Add mutation policies for some Pod Security Standards controls

pod-security/mutate/set-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: set-privilege-escalation
+status:
+  ready: true

pod-security/mutate/set-privilege-escalation/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: set-privilege-escalation
+spec:
+  steps:
+    - name: step-01
+      try:
+        - apply:
+            file: ../set-privilege-escalation.yaml
+        - patch:
+            resource:
+              apiVersion: kyverno.io/v1
+              kind: ClusterPolicy
+              metadata:
+                name: set-privilege-escalation
+              spec:
+                validationFailureAction: Enforce
+        - assert:
+            file: chainsaw-step-01-assert-1.yaml
+    - name: step-02
+      try:
+        - apply:
+            file: pod-bad.yaml
+        - assert:
+            file: pod-bad-assert.yaml

pod-security/mutate/set-privilege-escalation/.chainsaw-test/pod-bad-assert.yaml

@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod02
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: false
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod03
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+  - name: container02
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: false
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod04
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: false
+  - name: container02
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: false
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod05
+spec:
+  initContainers:
+  - name: initcontainer01
+    image: busybox:1.35
+  containers:
+  - name: container01
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: false
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod06
+spec:
+  initContainers:
+  - name: initcontainer01
+    image: busybox:1.35
+  - name: initcontainer02
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: false
+  containers:
+  - name: container01
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: false
+---

pod-security/mutate/set-privilege-escalation/.chainsaw-test/pod-bad.yaml

@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod02
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod03
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+  - name: container02
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: false
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod04
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: true
+  - name: container02
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: false
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod05
+spec:
+  initContainers:
+  - name: initcontainer01
+    image: busybox:1.35
+  containers:
+  - name: container01
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: false
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod06
+spec:
+  initContainers:
+  - name: initcontainer01
+    image: busybox:1.35
+  - name: initcontainer02
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: true
+  containers:
+  - name: container01
+    image: busybox:1.35
+    securityContext:
+      allowPrivilegeEscalation: false
+---

pod-security/mutate/set-privilege-escalation/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,45 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: set-privilege-escalation
+policies:
+- ../set-privilege-escalation.yaml
+resources:
+- resource.yaml
+results:
+- policy: set-privilege-escalation
+  rule: set-containers-privilege-escalation-to-false
+  kind: Pod
+  resource: badpod01
+  patchedResource: patched-resource-01.yaml
+  result: skip
+- policy: set-privilege-escalation
+  rule: set-containers-privilege-escalation-to-false
+  kind: Pod
+  resource: badpod02
+  patchedResource: patched-resource-02.yaml
+  result: pass
+- policy: set-privilege-escalation
+  rule: set-containers-privilege-escalation-to-false
+  kind: Pod
+  resource: badpod03
+  patchedResource: patched-resource-03.yaml
+  result: skip
+- policy: set-privilege-escalation
+  rule: set-containers-privilege-escalation-to-false
+  kind: Pod
+  resource: badpod04
+  patchedResource: patched-resource-04.yaml
+  result: pass
+- policy: set-privilege-escalation
+  rule: set-containers-privilege-escalation-to-false
+  kind: Pod
+  resource: badpod05
+  patchedResource: patched-resource-05.yaml
+  result: skip
+- policy: set-privilege-escalation
+  rule: set-initContainers-privilege-escalation-to-false
+  kind: Pod
+  resource: badpod06
+  patchedResource: patched-resource-06.yaml
+  result: pass

pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-01.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  containers:
+    - name: container01
+      image: dummyimagename

pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-02.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod02
+spec:
+  containers:
+    - name: container01
+      image: dummyimagename
+      securityContext:
+        allowPrivilegeEscalation: false

pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-03.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod03
+spec:
+  containers:
+    - name: container01
+      image: dummyimagename
+    - name: container02
+      image: dummyimagename
+      securityContext:
+        allowPrivilegeEscalation: false

pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-04.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod04
+spec:
+  containers:
+    - name: container01
+      image: dummyimagename
+      securityContext:
+        allowPrivilegeEscalation: false
+    - name: container02
+      image: dummyimagename
+      securityContext:
+        allowPrivilegeEscalation: false

pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-05.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod05
+spec:
+  initContainers:
+    - name: initcontainer01
+      image: dummyimagename
+  containers:
+    - name: container01
+      image: dummyimagename
+      securityContext:
+        allowPrivilegeEscalation: false

pod-security/mutate/set-privilege-escalation/.kyverno-test/patched-resource-06.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod06
+spec:
+  initContainers:
+    - name: initcontainer01
+      image: dummyimagename
+    - name: initcontainer02
+      image: dummyimagename
+      securityContext:
+        allowPrivilegeEscalation: false
+  containers:
+    - name: container01
+      image: dummyimagename
+      securityContext:
+        allowPrivilegeEscalation: false