feat: add other policies in CEL expressions - Part 5

.github/workflows/test.yml

@@ -53,6 +53,7 @@ jobs:
           - ^other$/^re[c-q]
           - ^other$/^res
           - ^other$/^[s-z]
+          - ^other-cel$/^res
           - ^pod-security$
           - ^pod-security-cel$
           - ^psa$

other-cel/restrict-annotations/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,39 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-annotations
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../restrict-annotations.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: restrict-annotations
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-bad.yaml
+    - apply:
+        file: podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: podcontroller-bad.yaml
+

other-cel/restrict-annotations/.chainsaw-test/pod-bad.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    fluxcd.io/foo: bar
+  name: badpod01
+spec:
+  containers:
+    - name: busybox
+      image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    bar: foo
+    fluxcd.io/foo: bar
+    foo: bar
+  name: badpod02
+spec:
+  containers:
+    - name: busybox
+      image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    bar: foo
+    fluxcd.io/hello: bar
+    foo: bar
+  name: badpod03
+spec:
+  containers:
+    - name: busybox
+      image: busybox:1.35
+

other-cel/restrict-annotations/.chainsaw-test/pod-good.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod01
+spec:
+  containers:
+    - name: busybox
+      image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    bar: foo
+    flux.io/foo: bar
+    foo: bar
+  name: goodpod02
+spec:
+  containers:
+    - name: busybox
+      image: busybox:1.35
+

other-cel/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    fluxcd.io/foo: bar
+  labels:
+    app: busybox
+  name: baddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - name: busybox
+        image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  annotations:
+    foo: bar
+    fluxcd.io/foo: bar
+    bar: foo
+  name: badcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: busybox
+            image: busybox:1.35
+          restartPolicy: OnFailure
+

other-cel/restrict-annotations/.chainsaw-test/podcontroller-good.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    flux.io/foo: bar
+  labels:
+    app: busybox
+  name: gooddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - name: busybox
+        image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  annotations:
+    foo: bar
+  name: goodcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: busybox
+            image: busybox:1.35
+          restartPolicy: OnFailure
+

other-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,7 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-annotations
+status:
+  ready: true
+

other-cel/restrict-annotations/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,28 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: restrict-annotations
+policies:
+- ../restrict-annotations.yaml
+resources:
+- resource.yaml
+results:
+- kind: Deployment
+  policy: restrict-annotations
+  resources:
+  - mydeploy
+  result: fail
+  rule: block-flux-v1
+- kind: Pod
+  policy: restrict-annotations
+  resources:
+  - myapp-pod
+  result: fail
+  rule: block-flux-v1
+- kind: CronJob
+  policy: restrict-annotations
+  resources:
+  - hello
+  result: pass
+  rule: block-flux-v1
+

other-cel/restrict-annotations/.kyverno-test/resource.yaml

@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: myapp
+  name: myapp-pod
+  annotations:
+    fluxcd.io/title: Annotation for pods
+spec:
+  containers:
+  - image: nginx
+    name: myapp-pod
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: myapp
+  name: mydeploy
+  annotations:
+    fluxcd.io/title: Annotation for deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: myapp
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+      - image: nginx
+        name: nginx
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: hello
+  annotations:
+    gauss.io/title: Annotation for CronJob
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: hello
+            image: busybox
+          restartPolicy: OnFailure
+

other-cel/restrict-annotations/artifacthub-pkg.yml

@@ -0,0 +1,24 @@
+name: restrict-annotations-cel
+version: 1.0.0
+displayName: Restrict Annotations in CEL expressions
+description: >-
+  Some annotations control functionality driven by other cluster-wide tools and are not normally set by some class of users. This policy prevents the use of an annotation beginning with `fluxcd.io/`. This can be useful to ensure users either don't set reserved annotations or to force them to use a newer version of an annotation.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-annotations/restrict-annotations.yaml
+  ```
+keywords:
+  - kyverno
+  - Sample
+  - CEL Expressions
+readme: |
+  Some annotations control functionality driven by other cluster-wide tools and are not normally set by some class of users. This policy prevents the use of an annotation beginning with `fluxcd.io/`. This can be useful to ensure users either don't set reserved annotations or to force them to use a newer version of an annotation.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Sample in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Pod, Annotation"
+digest: 55b4953e1ca6aa6038d407aae539705d9a8c1136d2ffc277df1686a08ac7c9a8
+createdAt: "2024-04-12T15:55:04Z"
+

other-cel/restrict-annotations/restrict-annotations.yaml

@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-annotations
+  annotations:
+    policies.kyverno.io/title: Restrict Annotations in CEL expressions
+    policies.kyverno.io/category: Sample in CEL 
+    policies.kyverno.io/minversion: 1.11.0
+    policies.kyverno.io/subject: Pod, Annotation
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/description: >-
+      Some annotations control functionality driven by other cluster-wide tools and are not
+      normally set by some class of users. This policy prevents the use of an annotation beginning
+      with `fluxcd.io/`. This can be useful to ensure users either
+      don't set reserved annotations or to force them to use a newer version of an annotation.
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: block-flux-v1
+    match:
+      any:
+      - resources:
+          kinds:
+          - Deployment
+          - CronJob
+          - Job
+          - StatefulSet
+          - DaemonSet
+          - Pod
+    validate:
+      cel:
+        expressions:
+          - expression: "!has(object.metadata.annotations) || !object.metadata.annotations.exists(annotation, annotation.startsWith('fluxcd.io/'))"
+            message: Cannot use Flux v1 annotation.
+

other-cel/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,39 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-binding-clusteradmin
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../restrict-binding-clusteradmin.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: restrict-binding-clusteradmin
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: rb-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: rb-bad.yaml
+    - apply:
+        file: crb-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: crb-bad.yaml
+