Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add best practices policies in CEL expressions #925

Merged
merged 69 commits into from
Jun 3, 2024
Merged

feat: add best practices policies in CEL expressions #925

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
69 commits
Select commit Hold shift + click to select a range
747b0e8
copy restrict-node-port
Chandan-DK Mar 6, 2024
9a4eca2
convert restrict-node-port to cel
Chandan-DK Mar 6, 2024
c87dea8
move resource files to test folders to avoid cross referencing
Chandan-DK Mar 6, 2024
66550fb
copy require-labels
Chandan-DK Mar 6, 2024
a19e614
convert require-labels to cel
Chandan-DK Mar 6, 2024
793c146
copy restrict-service-external-ips
Chandan-DK Mar 6, 2024
7a0fc6a
convert restrict-service-external-ips to cel
Chandan-DK Mar 7, 2024
2466c52
copy require-ro-rootfs
Chandan-DK Mar 7, 2024
8ca2823
convert require-ro-rootfs to cel
Chandan-DK Mar 7, 2024
cc534a2
copy restrict-image-registries
Chandan-DK Mar 7, 2024
70c4712
convert restrict-image-registries to cel
Chandan-DK Mar 7, 2024
9cbc613
copy disallow-latest-tag
Chandan-DK Mar 7, 2024
7266245
convert disallow-latest-tag to cel
Chandan-DK Mar 7, 2024
56680c9
copy disallow-default-namespace
Chandan-DK Mar 8, 2024
deefeee
convert disallow-default-namespace to cel
Chandan-DK Mar 8, 2024
c0b203a
copy disallow-helm-tiller
Chandan-DK Mar 8, 2024
2908df9
convert disallow-helm-tiller to cel
Chandan-DK Mar 8, 2024
5291e6d
Merge branch 'main' into convert-best-practices-to-cel
Chandan-DK Mar 9, 2024
cc5a3da
copy disallow-empty-ingress-host
Chandan-DK Mar 9, 2024
13f8cb5
set original disallow-empty-ingress-host to Audit
Chandan-DK Mar 9, 2024
b29888f
convert disallow-empty-ingress-host to cel
Chandan-DK Mar 9, 2024
1347c26
patch cel policy to set it to Enforce in chainsaw test
Chandan-DK Mar 9, 2024
638431a
fix: update semantically wrong chainsaw test resources in original re…
Chandan-DK Mar 10, 2024
c1cf234
copy require-drop-all
Chandan-DK Mar 10, 2024
625ee8e
convert require-drop-all to cel
Chandan-DK Mar 10, 2024
0283264
update workflow to test policies in best-practices-cel folder
Chandan-DK Mar 10, 2024
e206f7c
fix duplicate container names in require-probes chainsaw test
Chandan-DK Mar 10, 2024
c3b399e
copy require-probes
Chandan-DK Mar 10, 2024
13f20c0
convert require-probes to cel
Chandan-DK Mar 10, 2024
3405d61
require-ro-rootfs: fix selector does not match template labels
Chandan-DK Mar 14, 2024
6f0f536
require-ro-rootfs: fix duplicate container names
Chandan-DK Mar 14, 2024
28a0b2b
disallow-helm-tiller: fix invalid container naming
Chandan-DK Mar 14, 2024
4deb30c
require-labels: fix selector does not match template labels
Chandan-DK Mar 14, 2024
1ee5e25
restrict-image-registries: fix selector does not match template labels
Chandan-DK Mar 14, 2024
9527da4
Merge branch 'main' into convert-best-practices-to-cel
Chandan-DK Mar 14, 2024
e809be1
rename file for clarity
Chandan-DK Mar 14, 2024
62fc668
copy disallow-cri-sock-mount
Chandan-DK Mar 14, 2024
f26b1b2
convert disallow-cri-sock-mount to cel
Chandan-DK Mar 14, 2024
9579075
remove duplicate expressins in require-drop-all
Chandan-DK Mar 14, 2024
46574a1
rename file for clarity
Chandan-DK Mar 14, 2024
2d25227
require-drop-cap-net-raw: fix duplicate container names
Chandan-DK Mar 14, 2024
de2993a
copy require-drop-cap-net-raw
Chandan-DK Mar 14, 2024
057814d
rename pods to distinguish them
Chandan-DK Mar 15, 2024
618b7c8
convert require-drop-cap-net-raw to cel
Chandan-DK Mar 15, 2024
1fc12c0
copy require-pod-requests-limits
Chandan-DK Mar 15, 2024
fdb9a00
convert require-pod-requests-limits to cel
Chandan-DK Mar 15, 2024
ffe9192
rename files for clarity
Chandan-DK Mar 15, 2024
f3f84ec
add new line at end of file where not present
Chandan-DK Mar 15, 2024
42808ba
calculate digests
Chandan-DK Mar 15, 2024
c13bf5a
add new lines
Chandan-DK Mar 15, 2024
6298f7e
update digests
Chandan-DK Mar 15, 2024
b71dc85
remove celPreconditions until it behaves as expected
Chandan-DK Mar 15, 2024
8bef250
update digests
Chandan-DK Mar 15, 2024
48675be
remove wrong test step
Chandan-DK Mar 16, 2024
8c6b717
Merge branch 'main' into convert-best-practices-to-cel
chipzoller Mar 18, 2024
db6f0a4
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 Mar 25, 2024
51a0c3e
use variables to remove duplicate logic
Chandan-DK Mar 25, 2024
cc3be8a
remove unnecessary whitespace in require-ro-rootfs
Chandan-DK Mar 26, 2024
734f9f2
use namespaceObject variable
Chandan-DK Mar 26, 2024
9f493ed
Combine expressions into 1 rule to generate VAPs
Chandan-DK Apr 4, 2024
8e133b7
copy kyverno tests for disallow-default-namespace
Chandan-DK Apr 19, 2024
bc57d09
Merge branch 'main' into convert-best-practices-to-cel
Chandan-DK Apr 19, 2024
044a419
Merge branch 'main' into convert-best-practices-to-cel
JimBugwadia May 15, 2024
bb48b70
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 16, 2024
6a71ee2
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 16, 2024
cad31da
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 22, 2024
3cda1d5
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 May 30, 2024
d6ad7cd
fix issue caused in cel policies tests due to chainsaw templating
Chandan-DK May 30, 2024
8ca2e18
Merge branch 'main' into convert-best-practices-to-cel
MariamFahmy98 Jun 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/chainsaw-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,3 +48,4 @@ spec:
file: pod-emptydir-vol.yaml
- apply:
file: pod-no-volumes.yaml

