imagePullPolicy == 'Always' : true) + message: >- + The imagePullPolicy must be set to `Always` when the tag `latest` is used. + From c97304e6e877e6082d9a586065fc0a27cc2719ef Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 4 Apr 2024 17:28:25 +0000 Subject: [PATCH 17/25] copy limit-hostpath-type-pv 
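Review bot: The new CEL expression in the second hunk reads `container.imagePullPolicy` unguarded, so a `:latest` or untagged container that omits the field makes the expression error out instead of evaluating to false; in the admission path the API server has already defaulted the field, but the CLI test has no defaulting, which appears to be why the resource.yaml hunks earlier in this patch had to add an explicit `IfNotPresent` to the bad fixtures. Guard the access so a missing field is itself a violation: `(has(container.imagePullPolicy) && container.imagePullPolicy == 'Always') : true)`. Two gaps are carried over from the removed pattern rather than introduced here, but the CEL form is the place to close them: `!container.image.contains(':')` treats an untagged image with a registry port (constructed example: `registry.example.com:5000/app`) as tagged and skips the check, and only `spec.containers` is evaluated, not `initContainers` or `ephemeralContainers`.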
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 +++ .../.chainsaw-test/chainsaw-test.yaml | 31 +++++++++++++++ .../.chainsaw-test/pv-bad.yaml | 31 +++++++++++++++ .../.chainsaw-test/pv-good.yaml | 31 +++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 21 ++++++++++ .../.kyverno-test/resource.yaml | 31 +++++++++++++++ .../artifacthub-pkg.yml | 21 ++++++++++ .../limit-hostpath-type-pv.yaml | 38 +++++++++++++++++++ 8 files changed, 210 insertions(+) create mode 100755 other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml create mode 100644 other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml create mode 100644 other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml create mode 100644 other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml create mode 100644 other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..3f396191b --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: limit-hostpath-type-pv +status: + ready: true diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..101cae9ad --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,31 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: limit-hostpath-type-pv +spec: + steps: + - name: step-01 + try: + - apply: + file: ../limit-hostpath-type-pv.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: limit-hostpath-type-pv + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pv-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pv-bad.yaml diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml new file mode 100644 index 000000000..053d7a6ad --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: bad-pv01 + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/etc" +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: bad-pv02 + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/etc/data/home" diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml new file mode 100644 index 000000000..03d1a4d6e --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: good-pv01 + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/data" +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: good-pv02 + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/data/home" \ No newline at end of file diff --git a/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml b/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..903d1cae6 --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: limit-hostpath-type-pv +policies: +- ../limit-hostpath-type-pv.yaml +resources: +- resource.yaml +results: +- kind: PersistentVolume + policy: limit-hostpath-type-pv + resources: + - bad-pv + result: fail + rule: limit-hostpath-type-pv-to-slash-data +- kind: PersistentVolume + policy: limit-hostpath-type-pv + resources: + - good-pv + result: pass + rule: limit-hostpath-type-pv-to-slash-data diff --git a/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml b/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml new file mode 100644 index 000000000..1ae2492bd --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: good-pv + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/data" +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: bad-pv + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/etc" diff --git a/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml b/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml new file mode 100644 index 000000000..7dac0b038 --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml 
@@ -0,0 +1,21 @@ +name: limit-hostpath-type-pv +version: 1.0.0 +displayName: Limit hostPath PersistentVolumes to Specific Directories +createdAt: "2023-04-10T20:30:04.000Z" +description: >- + hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml + ``` +keywords: + - kyverno + - Other +readme: | + hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/subject: "PersistentVolume" +digest: 1c17b81f546a6aef28cbd0d514baa157df7a955a5587db9dd148a0f35f6aa7ee diff --git a/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml b/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml new file mode 100644 index 000000000..5aa7ec51d --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml 
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: limit-hostpath-type-pv
+ annotations:
+ policies.kyverno.io/title: Limit hostPath PersistentVolumes to Specific Directories
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: PersistentVolume
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/description: >-
+ hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes
+ are not to be universally disabled, they should be restricted to only certain
+ host paths so as not to allow access to sensitive information. This policy ensures
+ the only directory that can be mounted as a hostPath volume is /data.
+spec:
+ background: false
+ validationFailureAction: audit
+ rules:
+ - name: limit-hostpath-type-pv-to-slash-data
+ match:
+ any:
+ - resources:
+ kinds:
+ - PersistentVolume
+ preconditions:
+ all:
+ - key: "{{request.operation || 'BACKGROUND'}}"
+ operator: AnyIn
+ value:
+ - CREATE
+ - UPDATE
+ validate:
+ message: hostPath type persistent volumes are confined to /data.
+ pattern:
+ spec:
+ =(hostPath):
+ path: /data*
From 22509cb1cb69f7b73bcbfb078d78db30c750eaa3 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 4 Apr 2024 17:37:56 +0000 Subject: [PATCH 18/25] convert limit-hostpath-type-pv to cel Signed-off-by: Chandan-DK
--- .../artifacthub-pkg.yml | 14 +++++----- .../limit-hostpath-type-pv.yaml | 26 +++++++------------ 2 files changed, 18 insertions(+), 22 deletions(-)
diff --git a/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml b/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml
index 7dac0b038..acaf10931 100644
--- a/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml
+++ b/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml
@@ -1,21 +1,23 @@ -name: limit-hostpath-type-pv +name: limit-hostpath-type-pv-cel version: 1.0.0 -displayName: Limit hostPath PersistentVolumes to Specific Directories -createdAt: "2023-04-10T20:30:04.000Z" +displayName: Limit hostPath PersistentVolumes to Specific Directories in CEL expressions description: >- hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "PersistentVolume" -digest: 1c17b81f546a6aef28cbd0d514baa157df7a955a5587db9dd148a0f35f6aa7ee +digest: 981a66b5f77de02d3f6623b49c02421dd1adf4e9882d96a2e0219de9dba52672 +createdAt: "2024-04-04T17:35:35Z" diff --git a/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml b/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml index 5aa7ec51d..6004e0e42 100644 
--- a/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml +++ b/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml @@ -3,11 +3,12 @@ kind: ClusterPolicy metadata: name: limit-hostpath-type-pv annotations: - policies.kyverno.io/title: Limit hostPath PersistentVolumes to Specific Directories - policies.kyverno.io/category: Other + policies.kyverno.io/title: Limit hostPath PersistentVolumes to Specific Directories in CEL expressions + policies.kyverno.io/category: Other in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: PersistentVolume - policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain @@ -15,7 +16,7 @@ metadata: the only directory that can be mounted as a hostPath volume is /data. spec: background: false - validationFailureAction: audit + validationFailureAction: Audit rules: - name: limit-hostpath-type-pv-to-slash-data match: @@ -23,16 +24,9 @@ spec: - resources: kinds: - PersistentVolume - preconditions: - all: - - key: "{{request.operation || 'BACKGROUND'}}" - operator: AnyIn - value: - - CREATE - - UPDATE validate: - message: hostPath type persistent volumes are confined to /data. - pattern: - spec: - =(hostPath): - path: /data* + cel: + expressions: + - expression: "!has(object.spec.hostPath) || object.spec.hostPath.path.startsWith('/data')" + message: hostPath type persistent volumes are confined to /data. + From fc6223c9d3a69d334e631170f16aa023c1d54ef0 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Fri, 5 Apr 2024 17:35:41 +0000 Subject: [PATCH 19/25] copy ensure-readonly-hostpath 
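Review bot: `startsWith('/data')` in the new expression is a string-prefix test, not a directory test, so a hostPath of `/database` or `/data-old` satisfies it although neither lives under `/data`; the removed `/data*` glob had the same reach, so this is inherited rather than new, but the CEL rewrite is the place to tighten it: `expression: "!has(object.spec.hostPath) || object.spec.hostPath.path == '/data' || object.spec.hostPath.path.startsWith('/data/')"`. The pv-bad.yaml and resource.yaml fixtures from the previous patch only use `/etc`-rooted paths, so none of them would catch the prefix case; one PV with `path: "/database"` in pv-bad.yaml would pin it. The `!has(object.spec.hostPath)` branch is likewise untested, since every fixture PV carries a hostPath. The CREATE/UPDATE preconditions were dropped with no equivalent added to the match block; if that is deliberate for the CEL form, a one-line comment on the rule saying why they are no longer needed would save the next reader from re-deriving it.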
Signed-off-by: Chandan-DK --- .../.chainsaw-test/bad-pod-02.yaml | 16 ++++ .../.chainsaw-test/bad-pod-03.yaml | 21 ++++++ .../.chainsaw-test/bad-pod-04.yaml | 22 ++++++ .../.chainsaw-test/bad-pod-05.yaml | 27 +++++++ .../.chainsaw-test/bad-pods-all.yaml | 39 ++++++++++ .../chainsaw-step-01-assert-1.yaml | 6 ++ .../.chainsaw-test/chainsaw-test.yaml | 65 ++++++++++++++++ .../.chainsaw-test/good-pods-all.yaml | 36 +++++++++ .../.chainsaw-test/podcontrollers-bad.yaml | 74 +++++++++++++++++++ .../.chainsaw-test/podcontrollers-good.yaml | 74 +++++++++++++++++++ .../.chainsaw-test/pods-bad.yaml | 26 +++++++ .../.chainsaw-test/pods-good.yaml | 26 +++++++ .../.kyverno-test/bad-pod-01.yaml | 15 ++++ .../.kyverno-test/good-pod-01.yaml | 16 ++++ .../.kyverno-test/kyverno-test.yaml | 23 ++++++ .../.kyverno-test/values.yaml | 8 ++ .../artifacthub-pkg.yml | 22 ++++++ .../ensure-readonly-hostpath.yaml | 52 +++++++++++++ 18 files changed, 568 insertions(+) create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml create mode 100755 other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml create mode 100644 
other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.kyverno-test/values.yaml create mode 100644 other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml create mode 100644 other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml new file mode 100644 index 000000000..beaaf4b59 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod-02 +spec: + containers: + - name: test-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: false + volumes: + - name: foo + hostPath: + path: /var/log \ No newline at end of file diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml new file mode 100644 index 000000000..91629aa37 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod-03 +spec: + containers: + - name: test-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /etc + name: bar + volumes: + - name: foo + hostPath: + path: /var/log + - name: bar + hostPath: + path: /etc \ No newline at end of file diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml new file mode 100644 index 000000000..e67aca6c7 
--- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod-04 +spec: + containers: + - name: test-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /etc + name: bar + readOnly: false + volumes: + - name: foo + hostPath: + path: /var/log + - name: bar + hostPath: + path: /etc \ No newline at end of file diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml new file mode 100644 index 000000000..b1923c5d8 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod-05 +spec: + containers: + - name: test-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /etc + name: bar + - name: test-webserver02 + image: sjbonmqopcta:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + volumes: + - name: foo + hostPath: + path: /var/log + - name: bar + hostPath: + path: /etc \ No newline at end of file diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml new file mode 100644 index 000000000..7104c5947 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml 
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pods-all
+spec:
+ ephemeralContainers:
+ - name: ephemtest-webserver
+ image: asdfeasdfasada:latest
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: false
+ initContainers:
+ - name: inittest-webserver
+ image: asdfeasdfasada:latest
+ volumeMounts:
+ - mountPath: /some/dir
+ name: bar
+ readOnly: true
+ containers:
+ - name: test-webserver
+ image: asdfeasdfasada:latest
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ - name: test-webserver02
+ image: sjbonmqopcta:latest
+ volumeMounts:
+ - mountPath: /some/dir
+ name: bar
+ readOnly: true
+ volumes:
+ - name: foo
+ hostPath:
+ path: /var/log
+ - name: bar
+ hostPath:
+ path: /etc
\ No newline at end of file
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..9668eb938
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: ensure-readonly-hostpath
+status:
+ ready: true
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..5fe35235e
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,65 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: ensure-readonly-hostpath
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../ensure-readonly-hostpath.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: ensure-readonly-hostpath
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pods-good.yaml
+ - apply:
+ file: ../.kyverno-test/good-pod-01.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pods-bad.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../.kyverno-test/bad-pod-01.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod-02.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod-03.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod-04.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod-05.yaml
+ - apply:
+ file: podcontrollers-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontrollers-bad.yaml
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml
new file mode 100644
index 000000000..2b291bf72
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml
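Review bot: Neither bad-pods-all.yaml nor good-pods-all.yaml is applied by any step of this test, so the only fixtures that put a hostPath mount under `ephemeralContainers` never run and that branch of the policy stays untested. Wiring them in is not a plain `apply`, though: the API server forbids `spec.ephemeralContainers` on Pod creation (they are only added through the `ephemeralcontainers` subresource), so applying those fixtures as written would most likely fail for a reason unrelated to the policy. Either exercise that path through an update step on an existing Pod, or drop the two unused fixtures so the suite does not suggest coverage it does not have.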
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pods-all
+spec:
+ ephemeralContainers:
+ - name: ephemtest-webserver
+ image: asdfeasdfasada:latest
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ initContainers:
+ - name: inittest-webserver
+ image: fjtyonaq:latest
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ containers:
+ - name: test-webserver
+ image: asdfeasdfasada:latest
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ - name: test-webserver02
+ image: sjbonmqopcta:latest
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ volumes:
+ - name: foo
+ hostPath:
+ path: /var/log
\ No newline at end of file
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml
new file mode 100644
index 000000000..be0eb2e1f
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml
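Review bot: The Pod in good-pods-all.yaml is named `bad-pods-all`, the same name as the Pod in bad-pods-all.yaml, so if both fixtures were ever applied in one namespace the second would be treated as an update of the first rather than a separate case. Renaming it, `name: good-pods-all`, keeps the fixture self-describing and avoids the collision.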
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ initContainers:
+ - name: busybox-init
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ - mountPath: /some/another/dir
+ name: foo
+ readOnly: false
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ volumes:
+ - name: foo
+ hostPath:
+ path: /var/log
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ initContainers:
+ - name: busybox-init
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ - mountPath: /some/another/dir
+ name: foo
+ readOnly: false
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ volumes:
+ - name: foo
+ hostPath:
+ path: /var/log
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml
new file mode 100644
index 000000000..ca7f558d4
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ initContainers:
+ - name: busybox-init
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ - mountPath: /some/another/dir
+ name: foo
+ readOnly: true
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ volumes:
+ - name: foo
+ hostPath:
+ path: /var/log
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ initContainers:
+ - name: busybox-init
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ - mountPath: /some/another/dir
+ name: foo
+ readOnly: true
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ volumes:
+ - name: foo
+ hostPath:
+ path: /var/log
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml
new file mode 100644
index 000000000..9430edd30
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+spec:
+ initContainers:
+ - name: busybox-init
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ - mountPath: /some/another/dir
+ name: foo
+ readOnly: false
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ volumes:
+ - name: foo
+ hostPath:
+ path: /var/log
\ No newline at end of file
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml
new file mode 100644
index 000000000..584c6ce57
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01
+spec:
+ initContainers:
+ - name: busybox-init
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ - mountPath: /some/another/dir
+ name: foo
+ readOnly: true
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ volumes:
+ - name: foo
+ hostPath:
+ path: /var/log
\ No newline at end of file
diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml
new file mode 100644
index 000000000..818c55632
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-01
+spec:
+ containers:
+ - name: test-webserver
+ image: asdfeasdfasada:latest
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ volumes:
+ - name: foo
+ hostPath:
+ path: /var/log
\ No newline at end of file
diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml
new file mode 100644
index 000000000..81e3eb5a6
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-01
+spec:
+ containers:
+ - name: test-webserver
+ image: asdfeasdfasada:latest
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: true
+ volumes:
+ - name: foo
+ hostPath:
+ path: /var/log
\ No newline at end of file
diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..7d60a8bd8
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: ensure-readonly-hostpath
+policies:
+- ../ensure-readonly-hostpath.yaml
+resources:
+- good-pod-01.yaml
+- bad-pod-01.yaml
+results:
+- kind: Pod
+ policy: ensure-readonly-hostpath
+ resources:
+ - bad-pod-01
+ result: fail
+ rule: ensure-hostpaths-readonly
+- kind: Pod
+ policy: ensure-readonly-hostpath
+ resources:
+ - good-pod-01
+ result: pass
+ rule: ensure-hostpaths-readonly
+variables: values.yaml
diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/values.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/values.yaml
new file mode 100644
index 000000000..3026f517a
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.kyverno-test/values.yaml
@@ -0,0 +1,8 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+policies:
+- name: ensure-readonly-hostpath
+ resources:
+ - name: good-pod-01
+ values:
+ request.operation: UPDATE
diff --git a/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml b/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml
new file mode 100644
index 000000000..c4f72ff42
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: ensure-readonly-hostpath
+version: 1.0.0
+displayName: Ensure Read Only hostPath
+createdAt: "2023-04-10T20:30:04.000Z"
+description: >-
+ Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines (see https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only mode. This policy checks all containers for any hostPath volumes and ensures they are explicitly mounted in readOnly mode.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines (see https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only mode. This policy checks all containers for any hostPath volumes and ensures they are explicitly mounted in readOnly mode.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.23"
+ kyverno/subject: "Pod"
+digest: f0e22c25527bc05172373d719f5ffd924c155c68edf62a6ff2650633e1ce2f2b
diff --git a/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml b/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml
new file mode 100644
index 000000000..cc1e68891
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml
@@ -0,0 +1,52 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: ensure-readonly-hostpath
+ annotations:
+ policies.kyverno.io/title: Ensure Read Only hostPath
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kyverno-version: 1.6.2
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk
+ even if confined to a "safe" file system on the host and may escape those confines (see
+ https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way
+ to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only
+ mode. This policy checks all containers for any hostPath volumes and ensures they are
+ explicitly mounted in readOnly mode.
+spec:
+ background: false
+ validationFailureAction: audit
+ rules:
+ - name: ensure-hostpaths-readonly
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: AnyIn
+ value:
+ - CREATE
+ - UPDATE
+ validate:
+ message: All hostPath volumes must be mounted as readOnly.
+ foreach:
+ # Fetch all volumes in the Pod which are a hostPath. Store the names in an array. There could be multiple in a Pod so can't assume just one.
+ - list: "request.object.spec.volumes[?hostPath][]"
+ deny:
+ conditions:
+ # For every name found for a hostPath volume (stored as `{{element}}`), check all containers, initContainers, and ephemeralContainers which mount this volume and
+ # total up the number of them. Compare that to the ones with that same name which explicitly specify that `readOnly: true`. If these two
+ # counts aren't equal, deny the Pod because at least one is attempting to mount that hostPath in read/write mode. Note that the absence of
+ # the `readOnly: true` field implies read/write access. Therefore, every hostPath volume must explicitly specify that it should be mounted
+ # in readOnly mode, regardless of where that occurs in a Pod.
+ any:
+ - key: "{{ request.object.spec.[containers, initContainers, ephemeralContainers][].volumeMounts[?name == '{{element.name}}'][] | length(@) }}"
+ operator: NotEquals
+ value: "{{ request.object.spec.[containers, initContainers, ephemeralContainers][].volumeMounts[?name == '{{element.name}}' && readOnly] [] | length(@) }}"
\ No newline at end of file
From 00115bb75faffec05275fec4376f22e8d1e17a29 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Fri, 5 Apr 2024 17:39:51 +0000 Subject: [PATCH 20/25] convert ensure-readonly-hostpath to cel Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 2 +- .../.kyverno-test/values.yaml | 8 ---- .../artifacthub-pkg.yml | 15 +++--- .../ensure-readonly-hostpath.yaml | 47 ++++++++----------- 4 files changed, 28 insertions(+), 44 deletions(-) delete mode 100644 other-cel/ensure-readonly-hostpath/.kyverno-test/values.yaml
diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml
index 7d60a8bd8..e37b5e0c3 100644
--- a/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml
+++ b/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml
@@ -20,4 +20,4 @@ results:
 - good-pod-01
 result: pass
 rule: ensure-hostpaths-readonly
-variables: values.yaml
+
diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/values.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/values.yaml
deleted file mode 100644
index 3026f517a..000000000
--- a/other-cel/ensure-readonly-hostpath/.kyverno-test/values.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Values
-policies:
-- name: ensure-readonly-hostpath
- resources:
- - name: good-pod-01
- values:
- request.operation: UPDATE
diff --git a/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml b/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml
index c4f72ff42..9db0dd388 100644
--- a/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml
+++ b/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml
@@ -1,22 +1,23 @@ -name: ensure-readonly-hostpath +name: ensure-readonly-hostpath-cel version: 1.0.0 -displayName: Ensure Read Only hostPath -createdAt: "2023-04-10T20:30:04.000Z" +displayName: Ensure Read Only hostPath in CEL expressions description: >- Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines (see https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only mode. This policy checks all containers for any hostPath volumes and ensures they are explicitly mounted in readOnly mode. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines (see https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only mode. This policy checks all containers for any hostPath volumes and ensures they are explicitly mounted in readOnly mode. 
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.23" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: f0e22c25527bc05172373d719f5ffd924c155c68edf62a6ff2650633e1ce2f2b +digest: 5335b84399ed1bb06e70489940d2555cff0c97f7f937aac0fbdf8ee0a188ace1 +createdAt: "2024-04-05T17:39:16Z" diff --git a/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml b/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml index cc1e68891..ea97b78be 100644 --- a/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml +++ b/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: ensure-readonly-hostpath annotations: - policies.kyverno.io/title: Ensure Read Only hostPath - policies.kyverno.io/category: Other + policies.kyverno.io/title: Ensure Read Only hostPath in CEL expressions + policies.kyverno.io/category: Other in CEL policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kyverno-version: 1.6.2 - kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk @@ -19,7 +19,7 @@ metadata: explicitly mounted in readOnly mode. spec: background: false - validationFailureAction: audit + validationFailureAction: Audit rules: - name: ensure-hostpaths-readonly match: 
@@ -27,26 +27,17 @@ spec: - resources: kinds: - Pod - preconditions: - all: - - key: "{{ request.operation || 'BACKGROUND' }}" - operator: AnyIn - value: - - CREATE - - UPDATE validate: - message: All hostPath volumes must be mounted as readOnly. - foreach: - # Fetch all volumes in the Pod which are a hostPath. Store the names in an array. There could be multiple in a Pod so can't assume just one. - - list: "request.object.spec.volumes[?hostPath][]" - deny: - conditions: - # For every name found for a hostPath volume (stored as `{{element}}`), check all containers, initContainers, and ephemeralContainers which mount this volume and - # total up the number of them. Compare that to the ones with that same name which explicitly specify that `readOnly: true`. If these two - # counts aren't equal, deny the Pod because at least one is attempting to mount that hostPath in read/write mode. Note that the absence of - # the `readOnly: true` field implies read/write access. Therefore, every hostPath volume must explicitly specify that it should be mounted - # in readOnly mode, regardless of where that occurs in a Pod. - any: - - key: "{{ request.object.spec.[containers, initContainers, ephemeralContainers][].volumeMounts[?name == '{{element.name}}'][] | length(@) }}" - operator: NotEquals - value: "{{ request.object.spec.[containers, initContainers, ephemeralContainers][].volumeMounts[?name == '{{element.name}}' && readOnly] [] | length(@) }}" \ No newline at end of file + cel: + variables: + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + - name: hostPathVolumes + expression: "has(object.spec.volumes) ? 
object.spec.volumes.filter(volume, has(volume.hostPath)) : []" + expressions: + - expression: >- + variables.hostPathVolumes.all(hostPath, variables.allContainers.all(container, + !has(container.volumeMounts) || + container.volumeMounts.all(volume, (hostPath.name != volume.name) || has(volume.readOnly) && volume.readOnly == true))) + message: All hostPath volumes must be mounted as readOnly. + From d47d9c1b5eb1869d8a1ac1aa692c88177d006656 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sat, 6 Apr 2024 14:22:01 +0000 Subject: [PATCH 21/25] copy ingress-host-match-tls Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 + .../.chainsaw-test/chainsaw-test.yaml | 31 +++ .../.chainsaw-test/ingress-bad.yaml | 82 +++++++ .../.chainsaw-test/ingress-good.yaml | 201 ++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 25 +++ .../.kyverno-test/resource.yaml | 169 +++++++++++++++ .../artifacthub-pkg.yml | 22 ++ .../ingress-host-match-tls.yaml | 43 ++++ 8 files changed, 579 insertions(+) create mode 100755 other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml create mode 100644 other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml create mode 100644 other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml create mode 100644 other-cel/ingress-host-match-tls/artifacthub-pkg.yml create mode 100644 other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..1bd8a2c79 --- /dev/null +++ b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
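Review bot: The `allContainers` variable reads `object.spec.containers` unconditionally, while the CREATE/UPDATE preconditions of the JMESPath rule are not replaced by an `operations` filter on the match block; in Kyverno's CEL variable set `object` is null for DELETE requests, so if this rule is evaluated on a Pod deletion the variable errors rather than the rule passing. Restoring the old scope with `operations: [CREATE, UPDATE]` under `match.any[0].resources` (that block starts above this hunk) keeps the rule to the admissions it was written for. The final clause of the expression relies on `&&` binding tighter than `||`; writing it as `(hostPath.name != volume.name) || (has(volume.readOnly) && volume.readOnly == true)` makes the intended grouping explicit to readers who do not have CEL precedence in their head. The dropped comment from the old rule explained that an absent `readOnly` field means read/write access, which is exactly why `has(volume.readOnly)` is required here; a one-line comment above `expressions:` restating that would keep the rationale next to the CEL form.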
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: ingress-host-match-tls
+status:
+ ready: true
diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..ee51f40cf
--- /dev/null
+++ b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,31 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: ingress-host-match-tls
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../ingress-host-match-tls.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: ingress-host-match-tls
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ingress-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ingress-bad.yaml
diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml
new file mode 100644
index 000000000..b04cf758e
--- /dev/null
+++ b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml
@@ -0,0 +1,82 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: badingress01
+spec:
+ ingressClassName: someingress
+ rules:
+ - host: endpoint01
+ http:
+ paths:
+ - backend:
+ service:
+ name: demo-svc
+ port:
+ number: 8080
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - endpoint99
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: badingress02
+spec:
+ ingressClassName: someingress
+ rules:
+ - host: endpoint01
+ http:
+ paths:
+ - backend:
+ service:
+ name: demo-svc
+ port:
+ number: 8080
+ path: /
+ pathType: Prefix
+ - host: endpoint02
+ http:
+ paths:
+ - backend:
+ service:
+ name: demo-svc
+ port:
+ number: 8080
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - endpoint03
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: badingress03
+spec:
+ ingressClassName: someingress
+ rules:
+ - host: endpoint01
+ http:
+ paths:
+ - backend:
+ service:
+ name: demo-svc
+ port:
+ number: 8080
+ path: /
+ pathType: Prefix
+ - host: endpoint02
+ http:
+ paths:
+ - backend:
+ service:
+ name: demo-svc
+ port:
+ number: 8080
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - endpoint01
\ No newline at end of file
diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml
new file mode 100644
index 000000000..65350b9d3
--- /dev/null
+++ b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml
@@ -0,0 +1,201 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: goodingress01
+spec:
+ ingressClassName: someingress
+ rules:
+ - host: endpoint01
+ http:
+ paths:
+ - backend:
+ service:
+ name: demo-svc
+ port:
+ number: 8080
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - endpoint01
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: goodingress02
+spec:
+ ingressClassName: nginx-int
+ rules:
+ - host: endpoint01
+ http:
+ paths:
+ - path: /testpath
+ pathType: Prefix
+ backend:
+ service:
+ name: test
+ port:
+ number: 80
+ - host: endpoint02
+ http:
+ paths:
+ - path: /testpath
+ pathType: Prefix
+ backend:
+ service:
+ name: test
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - endpoint01
+ - endpoint02
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: goodingress03
+spec:
+ ingressClassName: nginx-int
+ rules:
+ - host: endpoint01
+ http:
+ paths:
+ - path: /testpath
+ pathType: Prefix
+ backend:
+ service:
+ name: test
+ port:
+ number: 80
+ - host: endpoint02
+ http:
+ paths:
+ - path: /testpath
+ pathType: Prefix
+ backend:
+ service:
+ name: test
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - endpoint02
+ - endpoint01
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: goodingress04
+spec:
+ ingressClassName: nginx-int
+ rules:
+ - host: endpoint02
+ http:
+ paths:
+ - path: /testpath
+ pathType: Prefix
+ backend:
+ service:
+ name: test
+ port:
+ number: 80
+ - host: endpoint01
+ http:
+ paths:
+ - path: /testpath
+ pathType: Prefix
+ backend:
+ service:
+ name: test
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - endpoint01
+ - endpoint02
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: goodingress05
+spec:
+ ingressClassName: nginx-int
+ rules:
+ - host: foo.bar.com
+ http:
+ paths:
+ - path: /testpath
+ pathType: Prefix
+ backend:
+ service:
+ name: test
+ port:
+ number: 80
+ - host: endpoint02
+ http:
+ paths:
+ - path: /testpath
+ pathType: Prefix
+ backend:
+ service:
+ name: test
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - endpoint02
+ - foo.bar.com
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: goodingress06
+spec:
+ ingressClassName: nginx-int
+ rules:
+ - host: endpoint01
+ http:
+ paths:
+ - path: /foo
+ pathType: Prefix
+ backend:
+ service:
+ name: bar
+ port:
+ number: 80
+ - host: "*.foo.com"
+ http:
+ paths:
+ - path: /bar
+ pathType: Prefix
+ backend:
+ service:
+ name: test
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - endpoint01
+ - "*.foo.com"
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: goodingress07
+spec:
+ defaultBackend:
+ resource:
+ apiGroup: k8s.example.com
+ kind: StorageBucket
+ name: foo-bar
+ rules:
+ - http:
+ paths:
+ - path: /foo
+ pathType: ImplementationSpecific
+ backend:
+ resource:
+ apiGroup: k8s.example.com
+ kind: StorageBucket
+ name: foo-bar
\ No newline at end of file
diff --git a/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml b/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..40067a412
--- /dev/null
+++ b/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,25 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: ingress-host-match-tls
+policies:
+- ../ingress-host-match-tls.yaml
+resources:
+- resource.yaml
+results:
+- kind: Ingress
+ policy: ingress-host-match-tls
+ resources:
+ - badingress01
+ - badingress02
+ result: fail
+ rule: host-match-tls
+- kind: Ingress
+ policy: ingress-host-match-tls
+ resources:
+ - goodingress01
+ - goodingress02
+ - goodingress03
+ - goodingress04
+ result: pass
+ rule: host-match-tls
diff --git a/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml b/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..d2f4354a0
--- /dev/null
+++ b/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml
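Review bot: This CLI test lists only badingress01/02 and goodingress01–04, so it never exercises the cases the chainsaw fixtures add on top: badingress03 (two rule hosts, only one of them under `tls`), goodingress05/06 (a dotted and a wildcard host) and goodingress07 (a rule with no `host` at all). Those are the inputs most likely to expose an off-by-one in a host/TLS comparison, so adding them to resource.yaml and to the matching `resources:` entries here would give the CLI test the same coverage as the cluster test. The policy file itself is not in this patch, so the expected outcome for the host-less rule is inferred from the fixture's name and should be confirmed against it.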
@@ -0,0 +1,169 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: badingress01 +spec: + ingressClassName: someingress + rules: + - host: endpoint01 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + tls: + - hosts: + - endpoint99 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: badingress02 +spec: + ingressClassName: someingress + rules: + - host: endpoint01 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + - host: endpoint02 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + tls: + - hosts: + - endpoint03 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress01 +spec: + ingressClassName: someingress + rules: + - host: endpoint01 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + tls: + - hosts: + - endpoint01 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress02 +spec: + ingressClassName: nginx-int + rules: + - host: endpoint01 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + - host: endpoint02 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + tls: + - hosts: + - endpoint01 + - endpoint02 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress03 +spec: + ingressClassName: nginx-int + rules: + - host: endpoint01 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + - host: endpoint02 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + tls: + - hosts: + - endpoint02 + - endpoint01 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress 
+metadata: + name: goodingress04 +spec: + ingressClassName: nginx-int + rules: + - host: endpoint02 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + - host: endpoint01 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + tls: + - hosts: + - endpoint01 + - endpoint02 diff --git a/other-cel/ingress-host-match-tls/artifacthub-pkg.yml b/other-cel/ingress-host-match-tls/artifacthub-pkg.yml new file mode 100644 index 000000000..a13df750e --- /dev/null +++ b/other-cel/ingress-host-match-tls/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: ingress-host-match-tls +version: 1.0.0 +displayName: Ingress Host Match TLS +createdAt: "2023-04-10T20:30:04.000Z" +description: >- + Ingress resources which name a host name that is not present in the TLS section can produce ingress routing failures as a TLS certificate may not correspond to the destination host. This policy ensures that the host name in an Ingress rule is also found in the list of TLS hosts. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/ingress-host-match-tls/ingress-host-match-tls.yaml + ``` +keywords: + - kyverno + - Other +readme: | + Ingress resources which name a host name that is not present in the TLS section can produce ingress routing failures as a TLS certificate may not correspond to the destination host. This policy ensures that the host name in an Ingress rule is also found in the list of TLS hosts. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.20, 1.21" + kyverno/subject: "Ingress" +digest: 3f3af746f48800ebfdb337b428125c1421f29d91161ab34a0fd8e2225913dbb3 
diff --git a/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml b/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml new file mode 100644 index 000000000..bf65c827b --- /dev/null +++ b/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml @@ -0,0 +1,43 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: ingress-host-match-tls + annotations: + policies.kyverno.io/title: Ingress Host Match TLS + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.20, 1.21" + policies.kyverno.io/subject: Ingress + policies.kyverno.io/description: >- + Ingress resources which name a host name that is not present + in the TLS section can produce ingress routing failures as a TLS + certificate may not correspond to the destination host. This policy + ensures that the host name in an Ingress rule is also found + in the list of TLS hosts. +spec: + background: false + validationFailureAction: audit + rules: + - name: host-match-tls + match: + any: + - resources: + kinds: + - Ingress + preconditions: + all: + - key: "{{request.operation || 'BACKGROUND'}}" + operator: AnyIn + value: + - CREATE + - UPDATE + validate: + message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]." + deny: + conditions: + all: + - key: "{{ (request.object.spec.rules[].host || `[]`) | sort(@) }}" + operator: AnyNotIn + value: "{{ (request.object.spec.tls[].hosts[] || `[]`) | sort(@) }}" From dc33d144589aebc1cfa86789d5123565ab4bc8d0 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sat, 6 Apr 2024 17:23:09 +0000 Subject: [PATCH 22/25] convert ingress-host-match-tls to cel Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 15 ++++---- .../ingress-host-match-tls.yaml | 37 +++++++++---------- 2 files changed, 25 insertions(+), 27 deletions(-) 
diff --git a/other-cel/ingress-host-match-tls/artifacthub-pkg.yml b/other-cel/ingress-host-match-tls/artifacthub-pkg.yml index a13df750e..22483d0ba 100644 --- a/other-cel/ingress-host-match-tls/artifacthub-pkg.yml +++ b/other-cel/ingress-host-match-tls/artifacthub-pkg.yml @@ -1,22 +1,23 @@ -name: ingress-host-match-tls +name: ingress-host-match-tls-cel version: 1.0.0 -displayName: Ingress Host Match TLS -createdAt: "2023-04-10T20:30:04.000Z" +displayName: Ingress Host Match TLS in CEL expressions description: >- Ingress resources which name a host name that is not present in the TLS section can produce ingress routing failures as a TLS certificate may not correspond to the destination host. This policy ensures that the host name in an Ingress rule is also found in the list of TLS hosts. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/ingress-host-match-tls/ingress-host-match-tls.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | Ingress resources which name a host name that is not present in the TLS section can produce ingress routing failures as a TLS certificate may not correspond to the destination host. This policy ensures that the host name in an Ingress rule is also found in the list of TLS hosts. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.20, 1.21" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Ingress" -digest: 3f3af746f48800ebfdb337b428125c1421f29d91161ab34a0fd8e2225913dbb3 +digest: 5442acaa90c6a45509015995028e241374b76d60cc700fbf6dd9f61178ba432f +createdAt: "2024-04-06T17:22:38Z" 
diff --git a/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml b/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml index bf65c827b..27bb57185 100644 --- a/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml +++ b/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: ingress-host-match-tls annotations: - policies.kyverno.io/title: Ingress Host Match TLS - policies.kyverno.io/category: Other + policies.kyverno.io/title: Ingress Host Match TLS in CEL expressions + policies.kyverno.io/category: Other in CEL policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.20, 1.21" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Ingress policies.kyverno.io/description: >- Ingress resources which name a host name that is not present @@ -18,7 +18,7 @@ metadata: in the list of TLS hosts. spec: background: false - validationFailureAction: audit + validationFailureAction: Audit rules: - name: host-match-tls match: 
@@ -26,18 +26,15 @@ spec: - resources: kinds: - Ingress - preconditions: - all: - - key: "{{request.operation || 'BACKGROUND'}}" - operator: AnyIn - value: - - CREATE - - UPDATE validate: - message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]." - deny: - conditions: - all: - - key: "{{ (request.object.spec.rules[].host || `[]`) | sort(@) }}" - operator: AnyNotIn - value: "{{ (request.object.spec.tls[].hosts[] || `[]`) | sort(@) }}" + cel: + variables: + - name: tls + expression: "has(object.spec.tls) ? object.spec.tls : []" + expressions: + - expression: >- + object.spec.rules.all(rule, + !has(rule.host) || + variables.tls.exists(tls, has(tls.hosts) && tls.hosts.exists(tlsHost, tlsHost == rule.host))) + message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]." + From 19d396d9c540cdfbe2288cd06d315cd7e3da2433 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sat, 6 Apr 2024 17:40:09 +0000 Subject: [PATCH 23/25] rename files for clarity 
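Review bot: The new expression dereferences `object.spec.rules` with no guard, so an Ingress that omits `spec.rules` (valid in the Ingress API when only `spec.defaultBackend` is set) makes the CEL evaluation error instead of passing, and in Enforce mode that error would likely reject a valid object; the `tls` variable right above already uses `has()` for exactly this case. Change the first line of the expression to `!has(object.spec.rules) || object.spec.rules.all(rule,` and add a rules-less Ingress to the good fixtures, since goodingress07 still carries a `rules` list and so does not cover it. The trailing empty `+` line leaves a blank line at the end of the file, which yamllint's empty-lines check reports. The enclosing rule `host-match-tls` begins in the previous hunk.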
Signed-off-by: Chandan-DK --- .../enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../ensure-probes-different/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 16 files changed, 8 insertions(+), 8 deletions(-) rename other-cel/enforce-pod-duration/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/ensure-probes-different/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/ensure-readonly-hostpath/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/forbid-cpu-limits/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/imagepullpolicy-always/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/ingress-host-match-tls/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/limit-containers-per-pod/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename 
other-cel/limit-hostpath-type-pv/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml index 76632597a..2444c53c1 100755 --- a/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml index f40140320..bbb493dc3 100755 --- a/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml @@ -21,7 +21,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml index 5fe35235e..4aeea23f3 100755 
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml index 7f6d2df88..d81a06a33 100755 --- a/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml index 57afc7d19..73d027b4e 100755 --- a/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml index ee51f40cf..2c7e5c355 100755 --- a/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml index 3578a47c1..2a152592a 100755 --- a/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml index 101cae9ad..050066bd9 100755 --- a/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml From 2858638c686121e8105ce005ff542d8b9758ecc2 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sat, 6 Apr 2024 17:46:42 +0000 Subject: [PATCH 24/25] add new lines at the end of files 
Signed-off-by: Chandan-DK --- .../enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml | 1 + .../.chainsaw-test/podcontrollers-bad.yaml | 3 ++- .../.chainsaw-test/podcontrollers-good.yaml | 3 ++- other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml | 3 ++- other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml | 3 ++- .../enforce-pod-duration/.chainsaw-test/policy-ready.yaml | 1 + other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml | 1 + other-cel/enforce-pod-duration/.kyverno-test/resources.yaml | 1 + .../enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml | 3 ++- .../ensure-probes-different/.chainsaw-test/chainsaw-test.yaml | 1 + other-cel/ensure-probes-different/.chainsaw-test/ns.yaml | 3 ++- .../.chainsaw-test/podcontrollers-bad.yaml | 3 ++- .../.chainsaw-test/podcontrollers-good.yaml | 3 ++- .../ensure-probes-different/.chainsaw-test/policy-ready.yaml | 1 + .../ensure-probes-different/.kyverno-test/kyverno-test.yaml | 1 + .../ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml | 3 ++- .../ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml | 3 ++- .../ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml | 3 ++- .../ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml | 3 ++- .../ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml | 3 ++- .../ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml | 1 + .../ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml | 3 ++- .../.chainsaw-test/podcontrollers-bad.yaml | 3 ++- .../.chainsaw-test/podcontrollers-good.yaml | 3 ++- .../ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml | 3 ++- .../ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml | 3 ++- .../ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml | 1 + .../ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml | 3 ++- .../ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml | 3 ++- other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml | 1 + 
other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml | 1 + .../forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml | 3 ++- .../forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml | 3 ++- other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml | 3 ++- other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml | 3 ++- other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml | 1 + other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml | 1 + other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml | 1 + .../imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml | 1 + other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml | 3 ++- other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml | 3 ++- .../.chainsaw-test/podcontroller-bad.yaml | 3 ++- .../.chainsaw-test/podcontroller-good.yaml | 3 ++- .../imagepullpolicy-always/.chainsaw-test/policy-ready.yaml | 1 + .../imagepullpolicy-always/.kyverno-test/kyverno-test.yaml | 1 + other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml | 3 ++- .../ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml | 1 + .../ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml | 3 ++- .../ingress-host-match-tls/.chainsaw-test/ingress-good.yaml | 3 ++- .../ingress-host-match-tls/.chainsaw-test/policy-ready.yaml | 1 + .../ingress-host-match-tls/.kyverno-test/kyverno-test.yaml | 1 + other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml | 1 + other-cel/ingress-host-match-tls/artifacthub-pkg.yml | 1 + .../limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml | 1 + other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml | 3 ++- .../limit-containers-per-pod/.chainsaw-test/pod-good.yaml | 3 ++- .../.chainsaw-test/podcontroller-bad.yaml | 3 ++- .../.chainsaw-test/podcontroller-good.yaml | 3 ++- .../limit-containers-per-pod/.chainsaw-test/policy-ready.yaml | 1 + .../limit-containers-per-pod/.kyverno-test/kyverno-test.yaml | 1 + 
other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml | 1 + .../limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml | 1 + .../limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml | 1 + other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml | 1 + other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml | 3 ++- .../limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml | 1 + other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml | 1 + other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml | 1 + 68 files changed, 104 insertions(+), 36 deletions(-) diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml index 2444c53c1..18c018e87 100755 --- a/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml @@ -36,3 +36,4 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml index 2456f925f..7668856fd 100644 --- a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml +++ b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml @@ -39,4 +39,5 @@ spec: containers: - image: busybox:1.35 name: busybox - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml index 49f7d105c..8cf26dc07 100644 --- a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml +++ b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml @@ -78,4 +78,5 @@ spec: containers: - image: busybox:1.35 name: busybox - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + 
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml index e12fe5b2f..bca56ed61 100644 --- a/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml +++ b/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml @@ -20,4 +20,5 @@ metadata: spec: containers: - image: busybox:1.35 - name: busybox \ No newline at end of file + name: busybox + diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml index 72af42c34..8e5741b96 100644 --- a/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml +++ b/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml @@ -40,4 +40,5 @@ metadata: spec: containers: - image: busybox:1.35 - name: busybox \ No newline at end of file + name: busybox + diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml index b53713baf..2530f09c7 100755 --- a/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml +++ b/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: pod-lifetime status: ready: true + diff --git a/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml b/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml index d4eaab5bd..da3c01fd4 100644 --- a/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml +++ b/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml @@ -19,3 +19,4 @@ results: - test-lifetime-pass result: pass rule: pods-lifetime + diff --git a/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml b/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml index 6d50f9124..b40ef2969 100644 --- a/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml +++ b/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml 
@@ -21,3 +21,4 @@ spec:
 containers:
 - name: nginx
 image: nginx:1.12
+
diff --git a/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml b/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml
index 12ad90cbe..31c6b838a 100644
--- a/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml
+++ b/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml
@@ -18,4 +18,5 @@ results:
 resources:
 - goodpvc
 result: pass
- rule: readwrite-pvc-single-pod
\ No newline at end of file
+ rule: readwrite-pvc-single-pod
+
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml
index bbb493dc3..119c554b3 100755
--- a/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml
+++ b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml
@@ -35,3 +35,4 @@ spec:
 try:
 - script:
 content: kubectl delete all --all --force --grace-period=0 -n ensure-probes-different-ns
+
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml b/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml
index 09dda4489..055f17f7e 100644
--- a/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml
+++ b/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml
@@ -1,4 +1,5 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: ensure-probes-different-ns
\ No newline at end of file
+ name: ensure-probes-different-ns
+
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
index b050a0094..4042ab8a8 100644
--- a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml
@@ -112,4 +112,5 @@ spec:
 httpGet:
 path: /healthz
 port: 8080
- periodSeconds: 10
\ No newline at end of file
+ periodSeconds: 10
+
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
index c3f04c511..b82e3c264 100644
--- a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml
@@ -110,4 +110,5 @@ spec:
 readinessProbe:
 tcpSocket:
 port: 8080
- periodSeconds: 10
\ No newline at end of file
+ periodSeconds: 10
+
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml b/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml
index 1f660a84a..1a741c0b9 100755
--- a/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml
@@ -4,3 +4,4 @@ metadata:
 name: validate-probes
 status:
 ready: true
+
diff --git a/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml b/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml
index c6d04d095..6812ebacc 100644
--- a/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml
+++ b/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml
@@ -19,3 +19,4 @@ results:
 - mydeploy-1
 result: pass
 rule: validate-probes
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml
index beaaf4b59..be990147d 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml
@@ -13,4 +13,5 @@ spec:
 volumes:
 - name: foo
 hostPath:
- path: /var/log
\ No newline at end of file
+ path: /var/log
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml
index 91629aa37..351cf44bc 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml
@@ -18,4 +18,5 @@ spec:
 path: /var/log
 - name: bar
 hostPath:
- path: /etc
\ No newline at end of file
+ path: /etc
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml
index e67aca6c7..4b0703656 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml
@@ -19,4 +19,5 @@ spec:
 path: /var/log
 - name: bar
 hostPath:
- path: /etc
\ No newline at end of file
+ path: /etc
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml
index b1923c5d8..9f803e8ec 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml
@@ -24,4 +24,5 @@ spec:
 path: /var/log
 - name: bar
 hostPath:
- path: /etc
\ No newline at end of file
+ path: /etc
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml
index 7104c5947..8783a36ea 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml
@@ -36,4 +36,5 @@ spec:
 path: /var/log
 - name: bar
 hostPath:
- path: /etc
\ No newline at end of file
+ path: /etc
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml
index 4aeea23f3..d6e330389 100755
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml
@@ -63,3 +63,4 @@ spec:
 - check:
 ($error != null): true
 file: podcontrollers-bad.yaml
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml
index 2b291bf72..ebc36fa0b 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml
@@ -33,4 +33,5 @@ spec:
 volumes:
 - name: foo
 hostPath:
- path: /var/log
\ No newline at end of file
+ path: /var/log
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml
index be0eb2e1f..3ecab0318 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml
@@ -71,4 +71,5 @@ spec:
 - name: foo
 hostPath:
 path: /var/log
- restartPolicy: OnFailure
\ No newline at end of file
+ restartPolicy: OnFailure
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml
index ca7f558d4..d7d6eaac7 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml
@@ -71,4 +71,5 @@ spec:
 - name: foo
 hostPath:
 path: /var/log
- restartPolicy: OnFailure
\ No newline at end of file
+ restartPolicy: OnFailure
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml
index 9430edd30..b11e3fc29 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml
@@ -23,4 +23,5 @@ spec:
 volumes:
 - name: foo
 hostPath:
- path: /var/log
\ No newline at end of file
+ path: /var/log
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml
index 584c6ce57..15a373855 100644
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml
@@ -23,4 +23,5 @@ spec:
 volumes:
 - name: foo
 hostPath:
- path: /var/log
\ No newline at end of file
+ path: /var/log
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml
index 9668eb938..b9b225ce6 100755
--- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml
@@ -4,3 +4,4 @@ metadata:
 name: ensure-readonly-hostpath
 status:
 ready: true
+
diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml
index 818c55632..51839206c 100644
--- a/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml
+++ b/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml
@@ -12,4 +12,5 @@ spec:
 volumes:
 - name: foo
 hostPath:
- path: /var/log
\ No newline at end of file
+ path: /var/log
+
diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml
index 81e3eb5a6..9c6331dcf 100644
--- a/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml
+++ b/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml
@@ -13,4 +13,5 @@ spec:
 volumes:
 - name: foo
 hostPath:
- path: /var/log
\ No newline at end of file
+ path: /var/log
+
diff --git a/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml b/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml
index 9db0dd388..1c09131ab 100644
--- a/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml
+++ b/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml
@@ -21,3 +21,4 @@ annotations:
 kyverno/subject: "Pod"
 digest: 5335b84399ed1bb06e70489940d2555cff0c97f7f937aac0fbdf8ee0a188ace1
 createdAt: "2024-04-05T17:39:16Z"
+
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml
index d81a06a33..5025169a3 100755
--- a/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml
+++ b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml
@@ -36,3 +36,4 @@ spec:
 - check:
 ($error != null): true
 file: podcontrollers-bad.yaml
+
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml
index 1dad16455..30cd26d52 100644
--- a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml
+++ b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml
@@ -96,4 +96,5 @@ spec:
 resources:
 limits:
 cpu: 10m
- restartPolicy: OnFailure
\ No newline at end of file
+ restartPolicy: OnFailure
+
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml
index 86af67ba5..03c668ef2 100644
--- a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml
+++ b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml
@@ -80,4 +80,5 @@ spec:
 resources:
 requests:
 cpu: 10m
- restartPolicy: OnFailure
\ No newline at end of file
+ restartPolicy: OnFailure
+
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml
index 84a73e9da..f24adfe86 100644
--- a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml
+++ b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml
@@ -25,4 +25,5 @@ spec:
 image: busybox:1.35
 resources:
 limits:
- cpu: 10m
\ No newline at end of file
+ cpu: 10m
+
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml
index b0aba2e9b..97629fef4 100644
--- a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml
+++ b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml
@@ -17,4 +17,5 @@ spec:
 image: busybox:1.35
 resources:
 requests:
- cpu: 10m
\ No newline at end of file
+ cpu: 10m
+
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml
index b96d2cb6d..2babcc6e6 100755
--- a/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml
@@ -4,3 +4,4 @@ metadata:
 name: forbid-cpu-limits
 status:
 ready: true
+
diff --git a/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml b/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml
index 4b56ba491..7e3a2c5ef 100644
--- a/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml
+++ b/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml
@@ -21,3 +21,4 @@ results:
 - good02
 result: pass
 rule: check-cpu-limits
+
diff --git a/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml b/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml
index bb358f2d0..f29885f30 100644
--- a/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml
+++ b/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml
@@ -47,3 +47,4 @@ spec:
 resources:
 requests:
 cpu: 10m
+
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml
index 73d027b4e..aadc8a25e 100755
--- a/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml
@@ -36,3 +36,4 @@ spec:
 - check:
 ($error != null): true
 file: podcontroller-bad.yaml
+
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
index eb6883232..6949ea364 100644
--- a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml
@@ -41,4 +41,5 @@ spec:
 image: busybox:latest
 imagePullPolicy: Never
 - name: pod02
- image: busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
+
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml
index 65f5d474f..e95c6524f 100644
--- a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml
@@ -58,4 +58,5 @@ spec:
 imagePullPolicy: IfNotPresent
 - name: pod02
 image: busybox:latest
- imagePullPolicy: Always
\ No newline at end of file
+ imagePullPolicy: Always
+
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml
index 770e5393e..aa3f6ecf1 100644
--- a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml
@@ -44,4 +44,5 @@ spec:
 - name: bb03
 image: busybox
 imagePullPolicy: IfNotPresent
- restartPolicy: OnFailure
\ No newline at end of file
+ restartPolicy: OnFailure
+
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml
index 4499d5b17..2e93055ba 100644
--- a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml
@@ -40,4 +40,5 @@ spec:
 image: busybox:latest
 - name: bb03
 image: busybox
- restartPolicy: OnFailure
\ No newline at end of file
+ restartPolicy: OnFailure
+
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml
index adbe3c664..843ff7ef8 100755
--- a/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml
@@ -4,3 +4,4 @@ metadata:
 name: imagepullpolicy-always
 status:
 ready: true
+
diff --git a/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml b/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml
index 252cf757a..c5406a07a 100644
--- a/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml
+++ b/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml
@@ -31,3 +31,4 @@ results:
 - myapp-pod-1
 result: pass
 rule: imagepullpolicy-always
+
diff --git a/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml b/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml
index ec227dcc3..4df92e40f 100644
--- a/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml
+++ b/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml
@@ -64,4 +64,5 @@ spec:
 image: nginx
 imagePullPolicy: "Always"
 ports:
- - containerPort: 80
\ No newline at end of file
+ - containerPort: 80
+
diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml
index 2c7e5c355..ab409abe4 100755
--- a/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml
+++ b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml
@@ -29,3 +29,4 @@ spec:
 - check:
 ($error != null): true
 file: ingress-bad.yaml
+
diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml
index b04cf758e..4ac1a456a 100644
--- a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml
+++ b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml
@@ -79,4 +79,5 @@ spec:
 pathType: Prefix
 tls:
 - hosts:
- - endpoint01
\ No newline at end of file
+ - endpoint01
+
diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml
index 65350b9d3..c1ef3d3dd 100644
--- a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml
+++ b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml
@@ -198,4 +198,5 @@ spec:
 resource:
 apiGroup: k8s.example.com
 kind: StorageBucket
- name: foo-bar
\ No newline at end of file
+ name: foo-bar
+
diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml
index 1bd8a2c79..e9271befe 100755
--- a/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml
@@ -4,3 +4,4 @@ metadata:
 name: ingress-host-match-tls
 status:
 ready: true
+
diff --git a/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml b/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml
index 40067a412..0ce9eb5ef 100644
--- a/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml
+++ b/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml
@@ -23,3 +23,4 @@ results:
 - goodingress04
 result: pass
 rule: host-match-tls
+
diff --git a/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml b/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml
index d2f4354a0..b83e8bf7f 100644
--- a/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml
+++ b/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml
@@ -167,3 +167,4 @@ spec:
 - hosts:
 - endpoint01
 - endpoint02
+
diff --git a/other-cel/ingress-host-match-tls/artifacthub-pkg.yml b/other-cel/ingress-host-match-tls/artifacthub-pkg.yml
index 22483d0ba..344cc88d1 100644
--- a/other-cel/ingress-host-match-tls/artifacthub-pkg.yml
+++ b/other-cel/ingress-host-match-tls/artifacthub-pkg.yml
@@ -21,3 +21,4 @@ annotations:
 kyverno/subject: "Ingress"
 digest: 5442acaa90c6a45509015995028e241374b76d60cc700fbf6dd9f61178ba432f
 createdAt: "2024-04-06T17:22:38Z"
+
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml
index 2a152592a..9722cde91 100755
--- a/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml
@@ -36,3 +36,4 @@ spec:
 - check:
 ($error != null): true
 file: podcontroller-bad.yaml
+
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml
index fe98f797b..96992623a 100644
--- a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml
@@ -13,4 +13,5 @@ spec:
 - name: pod04
 image: busybox:1.35
 - name: pod05
- image: busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
+
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml
index 6e09c3e46..c1f96536b 100644
--- a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml
@@ -22,4 +22,5 @@ spec:
 - name: pod01
 image: busybox:1.35
 - name: pod02
- image: busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
+
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml
index 114495014..718cf5d4d 100644
--- a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml
@@ -48,4 +48,5 @@ spec:
 image: busybox:1.35
 - name: bb05
 image: busybox:1.35
- restartPolicy: OnFailure
\ No newline at end of file
+ restartPolicy: OnFailure
+
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml
index 44639a82d..1a380e941 100644
--- a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml
@@ -44,4 +44,5 @@ spec:
 image: busybox:1.35
 - name: bb04
 image: busybox:1.35
- restartPolicy: OnFailure
\ No newline at end of file
+ restartPolicy: OnFailure
+
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml
index 33f4a1654..5623d2644 100755
--- a/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml
@@ -4,3 +4,4 @@ metadata:
 name: limit-containers-per-pod
 status:
 ready: true
+
diff --git a/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml b/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml
index 2e2681721..807b38981 100644
--- a/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml
+++ b/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml
@@ -31,3 +31,4 @@ results:
 - myapp-pod-1
 result: pass
 rule: limit-containers-per-pod
+
diff --git a/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml b/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml
index e69fb5b5f..e39bdd108 100644
--- a/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml
+++ b/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml
@@ -73,3 +73,4 @@ spec:
 - name: hello5
 image: busybox
 restartPolicy: OnFailure
+
diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml
index 050066bd9..1d18ea171 100755
--- a/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml
+++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml
@@ -29,3 +29,4 @@ spec:
 - check:
 ($error != null): true
 file: pv-bad.yaml
+
diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml
index 3f396191b..4282df611 100755
--- a/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml
@@ -4,3 +4,4 @@ metadata:
 name: limit-hostpath-type-pv
 status:
 ready: true
+
diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml
index 053d7a6ad..022e4ed2c 100644
--- a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml
+++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml
@@ -29,3 +29,4 @@ spec:
 persistentVolumeReclaimPolicy: Retain
 hostPath:
 path: "/etc/data/home"
+
diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml
index 03d1a4d6e..2dd25ac99 100644
--- a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml
+++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml
@@ -28,4 +28,5 @@ spec:
 - ReadWriteOnce
 persistentVolumeReclaimPolicy: Retain
 hostPath:
- path: "/data/home"
\ No newline at end of file
+ path: "/data/home"
+
diff --git a/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml b/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml
index 903d1cae6..c736b0ec1 100644
--- a/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml
+++ b/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml
@@ -19,3 +19,4 @@ results:
 - good-pv
 result: pass
 rule: limit-hostpath-type-pv-to-slash-data
+
diff --git a/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml b/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml
index 1ae2492bd..dd9a7b597 100644
--- a/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml
+++ b/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml
@@ -29,3 +29,4 @@ spec:
 persistentVolumeReclaimPolicy: Retain
 hostPath:
 path: "/etc"
+
diff --git a/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml b/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml
index acaf10931..5d0ee14d9 100644
--- a/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml
+++ b/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml
@@ -21,3 +21,4 @@ annotations:
 kyverno/subject: "PersistentVolume"
 digest: 981a66b5f77de02d3f6623b49c02421dd1adf4e9882d96a2e0219de9dba52672
 createdAt: "2024-04-04T17:35:35Z"
+
From af2936ceb82890fbf8004d7c1f0b640a01da518d Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Mon, 22 Apr 2024 18:35:47 +0530
Subject: [PATCH 25/25] update artifacthub-pkg.yml for enforce-readwriteonce-pod
Co-authored-by: Mariam Fahmy
Signed-off-by: Chandan-DK
---
 other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml b/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml
index a9027462f..520a5ac06 100644
--- a/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml
+++ b/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml
@@ -27,7 +27,7 @@ readme: |
 Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
 kyverno/category: "Sample in CEL"
- kyverno/kubernetesVersion: "1.27-1.28"
+ kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "PersistentVolumeClaims"
 digest: de7662c3394731c2de9205ebdda2da9da69e8022b616ca6e4ea9dbfd8ad2b2a8
 createdAt: "2024-03-31T10:53:27Z"