From 545b49c0ca29fd54fa4c816b0ac7e8b95d4b0523 Mon Sep 17 00:00:00 2001 
From: shivaccuknox <150668714+shivaccuknox@users.noreply.github.com> Date: Wed, 12 Jun 2024 18:49:47 +0530 Subject: [PATCH] fix: nimbus policy status issue (#180) * - nimbus policy status updated - ksps are created - kyverno policies are created * - Add nimbus policy details to Csib Status * - Added e2e test for matchAll csib - Fixed issues with integration tests * - Update test docs * - Removed the check for the kyverno cluster policy status. --- .../clustersecurityintentbinding_types.go | 13 +- api/v1alpha1/zz_generated.deepcopy.go | 5 + ...bus.com_clustersecurityintentbindings.yaml | 11 ++ deployments/nimbus/templates/crds.yaml | 11 ++ ...clustersecurityintentbinding_controller.go | 64 +++++++++ internal/controller/util.go | 20 +++ .../nimbus-kubearmor/manager/manager.go | 2 +- .../nimbus-kyverno/processor/kcpbuilder.go | 43 +++++- .../excludename/README.md | 15 +- .../excludename/chainsaw-test.yaml | 21 +-- ...escape-to-host-dev-prod-regional-csib.yaml | 2 +- .../matchall/chainsaw-test.yaml | 2 +- .../matchname/README.md | 25 +--- .../matchname/chainsaw-test.yaml | 4 +- tests/e2e/dns-manipulation/create/README.md | 8 +- tests/e2e/dns-manipulation/delete/README.md | 10 +- tests/e2e/dns-manipulation/update/README.md | 8 +- .../cluster-kyverno-policy.yaml | 49 +++++++ .../create/README.md | 131 ++++++++++++++++++ .../create/chainsaw-test.yaml | 91 ++++++++++++ .../csib-assert.yaml | 23 +++ .../cwnp-assert.yaml | 32 +++++ .../nimbus-policy-assert-ns-default.yaml | 31 +++++ .../nimbus-policy-assert-ns-dev.yaml | 31 +++++ .../nimbus-policy-assert-ns-staging.yaml | 31 +++++ .../ns.yaml | 12 ++ .../escape-to-host-csib-match-all.yaml | 17 +++ 27 files changed, 638 insertions(+), 74 deletions(-) create mode 100644 tests/e2e/escape-to-host-clusterscoped-matchall/cluster-kyverno-policy.yaml create mode 100644 tests/e2e/escape-to-host-clusterscoped-matchall/create/README.md create mode 100644 tests/e2e/escape-to-host-clusterscoped-matchall/create/chainsaw-test.yaml create 
mode 100644 tests/e2e/escape-to-host-clusterscoped-matchall/csib-assert.yaml create mode 100644 tests/e2e/escape-to-host-clusterscoped-matchall/cwnp-assert.yaml create mode 100644 tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-default.yaml create mode 100644 tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-dev.yaml create mode 100644 tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-staging.yaml create mode 100644 tests/e2e/escape-to-host-clusterscoped-matchall/ns.yaml create mode 100644 tests/e2e/resources/clusterscoped/escape-to-host-csib-match-all.yaml diff --git a/api/v1alpha1/clustersecurityintentbinding_types.go b/api/v1alpha1/clustersecurityintentbinding_types.go index 007310b1..24357d4d 100644 --- a/api/v1alpha1/clustersecurityintentbinding_types.go +++ b/api/v1alpha1/clustersecurityintentbinding_types.go @@ -27,11 +27,13 @@ type ClusterSecurityIntentBindingSpec struct { // ClusterSecurityIntentBindingStatus defines the observed state of ClusterSecurityIntentBinding type ClusterSecurityIntentBindingStatus struct { - Status string `json:"status"` - LastUpdated metav1.Time `json:"lastUpdated,omitempty"` - NumberOfBoundIntents int32 `json:"numberOfBoundIntents"` - BoundIntents []string `json:"boundIntents,omitempty"` - ClusterNimbusPolicy string `json:"clusterNimbusPolicy"` + Status string `json:"status"` + LastUpdated metav1.Time `json:"lastUpdated,omitempty"` + NumberOfBoundIntents int32 `json:"numberOfBoundIntents"` + BoundIntents []string `json:"boundIntents,omitempty"` + ClusterNimbusPolicy string `json:"clusterNimbusPolicy"` + NumberOfNimbusPolicies int32 `json:"numberOfNimbusPolicies"` + NimbusPolicyNamespaces []string `json:"nimbusPolicyNamespaces,omitempty"` } //+kubebuilder:object:root=true 
@@ -40,6 +42,7 @@ type ClusterSecurityIntentBindingStatus struct { //+kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.status" //+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" //+kubebuilder:printcolumn:name="Intents",type="integer",JSONPath=".status.numberOfBoundIntents" +//+kubebuilder:printcolumn:name="NimbusPolicies",type="integer",JSONPath=".status.numberofNimbusPolicies" //+kubebuilder:printcolumn:name="ClusterNimbusPolicy",type="string",JSONPath=".status.clusterNimbusPolicy" //+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index a4cbae4b..0b5958be 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -228,6 +228,11 @@ func (in *ClusterSecurityIntentBindingStatus) DeepCopyInto(out *ClusterSecurityI *out = make([]string, len(*in)) copy(*out, *in) } + if in.NimbusPolicyNamespaces != nil { + in, out := &in.NimbusPolicyNamespaces, &out.NimbusPolicyNamespaces + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecurityIntentBindingStatus. diff --git a/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml b/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml index 5f7bf97f..596ef5a7 100644 --- a/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml +++ b/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml @@ -26,6 +26,9 @@ spec: - jsonPath: .status.numberOfBoundIntents name: Intents type: integer + - jsonPath: .status.numberofNimbusPolicies + name: NimbusPolicies + type: integer - jsonPath: .status.clusterNimbusPolicy name: ClusterNimbusPolicy type: string 
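Review bot: The new print column's JSONPath `.status.numberofNimbusPolicies` does not match the field's JSON tag `numberOfNimbusPolicies` (lower-case `o` in `of`), and JSONPath in CRD print columns is case-sensitive, so the NimbusPolicies column of `kubectl get` will always be empty. Change the marker to `//+kubebuilder:printcolumn:name="NimbusPolicies",type="integer",JSONPath=".status.numberOfNimbusPolicies"` and regenerate the CRDs. The same mistyped path was copied into both `config/crd/bases/...clustersecurityintentbindings.yaml` and `deployments/nimbus/templates/crds.yaml` in this patch, so both need the regenerated output.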
@@ -115,14 +118,22 @@ spec: lastUpdated: format: date-time type: string + nimbusPolicyNamespaces: + items: + type: string + type: array numberOfBoundIntents: format: int32 type: integer + numberOfNimbusPolicies: + format: int32 + type: integer status: type: string required: - clusterNimbusPolicy - numberOfBoundIntents + - numberOfNimbusPolicies - status type: object type: object diff --git a/deployments/nimbus/templates/crds.yaml b/deployments/nimbus/templates/crds.yaml index 96e0dbb5..358314e0 100644 --- a/deployments/nimbus/templates/crds.yaml +++ b/deployments/nimbus/templates/crds.yaml @@ -161,6 +161,9 @@ spec: - jsonPath: .status.numberOfBoundIntents name: Intents type: integer + - jsonPath: .status.numberofNimbusPolicies + name: NimbusPolicies + type: integer - jsonPath: .status.clusterNimbusPolicy name: ClusterNimbusPolicy type: string @@ -250,14 +253,22 @@ spec: lastUpdated: format: date-time type: string + nimbusPolicyNamespaces: + items: + type: string + type: array numberOfBoundIntents: format: int32 type: integer + numberOfNimbusPolicies: + format: int32 + type: integer status: type: string required: - clusterNimbusPolicy - numberOfBoundIntents + - numberOfNimbusPolicies - status type: object type: object diff --git a/internal/controller/clustersecurityintentbinding_controller.go b/internal/controller/clustersecurityintentbinding_controller.go index 2a274570..518249cf 100644 --- a/internal/controller/clustersecurityintentbinding_controller.go +++ b/internal/controller/clustersecurityintentbinding_controller.go @@ -93,6 +93,10 @@ func (r *ClusterSecurityIntentBindingReconciler) Reconcile(ctx context.Context, return requeueWithError(err) } + if err = r.updateCsibStatusWithNpNamespacesInfo(ctx, logger, req); err != nil { + return requeueWithError(err) + } + return doNotRequeue() } 
@@ -486,6 +490,18 @@ func (r *ClusterSecurityIntentBindingReconciler) createOrUpdateNp(ctx context.Co func (r *ClusterSecurityIntentBindingReconciler) updateNpStatus(ctx context.Context, logger logr.Logger, req ctrl.Request, status string) error { np := &v1alpha1.NimbusPolicy{} + + // Get the np object. This might take multiple retries since object might have been just created + if retryErr := retry.OnError(retry.DefaultRetry, apierrors.IsNotFound, func() error { + if err := r.Get(ctx, req.NamespacedName, np); err != nil { + return err + } + return nil + }); retryErr != nil { + logger.Error(retryErr, "failed to fetch NimbusPolicy", "NimbusPolicy.Name", req.Name) + return retryErr + } + if retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error { if err := r.Get(ctx, req.NamespacedName, np); err != nil { return err @@ -678,6 +694,8 @@ func (r *ClusterSecurityIntentBindingReconciler) updateCSibStatusWithBoundSisAnd latestCsib.Status.NumberOfBoundIntents = 0 latestCsib.Status.BoundIntents = nil latestCsib.Status.ClusterNimbusPolicy = "" + latestCsib.Status.NumberOfNimbusPolicies = 0 + latestCsib.Status.NimbusPolicyNamespaces = nil if err := r.Status().Update(ctx, latestCsib); err != nil { logger.Error(err, "failed to update ClusterSecurityIntentBinding status", "ClusterSecurityIntentBinding.Name", latestCsib.Name) return err 
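Review bot: The pre-fetch added at the top of updateNpStatus only serves as a wait for the NimbusPolicy to exist; the object it reads is never used, because the RetryOnConflict closure right below issues the same `r.Get` again. `retry.DefaultRetry` is a fixed-factor backoff of five short steps (on the order of tens of milliseconds in total), which seems too little to cover the cache lag the comment describes; if the goal is to tolerate a just-created object, an exponential policy such as `retry.OnError(retry.DefaultBackoff, apierrors.IsNotFound, func() error { return r.Get(ctx, req.NamespacedName, np) })` is a better fit, or return a requeue to the caller instead of blocking the reconcile. The closure's `if err := ...; err != nil { return err }; return nil` shape can be collapsed to `return r.Get(ctx, req.NamespacedName, np)`. updateNpStatus's body continues outside the hunk.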
@@ -697,3 +715,49 @@ func (r *ClusterSecurityIntentBindingReconciler) updateCSibStatusWithBoundSisAnd return nil } + +func (r *ClusterSecurityIntentBindingReconciler) updateCsibStatusWithNpNamespacesInfo(ctx context.Context, logger logr.Logger, req ctrl.Request) error { + latestCsib := &v1alpha1.ClusterSecurityIntentBinding{} + if err := r.Get(ctx, req.NamespacedName, latestCsib); err != nil && !apierrors.IsNotFound(err) { + logger.Error(err, "failed to fetch ClusterSecurityIntentBinding", "ClusterSecurityIntentBinding.Name", req.Name) + return err + } + + latestCwnp := &v1alpha1.ClusterNimbusPolicy{} + if retryErr := retry.OnError(retry.DefaultRetry, apierrors.IsNotFound, func() error { + if err := r.Get(ctx, req.NamespacedName, latestCwnp); err != nil { + return err + } + return nil + }); retryErr != nil { + if !apierrors.IsNotFound(retryErr) { + logger.Error(retryErr, "failed to fetch ClusterNimbusPolicy", "ClusterNimbusPolicy.Name", req.Name) + return retryErr + } + + // Remove outdated SecurityIntent(s) and ClusterNimbusPolicy info + latestCsib.Status.NumberOfBoundIntents = 0 + latestCsib.Status.BoundIntents = nil + latestCsib.Status.ClusterNimbusPolicy = "" + latestCsib.Status.NumberOfNimbusPolicies = 0 + latestCsib.Status.NimbusPolicyNamespaces = nil + if err := r.Status().Update(ctx, latestCsib); err != nil { + logger.Error(err, "failed to update ClusterSecurityIntentBinding status", "ClusterSecurityIntentBinding.Name", latestCsib.Name) + return err + } + return nil + } + + // Update necessary fields of ClusterSecurityIntentBinding status. 
+ // The other fields will remain the same + npNamespaces := extractNPNamespacesFromCsib(ctx, r.Client, req.Name) + latestCsib.Status.NumberOfNimbusPolicies = int32(len(npNamespaces)) + latestCsib.Status.NimbusPolicyNamespaces = npNamespaces + + if err := r.Status().Update(ctx, latestCsib); err != nil { + logger.Error(err, "failed to update ClusterSecurityIntentBinding status", "ClusterSecurityIntentBinding.Name", latestCsib.Name) + return err + } + + return nil +} diff --git a/internal/controller/util.go b/internal/controller/util.go index 68f603de..17c2142f 100644 --- a/internal/controller/util.go +++ b/internal/controller/util.go @@ -72,6 +72,26 @@ func extractBoundIntentsNameFromCSib(ctx context.Context, c client.Client, name return boundIntentsName } +func extractNPNamespacesFromCsib(ctx context.Context, c client.Client, name string) []string { + logger := log.FromContext(ctx) + + var npNs []string + + nps := &v1alpha1.NimbusPolicyList{} + if err := c.List(ctx, nps); err != nil { + logger.Error(err, "failed to list Nimbus Policies") + return nil + } + + for _, np := range nps.Items { + if np.Name == "nimbus-ctlr-gen-"+name { + npNs = append(npNs, np.Namespace) + } + } + + return npNs +} + func ownerExists(c client.Client, controllee client.Object) bool { // Don't even try to look if it has no ControllerRef. controller := metav1.GetControllerOf(controllee) diff --git a/pkg/adapter/nimbus-kubearmor/manager/manager.go b/pkg/adapter/nimbus-kubearmor/manager/manager.go index 04cc4f08..852701f8 100644 --- a/pkg/adapter/nimbus-kubearmor/manager/manager.go +++ b/pkg/adapter/nimbus-kubearmor/manager/manager.go 
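Review bot: When the ClusterSecurityIntentBinding has already been deleted, updateCsibStatusWithNpNamespacesInfo tolerates the NotFound from the first `r.Get` but then continues with a zero-valued `latestCsib`: it sits through the ClusterNimbusPolicy retry loop and finally calls `r.Status().Update` on an object with no name, which fails and turns a normal deletion into an error requeue. Return early instead, e.g. add `if apierrors.IsNotFound(err) { return nil }` right after the existing error check. The final status write also reuses the object fetched before the retry wait, so a concurrent status update (the preceding bound-intents path writes status in the same reconcile) can fail with a conflict rather than being retried; wrapping the Get-modify-Update in `retry.RetryOnConflict` as updateNpStatus already does would make it resilient. The function starts on the previous SOURCE line but lies entirely within this hunk.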
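Review bot: extractNPNamespacesFromCsib attributes a NimbusPolicy to the binding by name alone (`np.Name == "nimbus-ctlr-gen-"+name`) over a cluster-wide list, so any NimbusPolicy carrying that name — generated for a different owner, or created by hand in some namespace — is counted and surfaced in the CSIB status as if this binding produced it. The kubearmor adapter change in this same patch already treats a `ClusterSecurityIntentBinding` owner reference as the mark of a legitimately generated policy, so the same signal should decide attribution here: require an owner reference of that kind and name, not just a name prefix. This assumes the controller sets that owner reference on the NimbusPolicies it creates, which the adapter's IsOrphan check implies but this hunk does not show.
```go
func extractNPNamespacesFromCsib(ctx context.Context, c client.Client, name string) []string {
	// … unchanged: logger, List call and error handling …
	for i := range nps.Items {
		np := &nps.Items[i]
		for _, ref := range np.GetOwnerReferences() {
			if ref.Kind == "ClusterSecurityIntentBinding" && ref.Name == name {
				npNs = append(npNs, np.Namespace)
				break
			}
		}
	}
	return npNs
}
```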
@@ -107,7 +107,7 @@ func createOrUpdateKsp(ctx context.Context, npName, npNamespace string) { return } - if adapterutil.IsOrphan(np.GetOwnerReferences(), "SecurityIntentBinding") { + if adapterutil.IsOrphan(np.GetOwnerReferences(), "SecurityIntentBinding", "ClusterSecurityIntentBinding") { logger.V(4).Info("Ignoring orphan NimbusPolicy", "NimbusPolicy.Name", npName, "NimbusPolicy.Namespace", npNamespace) return } diff --git a/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go b/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go index ee03f514..0ba3ef23 100644 --- a/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go +++ b/pkg/adapter/nimbus-kyverno/processor/kcpbuilder.go @@ -49,6 +49,8 @@ func buildKcpFor(id string, cnp *v1alpha1.ClusterNimbusPolicy) kyvernov1.Cluster } } +var nsBlackList = []string{"kube-system"} + func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule) kyvernov1.ClusterPolicy { var psa_level api.Level = api.LevelBaseline 
@@ -70,22 +72,51 @@ func clusterEscapeToHost(cnp *v1alpha1.ClusterNimbusPolicy, rule v1alpha1.Rule) var matchFilters, excludeFilters []kyvernov1.ResourceFilter var resourceFilter kyvernov1.ResourceFilter + // exclude kube-system + resourceFilter = kyvernov1.ResourceFilter{ + ResourceDescription: kyvernov1.ResourceDescription{ + Namespaces: nsBlackList, + }, + } + excludeFilters = append(excludeFilters, resourceFilter) + if len(cnp.Spec.NsSelector.MatchNames) > 0 { + if len(cnp.Spec.WorkloadSelector.MatchLabels) > 0 { + resourceFilter = kyvernov1.ResourceFilter{ + ResourceDescription: kyvernov1.ResourceDescription{ + Kinds: []string{ + "v1/Pod", + }, + Namespaces: cnp.Spec.NsSelector.MatchNames, + Selector: &metav1.LabelSelector{ + MatchLabels: cnp.Spec.WorkloadSelector.MatchLabels, + }, + }, + } + + } else { + resourceFilter = kyvernov1.ResourceFilter{ + ResourceDescription: kyvernov1.ResourceDescription{ + Kinds: []string{ + "v1/Pod", + }, + Namespaces: cnp.Spec.NsSelector.MatchNames, + }, + } + } + matchFilters = append(matchFilters, resourceFilter) + + } else if len(cnp.Spec.NsSelector.ExcludeNames) > 0 { + resourceFilter = kyvernov1.ResourceFilter{ ResourceDescription: kyvernov1.ResourceDescription{ Kinds: []string{ "v1/Pod", }, - Namespaces: cnp.Spec.NsSelector.MatchNames, - Selector: &metav1.LabelSelector{ - MatchLabels: cnp.Spec.WorkloadSelector.MatchLabels, - }, }, } matchFilters = append(matchFilters, resourceFilter) - } - if len(cnp.Spec.NsSelector.ExcludeNames) > 0 { resourceFilter = kyvernov1.ResourceFilter{ ResourceDescription: kyvernov1.ResourceDescription{ Namespaces: cnp.Spec.NsSelector.ExcludeNames, diff --git a/tests/controllers/clustersecurityintentbinding/excludename/README.md b/tests/controllers/clustersecurityintentbinding/excludename/README.md index 4d67fad5..ff16448c 100644 --- a/tests/controllers/clustersecurityintentbinding/excludename/README.md +++ b/tests/controllers/clustersecurityintentbinding/excludename/README.md 
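Review bot: In the new `excludeNames` branch the match filter is built with only `Kinds: []string{"v1/Pod"}`, so `cnp.Spec.WorkloadSelector.MatchLabels` is silently dropped and the generated ClusterPolicy is enforced on every Pod in every non-excluded namespace, while the `matchNames` branch above honours the label selector; unless an exclude-names binding cannot carry a workload selector by construction (not visible here), the branch should add `Selector: &metav1.LabelSelector{MatchLabels: cnp.Spec.WorkloadSelector.MatchLabels}` when `len(cnp.Spec.WorkloadSelector.MatchLabels) > 0`, mirroring the other branch. A ClusterNimbusPolicy with neither matchNames nor excludeNames now yields a rule with an empty match block, which Kyverno will most likely reject at admission or apply to nothing, so either guard that case explicitly or document it as a precondition. `nsBlackList` is also a package-level mutable slice whose backing array is shared by every generated exclude filter; build that filter from a fresh literal (or copy the slice) so policies cannot alias each other, and a name such as `excludedNamespaces` reads better.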
@@ -22,9 +22,8 @@ | 12 | [4. Create the management, regional namespaces](#step-4. Create the management, regional namespaces) | 0 | 1 | 0 | 0 | | 13 | [Verify ClusterNimbusPolicy presence](#step-Verify ClusterNimbusPolicy presence) | 0 | 1 | 0 | 0 | | 14 | [Verify NimbusPolicy absence in dev namespace](#step-Verify NimbusPolicy absence in dev namespace) | 0 | 1 | 0 | 0 | -| 15 | [Verify NimbusPolicy absence in dev namespace](#step-Verify NimbusPolicy absence in dev namespace) | 0 | 1 | 0 | 0 | -| 16 | [Verify NimbusPolicy absence in prod namespace](#step-Verify NimbusPolicy absence in prod namespace) | 0 | 1 | 0 | 0 | -| 17 | [Verify NimbusPolicy absence in regional namespace](#step-Verify NimbusPolicy absence in regional namespace) | 0 | 1 | 0 | 0 | +| 15 | [Verify NimbusPolicy absence in prod namespace](#step-Verify NimbusPolicy absence in prod namespace) | 0 | 1 | 0 | 0 | +| 16 | [Verify NimbusPolicy absence in regional namespace](#step-Verify NimbusPolicy absence in regional namespace) | 0 | 1 | 0 | 0 | ### Step: `1. Create prod, dev, staging Namespaces` @@ -166,16 +165,6 @@ |:-:|---|:-:|:-:|---| | 1 | `script` | 0 | 0 | *No description* | -### Step: `Verify NimbusPolicy absence in dev namespace` - -*No description* - -#### Try - -| # | Operation | Bindings | Outputs | Description | -|:-:|---|:-:|:-:|---| -| 1 | `script` | 0 | 0 | *No description* | - ### Step: `Verify NimbusPolicy absence in prod namespace` *No description* diff --git a/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml index d53368b4..ef23ae1c 100644 --- a/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml +++ b/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml 
@@ -36,14 +36,14 @@ spec: - name: "Verify NimbusPolicy absence in dev namespace" try: - script: - content: kubectl -n dev get np nimbus-ctrl-gen-escape-to-host + content: kubectl -n dev get np nimbus-ctlr-gen-escape-to-host check: ($error != null): true - name: "Verify NimbusPolicy absence in staging namespace" try: - script: - content: kubectl -n staging get np nimbus-ctrl-gen-escape-to-host + content: kubectl -n staging get np nimbus-ctlr-gen-escape-to-host check: ($error != null): true @@ -65,14 +65,14 @@ spec: - name: "Verify NimbusPolicy absence in dev namespace" try: - script: - content: kubectl -n dev get np nimbus-ctrl-gen-escape-to-host + content: kubectl -n dev get np nimbus-ctlr-gen-escape-to-host check: ($error != null): true - name: "Verify NimbusPolicy absence in prod namespace" try: - script: - content: kubectl -n prod get np nimbus-ctrl-gen-escape-to-host + content: kubectl -n prod get np nimbus-ctlr-gen-escape-to-host check: ($error != null): true @@ -89,27 +89,20 @@ spec: - name: "Verify NimbusPolicy absence in dev namespace" try: - script: - content: kubectl -n dev get np nimbus-ctrl-gen-escape-to-host + content: kubectl -n dev get np nimbus-ctlr-gen-escape-to-host check: ($error != null): true - name: "Verify NimbusPolicy absence in prod namespace" try: - script: - content: kubectl -n prod get np nimbus-ctrl-gen-escape-to-host - check: - ($error != null): true - - - name: "Verify NimbusPolicy absence in prod namespace" - try: - - script: - content: kubectl -n prod get np nimbus-ctrl-gen-escape-to-host + content: kubectl -n prod get np nimbus-ctlr-gen-escape-to-host check: ($error != null): true - name: "Verify NimbusPolicy absence in regional namespace" try: - script: - content: kubectl -n regional get np nimbus-ctrl-gen-escape-to-host + content: kubectl -n regional get np nimbus-ctlr-gen-escape-to-host check: ($error != null): true 
diff --git a/tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-dev-prod-regional-csib.yaml b/tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-dev-prod-regional-csib.yaml index 6d009200..770ffa4c 100644 --- a/tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-dev-prod-regional-csib.yaml +++ b/tests/controllers/clustersecurityintentbinding/excludename/escape-to-host-dev-prod-regional-csib.yaml @@ -10,7 +10,7 @@ spec: - name: escape-to-host selector: nsSelector: - matchNames: + excludeNames: - dev - prod - regional diff --git a/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml index 81656de0..1c41c472 100644 --- a/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml +++ b/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml @@ -76,7 +76,7 @@ spec: - name: "Verify the NimbusPolicy deletion" try: - script: - content: kubectl -n prod get np nimbus-ctrl-gen-dns-manipulation-binding + content: kubectl -n prod get np nimbus-ctlr-gen-dns-manipulation-binding check: ($error != null): true diff --git a/tests/controllers/clustersecurityintentbinding/matchname/README.md b/tests/controllers/clustersecurityintentbinding/matchname/README.md index 18c4b115..5eb82cfb 100644 --- a/tests/controllers/clustersecurityintentbinding/matchname/README.md +++ b/tests/controllers/clustersecurityintentbinding/matchname/README.md 
@@ -15,14 +15,13 @@ | 6 | [Verify NimbusPolicy creation in staging namespace](#step-Verify NimbusPolicy creation in staging namespace) | 0 | 1 | 0 | 0 | | 7 | [Verify NimbusPolicy absence in prod](#step-Verify NimbusPolicy absence in prod) | 0 | 1 | 0 | 0 | | 8 | [Delete staging namespace](#step-Delete staging namespace) | 0 | 1 | 0 | 0 | -| 9 | [Verify the NimbusPolicy deletion in staging](#step-Verify the NimbusPolicy deletion in staging) | 0 | 1 | 0 | 0 | -| 10 | [Verify ClusterNimbusPolicy presence](#step-Verify ClusterNimbusPolicy presence) | 0 | 1 | 0 | 0 | -| 11 | [Verify NimbusPolicy presence in dev namespace](#step-Verify NimbusPolicy presence in dev namespace) | 0 | 1 | 0 | 0 | -| 12 | [Verify NimbusPolicy absence in prod](#step-Verify NimbusPolicy absence in prod) | 0 | 1 | 0 | 0 | -| 13 | [Update the ClusterSecurityIntentBinding to add prod](#step-Update the ClusterSecurityIntentBinding to add prod) | 0 | 1 | 0 | 0 | -| 14 | [Verify ClusterNimbusPolicy presence](#step-Verify ClusterNimbusPolicy presence) | 0 | 1 | 0 | 0 | -| 15 | [Verify NimbusPolicy presence in dev namespace](#step-Verify NimbusPolicy presence in dev namespace) | 0 | 1 | 0 | 0 | -| 16 | [Verify NimbusPolicy presence in prod namespace](#step-Verify NimbusPolicy presence in prod namespace) | 0 | 1 | 0 | 0 | +| 9 | [Verify ClusterNimbusPolicy presence](#step-Verify ClusterNimbusPolicy presence) | 0 | 1 | 0 | 0 | +| 10 | [Verify NimbusPolicy presence in dev namespace](#step-Verify NimbusPolicy presence in dev namespace) | 0 | 1 | 0 | 0 | +| 11 | [Verify NimbusPolicy absence in prod](#step-Verify NimbusPolicy absence in prod) | 0 | 1 | 0 | 0 | +| 12 | [Update the ClusterSecurityIntentBinding to add prod](#step-Update the ClusterSecurityIntentBinding to add prod) | 0 | 1 | 0 | 0 | +| 13 | [Verify ClusterNimbusPolicy presence](#step-Verify ClusterNimbusPolicy presence) | 0 | 1 | 0 | 0 | +| 14 | [Verify NimbusPolicy presence in dev namespace](#step-Verify NimbusPolicy presence in dev 
namespace) | 0 | 1 | 0 | 0 | +| 15 | [Verify NimbusPolicy presence in prod namespace](#step-Verify NimbusPolicy presence in prod namespace) | 0 | 1 | 0 | 0 | ### Step: `Create prod, dev, staging Namespaces` @@ -104,16 +103,6 @@ |:-:|---|:-:|:-:|---| | 1 | `delete` | 0 | 0 | *No description* | -### Step: `Verify the NimbusPolicy deletion in staging` - -*No description* - -#### Try - -| # | Operation | Bindings | Outputs | Description | -|:-:|---|:-:|:-:|---| -| 1 | `script` | 0 | 0 | *No description* | - ### Step: `Verify ClusterNimbusPolicy presence` *No description* diff --git a/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml index 3c878148..c6ace707 100644 --- a/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml +++ b/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml @@ -44,7 +44,7 @@ spec: - name: "Verify NimbusPolicy absence in prod" try: - script: - content: kubectl -n prod get np nimbus-ctrl-gen-escape-to-host + content: kubectl -n prod get np nimbus-ctlr-gen-escape-to-host check: ($error != null): true @@ -76,7 +76,7 @@ spec: - name: "Verify NimbusPolicy absence in prod" try: - script: - content: kubectl -n prod get np nimbus-ctrl-gen-escape-to-host + content: kubectl -n prod get np nimbus-ctlr-gen-escape-to-host check: ($error != null): true diff --git a/tests/e2e/dns-manipulation/create/README.md b/tests/e2e/dns-manipulation/create/README.md index ed97e8b3..38246c1b 100644 --- a/tests/e2e/dns-manipulation/create/README.md +++ b/tests/e2e/dns-manipulation/create/README.md 
@@ -14,8 +14,8 @@ This test validates that creating a `dns-manipulation` SecurityIntent with Secur | 5 | [Verify KubeArmorPolicy creation](#step-Verify KubeArmorPolicy creation) | 0 | 1 | 0 | 0 | | 6 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 0 | 1 | 0 | 0 | | 7 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 0 | 1 | 0 | 0 | -| 8 | [Verify that the corresponding netpol native policy is being updated in the NimbusPolicy status](#step-Verify that the corresponding netpol native policy is being updated in the NimbusPolicy status) | 0 | 1 | 0 | 0 | -| 9 | [Verify that the corresponding kubearmor native policy is being updated in the NimbusPolicy status](#step-Verify that the corresponding kubearmor native policy is being updated in the NimbusPolicy status) | 0 | 1 | 0 | 0 | +| 8 | [Verify that the corresponding NimbusPolicy status has been updated with the generated Network Policy](#step-Verify that the corresponding NimbusPolicy status has been updated with the generated Network Policy) | 0 | 1 | 0 | 0 | +| 9 | [Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy](#step-Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy) | 0 | 1 | 0 | 0 | ### Step: `Create a SecurityIntent` @@ -88,7 +88,7 @@ Verify the created SecurityIntentBinding status subresource includes the number |:-:|---|:-:|:-:|---| | 1 | `assert` | 0 | 0 | *No description* | -### Step: `Verify that the corresponding netpol native policy is being updated in the NimbusPolicy status` +### Step: `Verify that the corresponding NimbusPolicy status has been updated with the generated Network Policy` *No description* 
@@ -98,7 +98,7 @@ Verify the created SecurityIntentBinding status subresource includes the number |:-:|---|:-:|:-:|---| | 1 | `script` | 0 | 0 | *No description* | -### Step: `Verify that the corresponding kubearmor native policy is being updated in the NimbusPolicy status` +### Step: `Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy` *No description* diff --git a/tests/e2e/dns-manipulation/delete/README.md b/tests/e2e/dns-manipulation/delete/README.md index 655aa098..a999c04a 100644 --- a/tests/e2e/dns-manipulation/delete/README.md +++ b/tests/e2e/dns-manipulation/delete/README.md @@ -1,6 +1,6 @@ # Test: `netpol-kubearmor-adapter-policy-deletion` -This test validates if the adapters re-create their manually deleted generated policyies. +This test validates if the adapters re-create their manually deleted generated policies. ## Steps @@ -11,8 +11,8 @@ This test validates if the adapters re-create their manually deleted generated p | 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | | 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 | | 4 | [Verify NetworkPolicy creation](#step-Verify NetworkPolicy creation) | 0 | 1 | 0 | 0 | -| 5 | [Delete existing Netpol](#step-Delete existing Netpol) | 0 | 1 | 0 | 0 | -| 6 | [Verify Netpol recreation](#step-Verify Netpol recreation) | 0 | 1 | 0 | 0 | +| 5 | [Delete existing NetworkPolicy](#step-Delete existing NetworkPolicy) | 0 | 1 | 0 | 0 | +| 6 | [Verify NetworkPolicy recreation](#step-Verify NetworkPolicy recreation) | 0 | 1 | 0 | 0 | | 7 | [Delete existing KubearmorPolicy](#step-Delete existing KubearmorPolicy) | 0 | 1 | 0 | 0 | | 8 | [Verify KubearmorPolicy recreation](#step-Verify KubearmorPolicy recreation) | 0 | 1 | 0 | 0 | 
@@ -56,7 +56,7 @@ This test validates if the adapters re-create their manually deleted generated p |:-:|---|:-:|:-:|---| | 1 | `assert` | 0 | 0 | *No description* | -### Step: `Delete existing Netpol` +### Step: `Delete existing NetworkPolicy` *No description* @@ -66,7 +66,7 @@ This test validates if the adapters re-create their manually deleted generated p |:-:|---|:-:|:-:|---| | 1 | `delete` | 0 | 0 | *No description* | -### Step: `Verify Netpol recreation` +### Step: `Verify NetworkPolicy recreation` *No description* diff --git a/tests/e2e/dns-manipulation/update/README.md b/tests/e2e/dns-manipulation/update/README.md index 0473c677..04b62a25 100644 --- a/tests/e2e/dns-manipulation/update/README.md +++ b/tests/e2e/dns-manipulation/update/README.md @@ -12,8 +12,8 @@ This test validates that direct updates to the generated adapter's policies are | 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 | | 4 | [Verify NetworkPolicy creation](#step-Verify NetworkPolicy creation) | 0 | 1 | 0 | 0 | | 5 | [Verify KubearmorPolicy creation](#step-Verify KubearmorPolicy creation) | 0 | 1 | 0 | 0 | -| 6 | [Update existing Netpol](#step-Update existing Netpol) | 0 | 1 | 0 | 0 | -| 7 | [Verify discarding of the changes made in netpol](#step-Verify discarding of the changes made in netpol) | 0 | 1 | 0 | 0 | +| 6 | [Update existing NetworkPolicy](#step-Update existing NetworkPolicy) | 0 | 1 | 0 | 0 | +| 7 | [Verify discarding of the changes made in NetworkPolicy](#step-Verify discarding of the changes made in NetworkPolicy) | 0 | 1 | 0 | 0 | | 8 | [Update existing KubearmorPolicy](#step-Update existing KubearmorPolicy) | 0 | 1 | 0 | 0 | | 9 | [Verify discarding of the changes made in KubeArmorPolicy](#step-Verify discarding of the changes made in KubeArmorPolicy) | 0 | 1 | 0 | 0 | 
@@ -67,7 +67,7 @@ This test validates that direct updates to the generated adapter's policies are |:-:|---|:-:|:-:|---| | 1 | `assert` | 0 | 0 | *No description* | -### Step: `Update existing Netpol` +### Step: `Update existing NetworkPolicy` *No description* @@ -77,7 +77,7 @@ This test validates that direct updates to the generated adapter's policies are |:-:|---|:-:|:-:|---| | 1 | `apply` | 0 | 0 | *No description* | -### Step: `Verify discarding of the changes made in netpol` +### Step: `Verify discarding of the changes made in NetworkPolicy` *No description* diff --git a/tests/e2e/escape-to-host-clusterscoped-matchall/cluster-kyverno-policy.yaml b/tests/e2e/escape-to-host-clusterscoped-matchall/cluster-kyverno-policy.yaml new file mode 100644 index 00000000..e796a5f2 --- /dev/null +++ b/tests/e2e/escape-to-host-clusterscoped-matchall/cluster-kyverno-policy.yaml @@ -0,0 +1,49 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2024 Authors of Nimbus + +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + app.kubernetes.io/managed-by: nimbus-kyverno + policies.kyverno.io/description: A attacker can breach container boundaries and + can gain access to the host machine + name: escape-to-host-binding-escapetohost + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: ClusterNimbusPolicy + name: escape-to-host-binding +spec: + admission: true + background: true + rules: + - exclude: + any: + - resources: + namespaces: + - kube-system + resources: {} + generate: + clone: {} + cloneList: {} + match: + any: + - resources: + kinds: + - v1/Pod + namespaces: + - '*' + selector: + matchLabels: + app: nginx + resources: {} + mutate: {} + name: restricted + skipBackgroundRequests: true + validate: + podSecurity: + level: baseline + version: latest + validationFailureAction: Enforce \ No newline at end of file 
diff --git a/tests/e2e/escape-to-host-clusterscoped-matchall/create/README.md b/tests/e2e/escape-to-host-clusterscoped-matchall/create/README.md new file mode 100644 index 00000000..e31e2bd7 --- /dev/null +++ b/tests/e2e/escape-to-host-clusterscoped-matchall/create/README.md 
@@ -0,0 +1,131 @@
+# Test: `escape-to-host-clusterscoped-matchall-adapter-policy-creation`
+
+This test validates that creating a `escapeToHost` SecurityIntent with ClusterSecurityIntentBinding with a matchNames of "*" generates the expected cluster Kyverno Policy, and kubearmor policies in all the namespaces in the cluster except kube-system
+
+
+## Steps
+
+| # | Name | Bindings | Try | Catch | Finally |
+|:-:|---|:-:|:-:|:-:|:-:|
+| 1 | [Create the dev, staging namespaces ](#step-Create the dev, staging namespaces ) | 0 | 1 | 0 | 0 |
+| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 |
+| 3 | [Create a ClusterSecurityIntentBinding](#step-Create a ClusterSecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 4 | [Verify ClusterNimbusPolicy creation](#step-Verify ClusterNimbusPolicy creation) | 0 | 1 | 0 | 0 |
+| 5 | [Verify Nimbus Policy creation in dev](#step-Verify Nimbus Policy creation in dev) | 0 | 1 | 0 | 0 |
+| 6 | [Verify Nimbus Policy creation in staging](#step-Verify Nimbus Policy creation in staging) | 0 | 1 | 0 | 0 |
+| 7 | [Verify Nimbus Policy creation in default](#step-Verify Nimbus Policy creation in default) | 0 | 1 | 0 | 0 |
+| 8 | [Verify NimbusPolicy absence in kube-system](#step-Verify NimbusPolicy absence in kube-system) | 0 | 1 | 0 | 0 |
+| 9 | [Verify Cluster KyvernoPolicy creation](#step-Verify Cluster KyvernoPolicy creation) | 0 | 1 | 0 | 0 |
+| 10 | [Verify spec, status of created ClusterSecurityIntentBinding](#step-Verify spec, status of created ClusterSecurityIntentBinding) | 0 | 2 | 2 | 0 |
+
+### Step: `Create the dev, staging namespaces `
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Create a SecurityIntent`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Create a ClusterSecurityIntentBinding`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify ClusterNimbusPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify Nimbus Policy creation in dev`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify Nimbus Policy creation in staging`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify Nimbus Policy creation in default`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy absence in kube-system`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `Verify Cluster KyvernoPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify spec, status of created ClusterSecurityIntentBinding`
+
+Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, along with the generated NimbusPolicy name.
+
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 1 | *No description* |
+| 2 | `assert` | 0 | 0 | *No description* |
+
+#### Catch
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+| 2 | `script` | 0 | 0 | *No description* |
+
+---
+
diff --git a/tests/e2e/escape-to-host-clusterscoped-matchall/create/chainsaw-test.yaml b/tests/e2e/escape-to-host-clusterscoped-matchall/create/chainsaw-test.yaml
new file mode 100644
index 00000000..33ae84f2
--- /dev/null
+++ b/tests/e2e/escape-to-host-clusterscoped-matchall/create/chainsaw-test.yaml
@@ -0,0 +1,91 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: escape-to-host-clusterscoped-matchall-adapter-policy-creation
+spec:
+ description: >
+ This test validates that creating a `escapeToHost` SecurityIntent with ClusterSecurityIntentBinding with a matchNames of "*" generates the expected cluster Kyverno Policy, and kubearmor policies in all the namespaces in the cluster except kube-system
+ steps:
+ - name: "Create the dev, staging namespaces "
+ try:
+ - apply:
+ file: ../ns.yaml
+ - assert:
+ file: ../ns.yaml
+
+ - name: "Create a SecurityIntent"
+ try:
+ - apply:
+ file: ../../resources/namespaced/escape-to-host-si.yaml
+
+ - name: "Create a ClusterSecurityIntentBinding"
+ try:
+ - apply:
+ file: ../../resources/clusterscoped/escape-to-host-csib-match-all.yaml
+
+ - name: "Verify ClusterNimbusPolicy creation"
+ try:
+ - assert:
+ file: ../cwnp-assert.yaml
+
+ - name: "Verify Nimbus Policy creation in dev"
+ try:
+ - assert:
+ file: ../nimbus-policy-assert-ns-dev.yaml
+
+ - name: "Verify Nimbus Policy creation in staging"
+ try:
+ - assert:
+ file: ../nimbus-policy-assert-ns-staging.yaml
+
+ - name: "Verify Nimbus Policy creation in default"
+ try:
+ - assert:
+ file: ../nimbus-policy-assert-ns-default.yaml
+
+ - name: "Verify NimbusPolicy absence in kube-system"
+ try:
+ - script:
+ content: kubectl -n kube-system get np nimbus-ctlr-gen-escape-to-host-binding
+ check:
+ ($error != null): true
+
+ - name: "Verify Cluster KyvernoPolicy creation"
+ try:
+ - assert:
+ file: ../cluster-kyverno-policy.yaml
+ catch:
+ - script:
+ content: kubectl get cpol escape-to-host-binding-escapetohost -o yaml
+
+ - name: "Verify spec, status of created ClusterSecurityIntentBinding"
+ description: >
+ Verify that created ClusterSecurityIntentBinding status subresource includes the number and names of
+ bound intents, along with the names of generated NimbusPolicy.
+ try:
+ - assert:
+ file: ../csib-assert.yaml
+ - script:
+ content: kubectl get csib escape-to-host-binding -o=jsonpath='{.status.nimbusPolicyNamespaces}'
+ check:
+ (contains($stdout, 'default')): true
+ - script:
+ content: kubectl get csib escape-to-host-binding -o=jsonpath='{.status.nimbusPolicyNamespaces}'
+ check:
+ (contains($stdout, 'dev')): true
+ - script:
+ content: kubectl get csib escape-to-host-binding -o=jsonpath='{.status.nimbusPolicyNamespaces}'
+ check:
+ (contains($stdout, 'staging')): true
+ - script:
+ content: kubectl get csib escape-to-host-binding -o=jsonpath='{.status.nimbusPolicyNamespaces}'
+ check:
+ (contains($stdout, 'kube-system')): false
+ catch:
+ - script:
+ content: kubectl get ns
+ - script:
+ content: kubectl get csib escape-to-host-binding -o yaml
diff --git a/tests/e2e/escape-to-host-clusterscoped-matchall/csib-assert.yaml b/tests/e2e/escape-to-host-clusterscoped-matchall/csib-assert.yaml
new file mode 100644
index 00000000..64a15f86
--- /dev/null
+++ b/tests/e2e/escape-to-host-clusterscoped-matchall/csib-assert.yaml
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterSecurityIntentBinding
+metadata:
+ name: escape-to-host-binding
+spec:
+ intents:
+ - name: escape-to-host
+ selector:
+ nsSelector:
+ matchNames:
+ - '*'
+ workloadSelector:
+ matchLabels:
+ app: nginx
+status:
+ boundIntents:
+ - escape-to-host
+ clusterNimbusPolicy: escape-to-host-binding
+ numberOfBoundIntents: 1
+ status: Created
diff --git a/tests/e2e/escape-to-host-clusterscoped-matchall/cwnp-assert.yaml b/tests/e2e/escape-to-host-clusterscoped-matchall/cwnp-assert.yaml
new file mode 100644
index 00000000..81bbf50c
--- /dev/null
+++ b/tests/e2e/escape-to-host-clusterscoped-matchall/cwnp-assert.yaml
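Review bot: In the "Verify NimbusPolicy absence in kube-system" step the check `($error != null): true` is satisfied by any failure of the kubectl call — an unreachable API server, a missing kubeconfig or an RBAC denial all pass — so the step does not actually establish that the NimbusPolicy is absent. Match the NotFound error instead, e.g. add `(contains($stderr, 'not found')): true` under the same `check`. The four `nimbusPolicyNamespaces` scripts run the same `kubectl get` and could be one script with the four `contains` expressions under a single `check`; note too that `contains($stdout, 'dev')` also matches a namespace such as `devops` if one exists in the cluster. The README added in this commit documents step 10 with two try operations (`script`, `assert`) while this file has an `assert` followed by four `script`s, so the generated docs appear stale.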
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterNimbusPolicy
+metadata:
+ name: escape-to-host-binding
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: ClusterSecurityIntentBinding
+ name: escape-to-host-binding
+spec:
+ rules:
+ - description: A attacker can breach container boundaries and can gain access to
+ the host machine
+ id: escapeToHost
+ rule:
+ action: Block
+ nodeSelector: {}
+ nsSelector:
+ matchNames:
+ - '*'
+ workloadSelector:
+ matchLabels:
+ app: nginx
+status:
+ adapterPolicies:
+ - KyvernoClusterPolicy/escape-to-host-binding-escapetohost
+ numberOfAdapterPolicies: 1
+ status: Created
diff --git a/tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-default.yaml b/tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-default.yaml
new file mode 100644
index 00000000..3f56aaeb
--- /dev/null
+++ b/tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-default.yaml
@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+ name: nimbus-ctlr-gen-escape-to-host-binding
+ namespace: default
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: ClusterSecurityIntentBinding
+ name: escape-to-host-binding
+spec:
+ rules:
+ - description: A attacker can breach container boundaries and can gain access
+ to the host machine
+ id: escapeToHost
+ rule:
+ action: Block
+ selector:
+ matchLabels:
+ app: nginx
+status:
+ adapterPolicies:
+ - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowchroot
+ - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowcapabilities
+ - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-swdeploymenttools
+ numberOfAdapterPolicies: 3
+ status: Created
\ No newline at end of file
diff --git a/tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-dev.yaml b/tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-dev.yaml
new file mode 100644
index 00000000..485af096
--- /dev/null
+++ b/tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-dev.yaml
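Review bot: nimbus-policy-assert-ns-default.yaml, the -ns-dev.yaml and -ns-staging.yaml fixtures that follow it are identical apart from `metadata.namespace` (and the staging file's copyright year, 2023 against 2024 in the other two), so any change to the expected rule or adapter-policy list has to be made three times and can silently drift. If I recall the feature correctly, Chainsaw can template assert files from `bindings`, which would let a single fixture carry `namespace: ($ns)` and be reused for each namespace; if the project prefers literal fixtures, at least aligning the header comment keeps the three files diffable against each other.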
@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+ name: nimbus-ctlr-gen-escape-to-host-binding
+ namespace: dev
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: ClusterSecurityIntentBinding
+ name: escape-to-host-binding
+spec:
+ rules:
+ - description: A attacker can breach container boundaries and can gain access
+ to the host machine
+ id: escapeToHost
+ rule:
+ action: Block
+ selector:
+ matchLabels:
+ app: nginx
+status:
+ adapterPolicies:
+ - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowchroot
+ - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowcapabilities
+ - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-swdeploymenttools
+ numberOfAdapterPolicies: 3
+ status: Created
diff --git a/tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-staging.yaml b/tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-staging.yaml
new file mode 100644
index 00000000..aa0e0848
--- /dev/null
+++ b/tests/e2e/escape-to-host-clusterscoped-matchall/nimbus-policy-assert-ns-staging.yaml
@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+ name: nimbus-ctlr-gen-escape-to-host-binding
+ namespace: staging
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: ClusterSecurityIntentBinding
+ name: escape-to-host-binding
+spec:
+ rules:
+ - description: A attacker can breach container boundaries and can gain access
+ to the host machine
+ id: escapeToHost
+ rule:
+ action: Block
+ selector:
+ matchLabels:
+ app: nginx
+status:
+ adapterPolicies:
+ - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowchroot
+ - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-disallowcapabilities
+ - KubeArmorPolicy/nimbus-ctlr-gen-escape-to-host-binding-escapetohost-swdeploymenttools
+ numberOfAdapterPolicies: 3
+ status: Created
diff --git a/tests/e2e/escape-to-host-clusterscoped-matchall/ns.yaml b/tests/e2e/escape-to-host-clusterscoped-matchall/ns.yaml
new file mode 100644
index 00000000..c6f19a16
--- /dev/null
+++ b/tests/e2e/escape-to-host-clusterscoped-matchall/ns.yaml
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of Nimbus
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: dev
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging
\ No newline at end of file
diff --git a/tests/e2e/resources/clusterscoped/escape-to-host-csib-match-all.yaml b/tests/e2e/resources/clusterscoped/escape-to-host-csib-match-all.yaml
new file mode 100644
index 00000000..d3b6935a
--- /dev/null
+++ b/tests/e2e/resources/clusterscoped/escape-to-host-csib-match-all.yaml
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterSecurityIntentBinding
+metadata:
+ name: escape-to-host-binding
+spec:
+ intents:
+ - name: escape-to-host
+ selector:
+ nsSelector:
+ matchNames:
+ - "*"
+ workloadSelector:
+ matchLabels:
+ app: nginx