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/good-pod.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ spec:
- name: data
hostPath:
path: /data

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-containerd-sock.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ spec:
- name: dockersock
hostPath:
path: /var/run/containerd/containerd.sock

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-cri-dockerd-sock.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ spec:
- name: dockersock
hostPath:
path: /var/run/cri-dockerd.sock

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-crio-sock.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ spec:
- name: dockersock
hostPath:
path: /var/run/crio/crio.sock

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-docker-sock.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ spec:
- name: dockersock
hostPath:
path: /var/run/docker.sock

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,3 +12,4 @@ spec:
volumes:
- name: mydir
emptyDir: {}

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,3 +10,4 @@ spec:
command:
- sleep
- "3600"

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,4 @@ metadata:
name: disallow-container-sock-mounts
status:
ready: true

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/.kyverno-test/kyverno-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,4 @@ results:
- goodpod01
result: pass
rule: validate-socket-mounts

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/.kyverno-test/resource.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,3 +29,4 @@ spec:
- name: data
hostPath:
path: /data

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/artifacthub-pkg.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,3 +22,4 @@ annotations:
kyverno/subject: "Pod"
digest: 13b89552586f92ba707fbb1b4daf9751acb28e3eb7cfd5d85ef1c799665e22c5
createdAt: "2024-03-14T15:59:52Z"

1 change: 1 addition & 0 deletions best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,3 +55,4 @@ spec:
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/cri-dockerd.sock'))
message: "Use of the Docker CRI socket is not allowed."

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/.chainsaw-test/chainsaw-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,3 +53,4 @@ spec:
- check:
($error != null): true
file: deploy-default.yaml

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/.chainsaw-test/deploy-default.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,4 @@ spec:
command:
- "sleep"
- "3000"

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/.chainsaw-test/ds-default.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,4 @@ spec:
command:
- "sleep"
- "3000"

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/.chainsaw-test/good-resources.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,3 +95,4 @@ spec:
command:
- "sleep"
- "3000"

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/.chainsaw-test/job-default.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ spec:
- "sleep"
- "3000"
restartPolicy: Never

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/.chainsaw-test/ns.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,4 @@ apiVersion: v1
kind: Namespace
metadata:
name: not-default-ns

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/.chainsaw-test/pod-default.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,3 +10,4 @@ spec:
command:
- "sleep"
- "3000"

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/.chainsaw-test/policy-ready.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,4 @@ metadata:
name: disallow-default-namespace
status:
ready: true

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/.chainsaw-test/ss-default.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,4 @@ spec:
command:
- "sleep"
- "3000"

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/.kyverno-test/kyverno-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,3 +31,4 @@ results:
- gooddeployment01
result: pass
rule: validate-podcontroller-namespace

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/.kyverno-test/resource.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,3 +64,4 @@ spec:
- image: busybox:1.28
name: busybox
command: ["sleep", "9999"]

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/artifacthub-pkg.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,4 @@ annotations:
kyverno/subject: "Pod"
digest: 32bf42d3e6ee89012153c823e3b52e78ac561b6a7dd6e588643228501ae14cad
createdAt: "2024-03-08T06:15:05Z"

1 change: 1 addition & 0 deletions best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,3 +47,4 @@ spec:
expressions:
- expression: "object.metadata.namespace != 'default'"
message: "Using 'default' namespace is not allowed for pod controllers."

