From 3b1d0f96dd85a35149f90d2a3a58589b56a4567f Mon Sep 17 00:00:00 2001
From: Ved Ratan
Date: Thu, 2 May 2024 20:01:01 +0530
Subject: [PATCH] added chainsaw tests for nimbus-kyverno-adapter 
Signed-off-by: Ved Ratan
---
 .../controllers/nimbuspolicy/delete/README.md | 69 ++++++------
 .../controllers/nimbuspolicy/update/README.md | 69 ++++++------
 tests/controllers/securityintent/README.md | 33 +++---
 .../securityintentbinding/create/README.md | 69 ++++++------
 .../securityintentbinding/delete/README.md | 57 +++++-----
 .../securityintentbinding/update/README.md | 57 +++++-----
 .../controllers/sis-and-sibs/create/README.md | 81 +++++++-------
 .../controllers/sis-and-sibs/delete/README.md | 81 +++++++-------
 .../controllers/sis-and-sibs/update/README.md | 105 +++++++++---------
 tests/e2e/escape-to-host/create/README.md | 90 +++++++++++++++
 .../escape-to-host/create/chainsaw-test.yaml | 52 +++++++++
 tests/e2e/escape-to-host/delete/README.md | 78 +++++++++++++
 .../escape-to-host/delete/chainsaw-test.yaml | 52 +++++++++
 tests/e2e/escape-to-host/kyverno-policy.yaml | 40 +++++++
 .../escape-to-host/nimbus-policy-assert.yaml | 23 ++++
 .../e2e/escape-to-host/np-status-assert.yaml | 16 +++
 .../e2e/escape-to-host/sib-status-assert.yaml | 13 +++
 tests/e2e/escape-to-host/update/README.md | 78 +++++++++++++
 .../escape-to-host/update/chainsaw-test.yaml | 42 +++++++
 .../updated-kyverno-policy.yaml | 34 ++++++
 .../namespaced/escape-to-host-si.yaml | 12 ++
 .../namespaced/escape-to-host-sib.yaml | 17 +++
 22 files changed, 871 insertions(+), 297 deletions(-)
 create mode 100644 tests/e2e/escape-to-host/create/README.md
 create mode 100644 tests/e2e/escape-to-host/create/chainsaw-test.yaml
 create mode 100644 tests/e2e/escape-to-host/delete/README.md
 create mode 100644 tests/e2e/escape-to-host/delete/chainsaw-test.yaml
 create mode 100644 tests/e2e/escape-to-host/kyverno-policy.yaml
 create mode 100644 tests/e2e/escape-to-host/nimbus-policy-assert.yaml
 create mode 100644 tests/e2e/escape-to-host/np-status-assert.yaml
 create mode 100644 tests/e2e/escape-to-host/sib-status-assert.yaml
 create mode 100644 tests/e2e/escape-to-host/update/README.md
 create mode 100644 
tests/e2e/escape-to-host/update/chainsaw-test.yaml
 create mode 100644 tests/e2e/escape-to-host/updated-kyverno-policy.yaml
 create mode 100644 tests/e2e/resources/namespaced/escape-to-host-si.yaml
 create mode 100644 tests/e2e/resources/namespaced/escape-to-host-sib.yaml
diff --git a/tests/controllers/nimbuspolicy/delete/README.md b/tests/controllers/nimbuspolicy/delete/README.md
index 579076a0..c3fb5eac 100644
--- a/tests/controllers/nimbuspolicy/delete/README.md
+++ b/tests/controllers/nimbuspolicy/delete/README.md
@@ -3,62 +3,65 @@ This test validates that when a NimbusPolicy is directly deleted, nimbus automatically re-creates the deleted NimbusPolicy or not. -### Steps +## Steps -| # | Name | Try | Catch | Finally | -|:-:|---|:-:|:-:|:-:| -| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 | -| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 1 | 0 | 0 | -| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 1 | 0 | 0 | -| 4 | [Delete existing NimbusPolicy](#step-Delete existing NimbusPolicy) | 1 | 0 | 0 | -| 5 | [Verify NimbusPolicy recreation](#step-Verify NimbusPolicy recreation) | 1 | 0 | 0 | +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | +| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 4 | [Delete existing NimbusPolicy](#step-Delete existing NimbusPolicy) | 0 | 1 | 0 | 0 | +| 5 | [Verify NimbusPolicy recreation](#step-Verify NimbusPolicy recreation) | 0 | 1 | 0 | 0 | -## Step: `Create a SecurityIntent` +### Step: `Create a SecurityIntent` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Create a SecurityIntentBinding` +### Step: `Create a SecurityIntentBinding` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Verity NimbusPolicy creation` +### Step: `Verity NimbusPolicy creation` *No description* -### Try +#### Try -| # | Operation | Description | 
-|:-:|---|---| -| 1 | `assert` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | -## Step: `Delete existing NimbusPolicy` +### Step: `Delete existing NimbusPolicy` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `delete` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `delete` | 0 | 0 | *No description* | -## Step: `Verify NimbusPolicy recreation` +### Step: `Verify NimbusPolicy recreation` *No description* -### Try +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +--- -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | diff --git a/tests/controllers/nimbuspolicy/update/README.md b/tests/controllers/nimbuspolicy/update/README.md index a7341ff3..b4618d41 100644 --- a/tests/controllers/nimbuspolicy/update/README.md +++ b/tests/controllers/nimbuspolicy/update/README.md 
@@ -3,62 +3,65 @@ This test validates that direct updates to a NimbusPolicy resource are ignored, to maintain consistency and prevent unintended modifications. -### Steps +## Steps -| # | Name | Try | Catch | Finally | -|:-:|---|:-:|:-:|:-:| -| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 | -| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 1 | 0 | 0 | -| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 1 | 0 | 0 | -| 4 | [Update existing NimbusPolicy](#step-Update existing NimbusPolicy) | 1 | 0 | 0 | -| 5 | [Verify discarding of changes to NimbusPolicy](#step-Verify discarding of changes to NimbusPolicy) | 1 | 0 | 0 | +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | +| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 4 | [Update existing NimbusPolicy](#step-Update existing NimbusPolicy) | 0 | 1 | 0 | 0 | +| 5 | [Verify discarding of changes to NimbusPolicy](#step-Verify discarding of changes to NimbusPolicy) | 0 | 1 | 0 | 0 | -## Step: `Create a SecurityIntent` +### Step: `Create a SecurityIntent` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Create a SecurityIntentBinding` +### Step: `Create a SecurityIntentBinding` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Verity NimbusPolicy creation` +### Step: `Verity NimbusPolicy creation` *No 
description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | -## Step: `Update existing NimbusPolicy` +### Step: `Update existing NimbusPolicy` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Verify discarding of changes to NimbusPolicy` +### Step: `Verify discarding of changes to NimbusPolicy` *No description* -### Try +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +--- -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | diff --git a/tests/controllers/securityintent/README.md b/tests/controllers/securityintent/README.md index cfbeb4b4..6234ccde 100644 --- a/tests/controllers/securityintent/README.md +++ b/tests/controllers/securityintent/README.md 
@@ -3,29 +3,32 @@ This test validates that the created SecurityIntent status subresource contains the ID and action fields with the corresponding intent values. -### Steps +## Steps -| # | Name | Try | Catch | Finally | -|:-:|---|:-:|:-:|:-:| -| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 | -| 2 | [Verify status of created SecurityIntent](#step-Verify status of created SecurityIntent) | 1 | 0 | 0 | +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | +| 2 | [Verify status of created SecurityIntent](#step-Verify status of created SecurityIntent) | 0 | 1 | 0 | 0 | -## Step: `Create a SecurityIntent` +### Step: `Create a SecurityIntent` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Verify status of created SecurityIntent` +### Step: `Verify status of created SecurityIntent` *No description* -### Try +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +--- -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | diff --git a/tests/controllers/securityintentbinding/create/README.md b/tests/controllers/securityintentbinding/create/README.md index 054b5c43..34bcf274 100644 --- a/tests/controllers/securityintentbinding/create/README.md +++ b/tests/controllers/securityintentbinding/create/README.md 
@@ -3,63 +3,66 @@ This test validates the automated creation of a NimbusPolicy resource when a corresponding SecurityIntent and SecurityIntentBinding are created. -### Steps +## Steps -| # | Name | Try | Catch | Finally | -|:-:|---|:-:|:-:|:-:| -| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 | -| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 1 | 0 | 0 | -| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 1 | 0 | 0 | -| 4 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 1 | 0 | 0 | -| 5 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 1 | 0 | 0 | +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | +| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 4 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 5 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 0 | 1 | 0 | 0 | -## Step: `Create a SecurityIntent` +### Step: `Create a SecurityIntent` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Create a SecurityIntentBinding` +### Step: `Create a SecurityIntentBinding` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Verity NimbusPolicy creation` 
+### Step: `Verity NimbusPolicy creation` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | -## Step: `Verify status of created SecurityIntentBinding` +### Step: `Verify status of created SecurityIntentBinding` Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, along with the generated NimbusPolicy name. -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | -## Step: `Verify status of created NimbusPolicy` +### Step: `Verify status of created NimbusPolicy` *No description* -### Try +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +--- -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | diff --git a/tests/controllers/securityintentbinding/delete/README.md b/tests/controllers/securityintentbinding/delete/README.md index 549e4de6..9b589cd6 100644 --- a/tests/controllers/securityintentbinding/delete/README.md +++ b/tests/controllers/securityintentbinding/delete/README.md 
@@ -3,51 +3,54 @@ This test validates the expected behavior of NimbusPolicy deletion upon the removal of a corresponding SecurityIntentBinding resource. -### Steps +## Steps -| # | Name | Try | Catch | Finally | -|:-:|---|:-:|:-:|:-:| -| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 | -| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 1 | 0 | 0 | -| 3 | [Delete existing SecurityIntentBinding](#step-Delete existing SecurityIntentBinding) | 1 | 0 | 0 | -| 4 | [Verify the NimbusPolicy deletion](#step-Verify the NimbusPolicy deletion) | 1 | 0 | 0 | +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | +| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 3 | [Delete existing SecurityIntentBinding](#step-Delete existing SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 4 | [Verify the NimbusPolicy deletion](#step-Verify the NimbusPolicy deletion) | 0 | 1 | 0 | 0 | -## Step: `Create a SecurityIntent` +### Step: `Create a SecurityIntent` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Create a SecurityIntentBinding` +### Step: `Create a SecurityIntentBinding` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Delete existing SecurityIntentBinding` +### Step: `Delete existing SecurityIntentBinding` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `delete` | *No description* | +| # | Operation | Bindings | Outputs | Description | 
+|:-:|---|:-:|:-:|---| +| 1 | `delete` | 0 | 0 | *No description* | -## Step: `Verify the NimbusPolicy deletion` +### Step: `Verify the NimbusPolicy deletion` *No description* -### Try +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + +--- -| # | Operation | Description | -|:-:|---|---| -| 1 | `script` | *No description* | diff --git a/tests/controllers/securityintentbinding/update/README.md b/tests/controllers/securityintentbinding/update/README.md index 32fd9790..584cc692 100644 --- a/tests/controllers/securityintentbinding/update/README.md +++ b/tests/controllers/securityintentbinding/update/README.md 
@@ -2,51 +2,54 @@ This test validates the propagation of changes from a SecurityIntentBinding to the corresponding NimbusPolicy. -### Steps +## Steps -| # | Name | Try | Catch | Finally | -|:-:|---|:-:|:-:|:-:| -| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 | -| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 1 | 0 | 0 | -| 3 | [Update existing SecurityIntentBinding](#step-Update existing SecurityIntentBinding) | 1 | 0 | 0 | -| 4 | [Verify the NimbusPolicy update](#step-Verify the NimbusPolicy update) | 1 | 0 | 0 | +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | +| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 3 | [Update existing SecurityIntentBinding](#step-Update existing SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 4 | [Verify the NimbusPolicy update](#step-Verify the NimbusPolicy update) | 0 | 1 | 0 | 0 | -## Step: `Create a SecurityIntent` +### Step: `Create a SecurityIntent` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Create a SecurityIntentBinding` +### Step: `Create a SecurityIntentBinding` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Update existing SecurityIntentBinding` +### Step: `Update existing SecurityIntentBinding` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 
0 | *No description* | -## Step: `Verify the NimbusPolicy update` +### Step: `Verify the NimbusPolicy update` *No description* -### Try +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +--- -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | diff --git a/tests/controllers/sis-and-sibs/create/README.md b/tests/controllers/sis-and-sibs/create/README.md index a4315f51..a1754fd2 100644 --- a/tests/controllers/sis-and-sibs/create/README.md +++ b/tests/controllers/sis-and-sibs/create/README.md 
@@ -3,74 +3,77 @@ This test verifies the independent creation of SecurityIntent and SecurityIntentBinding custom resources. It ensures users can create these custom resources individually without requiring one to exist beforehand. -### Steps +## Steps -| # | Name | Try | Catch | Finally | -|:-:|---|:-:|:-:|:-:| -| 1 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 1 | 0 | 0 | -| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 | -| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 1 | 0 | 0 | -| 4 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 1 | 0 | 0 | -| 5 | [Verify status of created SecurityIntent](#step-Verify status of created SecurityIntent) | 1 | 0 | 0 | -| 6 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 1 | 0 | 0 | +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | +| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 4 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 5 | [Verify status of created SecurityIntent](#step-Verify status of created SecurityIntent) | 0 | 1 | 0 | 0 | +| 6 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 0 | 1 | 0 | 0 | -## Step: `Create a SecurityIntentBinding` +### Step: `Create a SecurityIntentBinding` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Create a SecurityIntent` +### Step: `Create a 
SecurityIntent` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Verity NimbusPolicy creation` +### Step: `Verity NimbusPolicy creation` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | -## Step: `Verify status of created SecurityIntentBinding` +### Step: `Verify status of created SecurityIntentBinding` Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, along with the generated NimbusPolicy name. -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | -## Step: `Verify status of created SecurityIntent` +### Step: `Verify status of created SecurityIntent` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | -## Step: `Verify status of created NimbusPolicy` +### Step: `Verify status of created NimbusPolicy` *No description* -### Try +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +--- -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | diff --git a/tests/controllers/sis-and-sibs/delete/README.md b/tests/controllers/sis-and-sibs/delete/README.md index 99a45920..6d6e86ca 100644 --- a/tests/controllers/sis-and-sibs/delete/README.md 
+++ b/tests/controllers/sis-and-sibs/delete/README.md 
@@ -3,74 +3,77 @@ This test verifies that when a SecurityIntent is the only one referenced by a SecurityIntentBinding, and that SecurityIntent is deleted, the corresponding NimbusPolicy is also automatically deleted. -### Steps +## Steps -| # | Name | Try | Catch | Finally | -|:-:|---|:-:|:-:|:-:| -| 1 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 1 | 0 | 0 | -| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 | -| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 1 | 0 | 0 | -| 4 | [Delete previously created SecurityIntent](#step-Delete previously created SecurityIntent) | 1 | 0 | 0 | -| 5 | [Verify the NimbusPolicy deletion](#step-Verify the NimbusPolicy deletion) | 1 | 0 | 0 | -| 6 | [Verify status of SecurityIntentBinding](#step-Verify status of SecurityIntentBinding) | 1 | 0 | 0 | +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | +| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 4 | [Delete previously created SecurityIntent](#step-Delete previously created SecurityIntent) | 0 | 1 | 0 | 0 | +| 5 | [Verify the NimbusPolicy deletion](#step-Verify the NimbusPolicy deletion) | 0 | 1 | 0 | 0 | +| 6 | [Verify status of SecurityIntentBinding](#step-Verify status of SecurityIntentBinding) | 0 | 1 | 0 | 0 | -## Step: `Create a SecurityIntentBinding` +### Step: `Create a SecurityIntentBinding` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Create a SecurityIntent` +### Step: `Create a SecurityIntent` *No description* -### Try +#### Try -| # | 
Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Verify NimbusPolicy creation` +### Step: `Verify NimbusPolicy creation` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | -## Step: `Delete previously created SecurityIntent` +### Step: `Delete previously created SecurityIntent` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `delete` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `delete` | 0 | 0 | *No description* | -## Step: `Verify the NimbusPolicy deletion` +### Step: `Verify the NimbusPolicy deletion` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `script` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | -## Step: `Verify status of SecurityIntentBinding` +### Step: `Verify status of SecurityIntentBinding` This verifies that upon deletion of a NimbusPolicy, the corresponding SecurityIntentBinding's status subresource is updated to reflect the current information. -### Try +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +--- -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | diff --git a/tests/controllers/sis-and-sibs/update/README.md b/tests/controllers/sis-and-sibs/update/README.md index c6959bc3..39fd926b 100644 --- a/tests/controllers/sis-and-sibs/update/README.md +++ b/tests/controllers/sis-and-sibs/update/README.md 
@@ -3,96 +3,99 @@ This test verifies that modifying a SecurityIntent triggers the desired updates in corresponding SecurityIntentBinding's status subresource and related NimbusPolicy. -### Steps +## Steps -| # | Name | Try | Catch | Finally | -|:-:|---|:-:|:-:|:-:| -| 1 | [Create a SecurityIntentBinding for multiple SecurityIntents](#step-Create a SecurityIntentBinding for multiple SecurityIntents) | 1 | 0 | 0 | -| 2 | [Create multiple SecurityIntents](#step-Create multiple SecurityIntents) | 1 | 0 | 0 | -| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 1 | 0 | 0 | -| 4 | [Update one SecurityIntent](#step-Update one SecurityIntent) | 1 | 0 | 0 | -| 5 | [Verify NimbusPolicy update](#step-Verify NimbusPolicy update) | 1 | 0 | 0 | -| 6 | [Update SecurityIntentBinding to remove one SecurityIntent](#step-Update SecurityIntentBinding to remove one SecurityIntent) | 1 | 0 | 0 | -| 7 | [Verify the NimbusPolicy update after removal of SecurityIntent](#step-Verify the NimbusPolicy update after removal of SecurityIntent) | 1 | 0 | 0 | -| 8 | [Verify status of SecurityIntentBinding after update](#step-Verify status of SecurityIntentBinding after update) | 1 | 0 | 0 | +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create a SecurityIntentBinding for multiple SecurityIntents](#step-Create a SecurityIntentBinding for multiple SecurityIntents) | 0 | 1 | 0 | 0 | +| 2 | [Create multiple SecurityIntents](#step-Create multiple SecurityIntents) | 0 | 1 | 0 | 0 | +| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 4 | [Update one SecurityIntent](#step-Update one SecurityIntent) | 0 | 1 | 0 | 0 | +| 5 | [Verify NimbusPolicy update](#step-Verify NimbusPolicy update) | 0 | 1 | 0 | 0 | +| 6 | [Update SecurityIntentBinding to remove one SecurityIntent](#step-Update SecurityIntentBinding to remove one SecurityIntent) | 0 | 1 | 0 | 0 | +| 7 | [Verify the NimbusPolicy update after removal of 
SecurityIntent](#step-Verify the NimbusPolicy update after removal of SecurityIntent) | 0 | 1 | 0 | 0 | +| 8 | [Verify status of SecurityIntentBinding after update](#step-Verify status of SecurityIntentBinding after update) | 0 | 1 | 0 | 0 | -## Step: `Create a SecurityIntentBinding for multiple SecurityIntents` +### Step: `Create a SecurityIntentBinding for multiple SecurityIntents` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Create multiple SecurityIntents` +### Step: `Create multiple SecurityIntents` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Verity NimbusPolicy creation` +### Step: `Verity NimbusPolicy creation` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | -## Step: `Update one SecurityIntent` +### Step: `Update one SecurityIntent` Update the action of one of the previously created SecurityIntents -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Verify NimbusPolicy update` +### Step: `Verify NimbusPolicy update` Verify the update of rule.action for corresponding SecurityIntent update -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | 
`assert` | 0 | 0 | *No description* | -## Step: `Update SecurityIntentBinding to remove one SecurityIntent` +### Step: `Update SecurityIntentBinding to remove one SecurityIntent` Remove one of the previously created SecurityIntents from the SecurityIntentBinding -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `apply` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | -## Step: `Verify the NimbusPolicy update after removal of SecurityIntent` +### Step: `Verify the NimbusPolicy update after removal of SecurityIntent` *No description* -### Try +#### Try -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | -## Step: `Verify status of SecurityIntentBinding after update` +### Step: `Verify status of SecurityIntentBinding after update` This verifies that upon deletion of a NimbusPolicy, the corresponding SecurityIntentBinding's status subresource is updated to reflect the current information. -### Try +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +--- -| # | Operation | Description | -|:-:|---|---| -| 1 | `assert` | *No description* | diff --git a/tests/e2e/escape-to-host/create/README.md b/tests/e2e/escape-to-host/create/README.md new file mode 100644 index 00000000..9c5f0e1c --- /dev/null +++ b/tests/e2e/escape-to-host/create/README.md 
@@ -0,0 +1,90 @@
+# Test: `kyverno-adapter-policy-creation`
+
+This test validates that creating a `escapeToHost` SecurityIntent with SecurityIntentBinding generates the expected Kyverno Policy.
+
+
+## Steps
+
+| # | Name | Bindings | Try | Catch | Finally |
+|:-:|---|:-:|:-:|:-:|:-:|
+| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 |
+| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 |
+| 4 | [Verify KyvernoPolicy creation](#step-Verify KyvernoPolicy creation) | 0 | 1 | 0 | 0 |
+| 5 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 6 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 0 | 1 | 0 | 0 |
+| 7 | [Verify that the corresponding NimbusPolicy status has been updated with the generated Kyverno Policy](#step-Verify that the corresponding NimbusPolicy status has been updated with the generated Kyverno Policy) | 0 | 1 | 0 | 0 |
+
+### Step: `Create a SecurityIntent`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Create a SecurityIntentBinding`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify KyvernoPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify status of created SecurityIntentBinding`
+
+Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, along with the generated NimbusPolicy name.
+
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify status of created NimbusPolicy`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify that the corresponding NimbusPolicy status has been updated with the generated Kyverno Policy`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+---
+
diff --git a/tests/e2e/escape-to-host/create/chainsaw-test.yaml b/tests/e2e/escape-to-host/create/chainsaw-test.yaml
new file mode 100644
index 00000000..0f337001
--- /dev/null
+++ b/tests/e2e/escape-to-host/create/chainsaw-test.yaml
@@ -0,0 +1,52 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-adapter-policy-creation
+spec:
+ description: >
+ This test validates that creating a `escapeToHost` SecurityIntent with SecurityIntentBinding generates the expected Kyverno Policy.
+ steps:
+ - name: "Create a SecurityIntent"
+ try:
+ - apply:
+ file: ../../resources/namespaced/escape-to-host-si.yaml
+
+ - name: "Create a SecurityIntentBinding"
+ try:
+ - apply:
+ file: ../../resources/namespaced/escape-to-host-sib.yaml
+
+ - name: "Verify NimbusPolicy creation"
+ try:
+ - assert:
+ file: ../nimbus-policy-assert.yaml
+
+ - name: "Verify KyvernoPolicy creation"
+ try:
+ - assert:
+ file: ../kyverno-policy.yaml
+
+ - name: "Verify status of created SecurityIntentBinding"
+ description: >
+ Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents,
+ along with the generated NimbusPolicy name.
+ try:
+ - assert:
+ file: ../sib-status-assert.yaml
+
+ - name: "Verify status of created NimbusPolicy"
+ try:
+ - assert:
+ file: ../np-status-assert.yaml
+
+ - name: "Verify that the corresponding NimbusPolicy status has been updated with the generated Kyverno Policy"
+ try:
+ - script:
+ content: kubectl get np -n $NAMESPACE escape-to-host-binding -o=jsonpath='{.status.adapterPolicies}'
+ check:
+ (contains($stdout, 'KyvernoPolicy/escape-to-host-binding-escapetohost')): true
+
+
diff --git a/tests/e2e/escape-to-host/delete/README.md b/tests/e2e/escape-to-host/delete/README.md
new file mode 100644
index 00000000..e967db64
--- /dev/null
+++ b/tests/e2e/escape-to-host/delete/README.md
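Review bot: The final `script` step reads `status.adapterPolicies` once, whereas the `assert` steps before it are retried by chainsaw until they match; if the adapter records the generated policy name only after the NimbusPolicy status has already reached `Created`, this step can fail intermittently. Keeping the check inside the retry loop is possible by moving it into a NimbusPolicy assert file with a JMESPath key under `status:`, e.g. `(contains(status.adapterPolicies, 'KyvernoPolicy/escape-to-host-binding-escapetohost')): true`. If the one-shot script is intentional, a `description` on the step explaining why would help, since the generated README currently shows *No description* for it.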
@@ -0,0 +1,78 @@
+# Test: `kyverno-adapter-policy-deletion`
+
+This test validates if the adapters re-create their manually deleted generated policies.
+
+
+## Steps
+
+| # | Name | Bindings | Try | Catch | Finally |
+|:-:|---|:-:|:-:|:-:|:-:|
+| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 |
+| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 |
+| 4 | [Verify KyvernoPolicy creation](#step-Verify KyvernoPolicy creation) | 0 | 1 | 0 | 0 |
+| 5 | [Delete existing KyvernoPolicy](#step-Delete existing KyvernoPolicy) | 0 | 1 | 0 | 0 |
+| 6 | [Verify KyvernoPolicy recreation](#step-Verify KyvernoPolicy recreation) | 0 | 1 | 0 | 0 |
+
+### Step: `Create a SecurityIntent`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Create a SecurityIntentBinding`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify KyvernoPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Delete existing KyvernoPolicy`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `delete` | 0 | 0 | *No description* |
+
+### Step: `Verify KyvernoPolicy recreation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+---
+
diff --git a/tests/e2e/escape-to-host/delete/chainsaw-test.yaml b/tests/e2e/escape-to-host/delete/chainsaw-test.yaml
new file mode 100644
index 00000000..bfefa704
--- /dev/null
+++ b/tests/e2e/escape-to-host/delete/chainsaw-test.yaml
@@ -0,0 +1,52 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-adapter-policy-deletion
+spec:
+ description: >
+ This test validates if the adapters re-create their manually deleted generated policies.
+ steps:
+ - name: "Create a SecurityIntent"
+ try:
+ - apply:
+ file: ../../resources/namespaced/escape-to-host-si.yaml
+
+ - name: "Create a SecurityIntentBinding"
+ try:
+ - apply:
+ file: ../../resources/namespaced/escape-to-host-sib.yaml
+
+ - name: "Verify NimbusPolicy creation"
+ try:
+ - assert:
+ file: ../nimbus-policy-assert.yaml
+
+ - name: "Verify KyvernoPolicy creation"
+ try:
+ - assert:
+ file: ../kyverno-policy.yaml
+
+ - name: "Delete existing KyvernoPolicy"
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: Policy
+ name: escape-to-host-binding-escapetohost
+ expect:
+ - match:
+ apiVersion: kyverno.io/v1
+ kind: Policy
+ name: escape-to-host-binding-escapetohost
+ check:
+ ($error != null): true
+
+ - name: "Verify KyvernoPolicy recreation"
+ try:
+ - assert:
+ file: ../kyverno-policy.yaml
+
+
diff --git a/tests/e2e/escape-to-host/kyverno-policy.yaml b/tests/e2e/escape-to-host/kyverno-policy.yaml
new file mode 100644
index 00000000..531981ff
--- /dev/null
+++ b/tests/e2e/escape-to-host/kyverno-policy.yaml
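Review bot: The `expect` block on the `delete` step requires the operation to error (`($error != null): true`), so the step passes only when the deletion does not complete cleanly; if the Policy happens to be removed and re-created in a way chainsaw observes as a finished deletion, the test fails even though the adapter behaved correctly. Presumably the error is expected because the adapter re-creates the Policy while chainsaw is still waiting for it to disappear, but nothing in the step says so. A comment above `expect:` such as `# the adapter re-creates the Policy before chainsaw sees the deletion finish, so the delete operation is expected to error` would record the assumption; if both outcomes are acceptable, the `check` should accept both rather than demand an error.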
@@ -0,0 +1,40 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ annotations:
+ app.kubernetes.io/managed-by: nimbus-kyverno
+ policies.kyverno.io/description: A attacker can breach container boundaries
+ and can gain access to the host machine
+ name: escape-to-host-binding-escapetohost
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1
+ blockOwnerDeletion: true
+ controller: true
+ kind: NimbusPolicy
+ name: escape-to-host-binding
+spec:
+ admission: true
+ background: true
+ rules:
+ - exclude:
+ resources: {}
+ generate:
+ clone: {}
+ cloneList: {}
+ match:
+ any:
+ - resources:
+ kinds:
+ - v1/Pod
+ selector:
+ matchLabels:
+ app: nginx
+ resources: {}
+ mutate: {}
+ name: restricted
+ skipBackgroundRequests: true
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ validationFailureAction: Enforce
\ No newline at end of file
diff --git a/tests/e2e/escape-to-host/nimbus-policy-assert.yaml b/tests/e2e/escape-to-host/nimbus-policy-assert.yaml
new file mode 100644
index 00000000..f0708fe7
--- /dev/null
+++ b/tests/e2e/escape-to-host/nimbus-policy-assert.yaml
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: NimbusPolicy
+metadata:
+ name: escape-to-host-binding
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1
+ blockOwnerDeletion: true
+ controller: true
+ kind: SecurityIntentBinding
+ name: escape-to-host-binding
+spec:
+ rules:
+ - description: A attacker can breach container boundaries and can gain access
+ to the host machine
+ id: escapeToHost
+ rule:
+ action: Block
+ selector:
+ matchLabels:
+ app: nginx
diff --git a/tests/e2e/escape-to-host/np-status-assert.yaml b/tests/e2e/escape-to-host/np-status-assert.yaml
new file mode 100644
index 00000000..006f190e
--- /dev/null
+++ b/tests/e2e/escape-to-host/np-status-assert.yaml
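Review bot: The expected rule is named `restricted` but asserts `podSecurity.level: baseline`, which reads as a mismatch: either the adapter maps `escapeToHost` to the baseline Pod Security Standards profile and the rule name is misleading, or the test pins a weaker level than intended. Since this file asserts adapter output the correction belongs in the adapter, but a header comment stating the intended profile, e.g. `# escapeToHost is expected to produce a baseline Pod Security Standards rule enforced at admission (validationFailureAction: Enforce)`, would make the choice reviewable. This file and `updated-kyverno-policy.yaml` are also the only new YAML files without the SPDX header, and both end without a trailing newline.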
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: NimbusPolicy
+metadata:
+ name: escape-to-host-binding
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1
+ blockOwnerDeletion: true
+ controller: true
+ kind: SecurityIntentBinding
+ name: escape-to-host-binding
+status:
+ numberOfAdapterPolicies: 4
+ status: Created
diff --git a/tests/e2e/escape-to-host/sib-status-assert.yaml b/tests/e2e/escape-to-host/sib-status-assert.yaml
new file mode 100644
index 00000000..592f2c08
--- /dev/null
+++ b/tests/e2e/escape-to-host/sib-status-assert.yaml
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+ name: escape-to-host-binding
+status:
+ boundIntents:
+ - escape-to-host
+ nimbusPolicy: escape-to-host-binding
+ numberOfBoundIntents: 1
+ status: Created
\ No newline at end of file
diff --git a/tests/e2e/escape-to-host/update/README.md b/tests/e2e/escape-to-host/update/README.md
new file mode 100644
index 00000000..d3b6a5f8
--- /dev/null
+++ b/tests/e2e/escape-to-host/update/README.md
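Review bot: `numberOfAdapterPolicies: 4` pins an exact count that, judging by the field name, depends on how many adapters are deployed in the test cluster rather than on the Kyverno adapter this test is named after, so the assertion fails in any environment that does not run that exact set and must be edited whenever an adapter is added or removed. If the full adapter set is a precondition of the e2e suite, a comment such as `# assumes every Nimbus adapter in the e2e cluster (including nimbus-kyverno) reconciles this NimbusPolicy` would make that explicit. The create test's final script step already checks that the Kyverno policy appears in `status.adapterPolicies`, which is the Kyverno-specific property this test cares about.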
@@ -0,0 +1,78 @@
+# Test: `kyverno-adapter-policy-updation`
+
+This test validates that direct updates to the generated adapter's policies are discarded, to maintain consistency and prevent unintended modifications.
+
+
+## Steps
+
+| # | Name | Bindings | Try | Catch | Finally |
+|:-:|---|:-:|:-:|:-:|:-:|
+| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 |
+| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 |
+| 4 | [Verify KyvernoPolicy creation](#step-Verify KyvernoPolicy creation) | 0 | 1 | 0 | 0 |
+| 5 | [Update existing KyvernoPolicy](#step-Update existing KyvernoPolicy) | 0 | 1 | 0 | 0 |
+| 6 | [Verify discarding of the changes made in KyvernoPolicy](#step-Verify discarding of the changes made in KyvernoPolicy) | 0 | 1 | 0 | 0 |
+
+### Step: `Create a SecurityIntent`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Create a SecurityIntentBinding`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify KyvernoPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Update existing KyvernoPolicy`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify discarding of the changes made in KyvernoPolicy`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+---
+
diff --git a/tests/e2e/escape-to-host/update/chainsaw-test.yaml b/tests/e2e/escape-to-host/update/chainsaw-test.yaml
new file mode 100644
index 00000000..daf77253
--- /dev/null
+++ b/tests/e2e/escape-to-host/update/chainsaw-test.yaml
@@ -0,0 +1,42 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-adapter-policy-updation
+spec:
+ description: >
+ This test validates that direct updates to the generated adapter's policies are discarded, to maintain consistency and prevent unintended modifications.
+ steps:
+ - name: "Create a SecurityIntent"
+ try:
+ - apply:
+ file: ../../resources/namespaced/escape-to-host-si.yaml
+
+ - name: "Create a SecurityIntentBinding"
+ try:
+ - apply:
+ file: ../../resources/namespaced/escape-to-host-sib.yaml
+
+ - name: "Verify NimbusPolicy creation"
+ try:
+ - assert:
+ file: ../nimbus-policy-assert.yaml
+
+ - name: "Verify KyvernoPolicy creation"
+ try:
+ - assert:
+ file: ../kyverno-policy.yaml
+
+
+ - name: "Update existing KyvernoPolicy"
+ try:
+ - apply:
+ file: ../updated-kyverno-policy.yaml
+
+ - name: "Verify discarding of the changes made in KyvernoPolicy"
+ try:
+ - assert:
+ file: ../kyverno-policy.yaml
+
diff --git a/tests/e2e/escape-to-host/updated-kyverno-policy.yaml b/tests/e2e/escape-to-host/updated-kyverno-policy.yaml
new file mode 100644
index 00000000..fd534dbf
--- /dev/null
+++ b/tests/e2e/escape-to-host/updated-kyverno-policy.yaml
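Review bot: The last step asserts the original `../kyverno-policy.yaml` after applying a policy whose selector is `env: prod`, but chainsaw assertions match partially, so the step also passes if the adapter merged instead of replaced the labels (an actual selector of `{app: nginx, env: prod}` still satisfies `matchLabels: {app: nginx}`). A dedicated assert file for this test with a negative check on the injected label, e.g. `(spec.rules[0].match.any[0].resources.selector.matchLabels.env == null): true`, would pin the discard behaviour the description promises. The two consecutive blank lines before the `Update existing KyvernoPolicy` step are also inconsistent with the single blank line used between the other steps.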
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ annotations:
+ app.kubernetes.io/managed-by: nimbus-kyverno
+ policies.kyverno.io/description: A attacker can breach container boundaries
+ and can gain access to the host machine
+ name: escape-to-host-binding-escapetohost
+spec:
+ admission: true
+ background: true
+ rules:
+ - exclude:
+ resources: {}
+ generate:
+ clone: {}
+ cloneList: {}
+ match:
+ any:
+ - resources:
+ kinds:
+ - v1/Pod
+ selector:
+ matchLabels:
+ env: prod
+ resources: {}
+ mutate: {}
+ name: restricted
+ skipBackgroundRequests: true
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ validationFailureAction: Enforce
\ No newline at end of file
diff --git a/tests/e2e/resources/namespaced/escape-to-host-si.yaml b/tests/e2e/resources/namespaced/escape-to-host-si.yaml
new file mode 100644
index 00000000..206da8e6
--- /dev/null
+++ b/tests/e2e/resources/namespaced/escape-to-host-si.yaml
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+ name: escape-to-host
+spec:
+ intent:
+ id: escapeToHost
+ description: "A attacker can breach container boundaries and can gain access to the host machine"
+ action: Block
\ No newline at end of file
diff --git a/tests/e2e/resources/namespaced/escape-to-host-sib.yaml b/tests/e2e/resources/namespaced/escape-to-host-sib.yaml
new file mode 100644
index 00000000..231803c2
--- /dev/null
+++ b/tests/e2e/resources/namespaced/escape-to-host-sib.yaml
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+ name: escape-to-host-binding
+spec:
+ intents:
+ - name: escape-to-host
+ selector:
+ any:
+ - resources:
+ kind: Pod
+ namespace: default
+ matchLabels:
+ app: nginx
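Review bot: The intent description `"A attacker can breach container boundaries and can gain access to the host machine"` should read `An attacker ...`, and because the same text is asserted verbatim in `nimbus-policy-assert.yaml`, `kyverno-policy.yaml` and `updated-kyverno-policy.yaml`, the wording has to change in all four files together or the asserts will stop matching. A short comment on the `description:` line noting that it is propagated into the generated policies, e.g. `# copied verbatim into the NimbusPolicy rule and the Kyverno policies.kyverno.io/description annotation`, would save the next editor from fixing only one copy.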
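Review bot: The binding's selector sets `namespace: default`, yet the expected `Policy` in `kyverno-policy.yaml` carries no namespace and the create test reads the NimbusPolicy from `$NAMESPACE`, so it is unclear from these files whether the field is honoured, ignored, or simply coincides with the namespace chainsaw runs the test in. If the adapter does not propagate it, a comment such as `# NOTE: namespace is not reflected in the generated Kyverno Policy asserted by kyverno-policy.yaml` (or dropping the field) would stop the resource from suggesting that namespace-scoped selection is under test; if it is honoured, an assertion that the generated policy is scoped to it is missing. Like `escape-to-host-si.yaml`, this file ends without a trailing newline.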