
Commit 4c51d98

Merge pull request #22 from suhasgumma/C-0077
ValidatingAdmissionPolicy for C-0077
2 parents 1cd23ff + 214e0e3 commit 4c51d98

6 files changed

+161
-0
lines changed

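--- a/controls/C-0077/policy.yaml
+++ b/controls/C-0077/policy.yaml
@@ -0,0 +1,61 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0077-deny-resources-without-configured-list-of-k8s-common-labels-not-set"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: kubescape.io/v1
+    kind: ControlConfiguration
+  matchConstraints:
+    resourceRules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["pods"]
+      - apiGroups: ["apps"]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["deployments","replicasets","daemonsets","statefulsets"]
+      - apiGroups: ["batch"]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["jobs","cronjobs"]
+  validations:
+    - expression: >
+        object.kind != 'Pod' ||
+        (
+          has(object.metadata.labels) &&
+          !(object.metadata.labels.all(label, params.settings.k8sRecommendedLabels.all(
+            labelInList, labelInList != label
+          )))
+        )
+      message: "Pod doesn't have any k8s common label from the configured list! (see more at https://hub.armosec.io/docs/c-0077)"
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) ||
+        (
+          has(object.metadata.labels) &&
+          !(object.metadata.labels.all(label, params.settings.k8sRecommendedLabels.all(
+            labelInList, labelInList != label
+          ))) &&
+          has(object.spec.template.metadata) &&
+          has(object.spec.template.metadata.labels) &&
+          !(object.spec.template.metadata.labels.all(label, params.settings.k8sRecommendedLabels.all(
+            labelInList, labelInList != label
+          )))
+        )
+      message: "Workload or Pod in workload doesn't have any k8s common label from the configured list! (see more at https://hub.armosec.io/docs/c-0077)"
+    - expression: >
+        object.kind != 'CronJob' ||
+        (
+          has(object.metadata.labels) &&
+          !(object.metadata.labels.all(label, params.settings.k8sRecommendedLabels.all(
+            labelInList, labelInList != label
+          ))) &&
+          has(object.spec.jobTemplate.metadata) &&
+          has(object.spec.jobTemplate.metadata.labels) &&
+          !(object.spec.jobTemplate.metadata.labels.all(label, params.settings.k8sRecommendedLabels.all(
+            labelInList, labelInList != label
+          )))
+        )
+      message: "CronJob or Pod in workload doesn't have any k8s common label from the configured list! (see more at https://hub.armosec.io/docs/c-0077)"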
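Review bot: The third validation's message says "CronJob or Pod in workload", but its expression only inspects `object.spec.jobTemplate.metadata.labels`, i.e. the labels the created Job will carry, not the pod template at `object.spec.jobTemplate.spec.template.metadata.labels`; a CronJob whose Job is labelled but whose pods are not is admitted, whereas the second validation does descend into `spec.template` for Job and the other workload kinds. Either add the matching `has(...)` guards and `!(... .all(label, params.settings.k8sRecommendedLabels.all(labelInList, labelInList != label)))` check for `object.spec.jobTemplate.spec.template.metadata.labels`, or narrow the message to what is actually checked. Separately, `failurePolicy: Fail` together with `paramKind` presumably means that a binding with no resolvable ControlConfiguration makes `params.settings` error at evaluation time and every matched CREATE/UPDATE on pods and workloads is denied rather than allowed, so a comment above `failurePolicy` such as `# Fail-closed: the bound ControlConfiguration must exist or all matched requests are rejected` would save operators a surprise. The repeated double negation `!(x.all(label, list.all(labelInList, labelInList != label)))` reads more directly as `x.exists(label, label in params.settings.k8sRecommendedLabels)` in all three expressions.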

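--- a/controls/C-0077/tests.json
+++ b/controls/C-0077/tests.json
@@ -0,0 +1,45 @@
+[
+  {
+    "name": "Pod without one of configured common labels is blocked",
+    "template": "pod.yaml",
+    "expected": "fail",
+    "field_change_list": [
+    ]
+  },
+  {
+    "name": "Pod with label \"app.kubernetes.io/name\" is allowed",
+    "template": "pod-for-list-items.yaml",
+    "expected": "pass",
+    "field_change_list": [
+    ]
+  },
+  {
+    "name": "Deployment and its PodSpec without one of configured common labels is blocked",
+    "template": "deployment.yaml",
+    "expected": "fail",
+    "field_change_list": [
+    ]
+  },
+  {
+    "name": "Deployment with label \"app.kubernetes.io/name\" and its PodSpec without one of configured common labels is blocked",
+    "template": "deployment-with-common-label-1.yaml",
+    "expected": "fail",
+    "field_change_list": [
+    ]
+  },
+  {
+    "name": "Deployment without one of configured common labels and its PodSpec with label \"app.kubernetes.io/name\" is blocked",
+    "template": "deployment-with-common-label-2.yaml",
+    "expected": "fail",
+    "field_change_list": [
+    ]
+  },
+  {
+    "name": "Deployment and PodSpec with label \"app.kubernetes.io/name\" is allowed",
+    "template": "deployment-for-list-items.yaml",
+    "expected": "pass",
+    "field_change_list": [
+    ]
+  }
+
+]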
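Review bot: The CronJob validation in controls/C-0077/policy.yaml has no case in this suite: every entry uses a Pod or Deployment template, so the `spec.jobTemplate` branch, and likewise the Job/ReplicaSet/DaemonSet/StatefulSet path of the second expression, is never exercised. A failing CronJob case (no labels) and a passing one (the configured label on both the CronJob and its jobTemplate) would pin the behaviour the policy's "CronJob or Pod in workload" message promises; the same pair for a Job would cover the `spec.template` path. The stray empty line before the closing `]` (rendered line 44) is harmless but worth dropping for a clean file.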

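--- a/test-resources/deployment-for-list-items.yaml
+++ b/test-resources/deployment-for-list-items.yaml
@@ -4,6 +4,7 @@ metadata:
   name: test-deployment
   labels:
     admission-policy-test: abc
+    app.kubernetes.io/name: myApp
 spec:
   replicas: 1
   selector:
@@ -13,6 +14,7 @@ spec:
     metadata:
       labels:
         app: test-deployment
+        app.kubernetes.io/name: myApp
     spec:
       containers:
         - name: sleep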
@@ -0,0 +1,26 @@
1+
apiVersion: apps/v1
2+
kind: Deployment
3+
metadata:
4+
name: test-deployment
5+
labels:
6+
admission-policy-test: abc
7+
app.kubernetes.io/name: myApp
8+
spec:
9+
replicas: 1
10+
selector:
11+
matchLabels:
12+
app: test-deployment
13+
template:
14+
metadata:
15+
labels:
16+
app: test-deployment
17+
spec:
18+
containers:
19+
- name: sleep
20+
image: alpine
21+
command: ["sudo","sh"]
22+
args: ["-c", "while true; do sleep 1; done"]
23+
securityContext:
24+
capabilities:
25+
add:
26+
- SYS_ADM
@@ -0,0 +1,26 @@
1+
apiVersion: apps/v1
2+
kind: Deployment
3+
metadata:
4+
name: test-deployment
5+
labels:
6+
admission-policy-test: abc
7+
spec:
8+
replicas: 1
9+
selector:
10+
matchLabels:
11+
app: test-deployment
12+
template:
13+
metadata:
14+
labels:
15+
app: test-deployment
16+
app.kubernetes.io/name: myApp
17+
spec:
18+
containers:
19+
- name: sleep
20+
image: alpine
21+
command: ["sudo","sh"]
22+
args: ["-c", "while true; do sleep 1; done"]
23+
securityContext:
24+
capabilities:
25+
add:
26+
- SYS_ADM

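--- a/test-resources/pod-for-list-items.yaml
+++ b/test-resources/pod-for-list-items.yaml
@@ -4,6 +4,7 @@ metadata:
   name: test-pod
   labels:
     admission-policy-test: abc
+    app.kubernetes.io/name: myApp
 spec:
   containers:
     - name: sleep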