1 change: 1 addition & 0 deletions best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,3 +39,4 @@ spec:
- check:
($error != null): true
file: no-host-success-first.yaml

1 change: 1 addition & 0 deletions best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/good-ingress.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,4 @@ spec:
name: service2
port:
number: 80

1 change: 1 addition & 0 deletions best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-fail-first.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,4 @@ spec:
name: service2
port:
number: 80

1 change: 1 addition & 0 deletions best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-ingress.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,4 @@ spec:
name: test
port:
number: 80

1 change: 1 addition & 0 deletions best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-success-first.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,4 @@ spec:
name: service2
port:
number: 80

1 change: 1 addition & 0 deletions best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,4 @@ metadata:
name: disallow-empty-ingress-host
status:
ready: true

1 change: 1 addition & 0 deletions best-practices-cel/disallow-empty-ingress-host/.kyverno-test/kyverno-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,4 @@ results:
- ingress-wildcard-host
result: pass
rule: disallow-empty-ingress-host

1 change: 1 addition & 0 deletions best-practices-cel/disallow-empty-ingress-host/.kyverno-test/resource.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,3 +42,4 @@ spec:
name: test
port:
number: 80

1 change: 1 addition & 0 deletions best-practices-cel/disallow-empty-ingress-host/artifacthub-pkg.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,4 @@ annotations:
kyverno/subject: "Ingress"
digest: 9cb3d5814cea4a34de185ce8fd469762a83ef93b910e70b2e6a9ec953e65448c
createdAt: "2024-03-09T14:19:51Z"

1 change: 1 addition & 0 deletions best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,4 @@ spec:
name: busybox
- image: docker.io/tiller:latest
name: helm-tiller

1 change: 1 addition & 0 deletions best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,4 @@ spec:
image: docker.io/tiller:latest
- name: somebox
image: busybox:1.35

1 change: 1 addition & 0 deletions best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,4 @@ spec:
image: busybox:1.35
- name: helm-tiller
image: docker.io/tiller:latest

1 change: 1 addition & 0 deletions best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,4 @@ spec:
containers:
- name: helm-tiller
image: docker.io/tiller:latest

1 change: 1 addition & 0 deletions best-practices-cel/disallow-helm-tiller/.chainsaw-test/chainsaw-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,3 +46,4 @@ spec:
- check:
($error != null): true
file: bad-pod-success-first.yaml

1 change: 1 addition & 0 deletions best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,4 @@ spec:
- image: busybox:v1.35
name: busybox
command: ["sleep", "3600"]

1 change: 1 addition & 0 deletions best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-pod.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,4 @@ spec:
image: busybox:v1.35
- name: nothelmbox
image: busybox:v1.35

1 change: 1 addition & 0 deletions best-practices-cel/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,4 @@ metadata:
name: disallow-helm-tiller
status:
ready: true

1 change: 1 addition & 0 deletions best-practices-cel/disallow-helm-tiller/.kyverno-test/kyverno-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,3 +33,4 @@ results:
- goodpod02
result: pass
rule: validate-helm-tiller

1 change: 1 addition & 0 deletions best-practices-cel/disallow-helm-tiller/.kyverno-test/resource.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,3 +80,4 @@ spec:
containers:
- image: docker.io/tiller:latest
name: helm-tiller

1 change: 1 addition & 0 deletions best-practices-cel/disallow-helm-tiller/artifacthub-pkg.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,4 @@ annotations:
kyverno/subject: "Pod"
digest: 68bd8e1cf068759dc436032f3bcb1204992b84ba33498ffd76b744329976769e
createdAt: "2024-03-08T06:30:37Z"

1 change: 1 addition & 0 deletions best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,4 @@ spec:
image: busybox:latest
- name: nginx
image: nginx:1.35

1 change: 1 addition & 0 deletions best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,4 @@ spec:
image: nginx:1.35
- name: busybox
image: busybox:latest

1 change: 1 addition & 0 deletions best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,3 +30,4 @@ spec:
image: busybox
- name: nginx
image: nginx:latest

1 change: 1 addition & 0 deletions best-practices-cel/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,3 +39,4 @@ spec:
- check:
($error != null): true
file: bad-pod-no-tag.yaml

1 change: 1 addition & 0 deletions best-practices-cel/disallow-latest-tag/.chainsaw-test/good-pod.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,4 @@ spec:
containers:
- name: busybox
image: busybox:v1.35

