Add Ephemeral Credentials TTL Validator Policy

.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,85 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: TestCase
+metadata:
+  name: simple-ttl-validator
+policies:
+  - ../simple-policy.yaml
+resources:
+  - ../test-compliant-secret.yaml
+  - ../test-non-compliant-secret.yaml
+  - ../test-partial-compliance-secret.yaml
+results:
+  - policy: simple-ttl-validator
+    rule: require-ttl-annotation
+    resource: test-secret-with-ttl
+    kind: Secret
+    result: pass
+  - policy: simple-ttl-validator
+    rule: require-ttl-annotation
+    resource: test-secret-no-ttl
+    kind: Secret
+    result: fail
+  - policy: simple-ttl-validator
+    rule: require-ttl-annotation
+    resource: test-secret-invalid-ttl
+    kind: Secret
+    result: pass # It has the annotation, even though the format is invalid
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: simple-ttl-validator
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: require-ttl-annotation
+      match:
+        any:
+        - resources:
+            kinds:
+              - Secret
+      exclude:
+        any:
+        - resources:
+            namespaces:
+              - kube-system
+              - kube-public
+      validate:
+        message: "Secret must have a TTL annotation."
+        pattern:
+          metadata:
+            annotations:
+              "secrets.kubernetes.io/ttl": "?*"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-secret-with-ttl
+  annotations:
+    secrets.kubernetes.io/ttl: "24h"
+type: Opaque
+data:
+  username: YWRtaW4=  # admin
+  password: cGFzc3dvcmQxMjM=  # password123
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-secret-no-ttl
+  # No TTL annotation present
+type: Opaque
+data:
+  username: YWRtaW4=  # admin
+  password: cGFzc3dvcmQxMjM=  # password123
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-secret-invalid-ttl
+  annotations:
+    secrets.kubernetes.io/ttl: "invalid-format"  # Invalid format, should be a duration
+type: Opaque
+data:
+  username: YWRtaW4=  # admin
+  password: cGFzc3dvcmQxMjM=  # password123 

security/ephemeral-credentials-validator/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,41 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: simple-ttl-validator
+spec:
+  # Define the steps of the Chainsaw test
+  steps:
+  # Step 1: Apply the TTL validator policy
+  - name: apply-policy
+    try:
+    - apply:
+        file: simple-policy.yaml
+    assert:
+    - check:
+        kind: ClusterPolicy
+        name: simple-ttl-validator
+        namespace: ""
+
+  # Step 2: Test with a compliant secret (with TTL annotation)
+  - name: test-compliant-secret
+    try:
+    - apply:
+        file: test-compliant-secret.yaml
+    assert:
+    - check:
+        kind: Secret
+        name: test-secret-with-ttl
+        namespace: default
+
+  # Step 3: Test with a non-compliant secret (without TTL annotation)
+  - name: test-non-compliant-secret
+    try:
+    - apply:
+        file: test-non-compliant-secret.yaml
+    assert:
+    - check:
+        kind: Secret
+        name: test-secret-no-ttl
+        namespace: default
+        expectedValidation:
+          messageRegex: "Secret must have a TTL annotation" 

security/ephemeral-credentials-validator/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,8 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: simple-ttl-validator
+status:
+  conditions:
+    - type: Ready
+      status: "True" 

security/ephemeral-credentials-validator/.chainsaw.yaml

@@ -0,0 +1,14 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/configuration-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+  name: simple-ttl-validator-config
+spec:
+  parallel: 1
+  failFast: true
+  namespace:
+    createNamespace: true
+    name: default
+    generateName: false
+  reportFormat: pretty
+  testFile: ".chainsaw-test/chainsaw-test.yaml" 

security/ephemeral-credentials-validator/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,85 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: TestCase
+metadata:
+  name: simple-ttl-validator
+policies:
+  - ../simple-policy.yaml
+resources:
+  - ../test-compliant-secret.yaml
+  - ../test-non-compliant-secret.yaml
+  - ../test-partial-compliance-secret.yaml
+results:
+  - policy: simple-ttl-validator
+    rule: require-ttl-annotation
+    resource: test-secret-with-ttl
+    kind: Secret
+    result: pass
+  - policy: simple-ttl-validator
+    rule: require-ttl-annotation
+    resource: test-secret-no-ttl
+    kind: Secret
+    result: fail
+  - policy: simple-ttl-validator
+    rule: require-ttl-annotation
+    resource: test-secret-invalid-ttl
+    kind: Secret
+    result: pass # It has the annotation, even though the format is invalid
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: simple-ttl-validator
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: require-ttl-annotation
+      match:
+        any:
+        - resources:
+            kinds:
+              - Secret
+      exclude:
+        any:
+        - resources:
+            namespaces:
+              - kube-system
+              - kube-public
+      validate:
+        message: "Secret must have a TTL annotation."
+        pattern:
+          metadata:
+            annotations:
+              "secrets.kubernetes.io/ttl": "?*"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-secret-with-ttl
+  annotations:
+    secrets.kubernetes.io/ttl: "24h"
+type: Opaque
+data:
+  username: YWRtaW4=  # admin
+  password: cGFzc3dvcmQxMjM=  # password123
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-secret-no-ttl
+  # No TTL annotation present
+type: Opaque
+data:
+  username: YWRtaW4=  # admin
+  password: cGFzc3dvcmQxMjM=  # password123
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-secret-invalid-ttl
+  annotations:
+    secrets.kubernetes.io/ttl: "invalid-format"  # Invalid format, should be a duration
+type: Opaque
+data:
+  username: YWRtaW4=  # admin
+  password: cGFzc3dvcmQxMjM=  # password123