1 change: 1 addition & 0 deletions best-practices-cel/disallow-latest-tag/.chainsaw-test/policy-ready.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,4 @@ metadata:
name: disallow-latest-tag
status:
ready: true

1 change: 1 addition & 0 deletions best-practices-cel/disallow-latest-tag/.kyverno-test/kyverno-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,3 +57,4 @@ results:
- myapp-pod
result: pass
rule: validate-image-tag

1 change: 1 addition & 0 deletions best-practices-cel/disallow-latest-tag/.kyverno-test/resource.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,3 +119,4 @@ spec:
- image: busybox:latest
name: busybox
command: ["sleep", "9999"]

1 change: 1 addition & 0 deletions best-practices-cel/disallow-latest-tag/artifacthub-pkg.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,4 @@ annotations:
kyverno/subject: "Pod"
digest: 53f55b5f8e66068be9c7db000ca45ce3e66cadd4ab8c4cbab5e07eaa9736b551
createdAt: "2024-03-07T20:17:11Z"

1 change: 1 addition & 0 deletions best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml
View file
Open in desktop
Chandan-DK marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
Expand Up @@ -40,3 +40,4 @@ spec:
expressions:
- expression: "object.spec.containers.all(container, !container.image.endsWith(':latest'))"
message: "Using a mutable image tag e.g. 'latest' is not allowed."

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-containers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,3 +59,4 @@ spec:
add: ["SYS_TIME"]
drop:
- ALL

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-corner.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,3 +52,4 @@ spec:
- ALL
- name: init-again
image: busybox:1.35

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,3 +45,4 @@ spec:
add: ["SYS_TIME"]
drop:
- ALL

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,3 +151,4 @@ spec:
- ALL
- name: add-capabilities-again
image: busybox:1.35

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/.chainsaw-test/chainsaw-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,3 +46,4 @@ spec:
- check:
($error != null): true
file: bad-podcontrollers.yaml

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/.chainsaw-test/good-pod.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,3 +25,4 @@ spec:
add: ["SYS_TIME"]
drop:
- ALL

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/.chainsaw-test/good-podcontrollers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,3 +84,4 @@ spec:
add: ["SYS_TIME"]
drop:
- ALL

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/.chainsaw-test/policy-ready.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,4 @@ metadata:
name: drop-all-capabilities
status:
ready: true

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/.kyverno-test/kyverno-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,4 @@ results:
- add-capabilities
result: pass
rule: require-drop-all

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/.kyverno-test/resource.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,3 +35,4 @@ spec:
add: ["SYS_TIME"]
drop:
- ALL

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/artifacthub-pkg.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,4 @@ annotations:
kyverno/subject: "Pod"
digest: 1261431a3050aa2ef8958728e13655e6570046366ed22d0b5a62d45c2584fe0a
createdAt: "2024-03-10T05:05:42Z"

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-all/require-drop-all.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,3 +41,4 @@ spec:
has(container.securityContext.capabilities.drop) &&
container.securityContext.capabilities.drop.exists(capability, capability.upperAscii() == 'ALL'))
message: "Containers must drop `ALL` capabilities."

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,3 +59,4 @@ spec:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,3 +49,4 @@ spec:
- CAP_NET_RAW
- name: init-again
image: busybox:1.35

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,3 +45,4 @@ spec:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,3 +151,4 @@ spec:
- CAP_NET_RAW
- name: add-capabilities-again
image: busybox:1.35

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/chainsaw-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,3 +46,4 @@ spec:
- check:
($error != null): true
file: bad-podcontrollers.yaml

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,4 @@ spec:
capabilities:
drop:
- CAP_NET_RAW

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,3 +84,4 @@ spec:
add: ["SYS_TIME"]
drop:
- CAP_NET_RAW

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,4 @@ metadata:
name: drop-cap-net-raw
status:
ready: true

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-cap-net-raw/.kyverno-test/kyverno-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,3 +20,4 @@ results:
- drop-good
result: pass
rule: require-drop-cap-net-raw

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-cap-net-raw/.kyverno-test/resource.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,3 +42,4 @@ spec:
containers:
- name: add-capabilities
image: gcr.io/google-samples/node-hello:1.0

1 change: 1 addition & 0 deletions best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,4 @@ annotations:
kyverno/subject: "Pod"
digest: 7825bfca95447946cecd4b65b758f1045fd5770eced2fb20e8f8a443bc27598a
createdAt: "2024-03-15T03:05:47Z"

1 change: 1 addition & 0 deletions best-practices-cel/require-labels/.chainsaw-test/bad-pod-nolabel.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,4 @@ spec:
containers:
- name: busybox
image: busybox:1.35

Loading