Commit 1fd139b

Add more tests for policy to block access to signing server (#169)
* Test to make sure firewall is created for namespaces pre-dating the policy creation.
* Test to make sure firewall gets re-created when deleted.
* Test to make sure firewall is restored on modification.

Also fix typo and indentation.

KFLUXINFRA-2676

Signed-off-by: Hugo Arès <hares@redhat.com>
1 parent 2604244 commit 1fd139b

1 file changed

Lines changed: 232 additions & 11 deletions

File tree

  • components/policies/internal-staging/block-signing-server-access/.chainsaw-test

components/policies/internal-staging/block-signing-server-access/.chainsaw-test/chainsaw-test.yaml

@@ -2,12 +2,12 @@
22
apiVersion: chainsaw.kyverno.io/v1alpha1
33
kind: Test
44
metadata:
5-
name: egressfirewall-created-in-all-ns-but-one
5+
name: egressfirewall-created-in-all-new-ns-but-one
66
spec:
77
concurrent: false
88
description: |
99
Tests that the ClusterPolicy for generating EgressFirewall is
10-
is creating the EgressFirewall in all namespace expect in internal-services.
10+
is creating the EgressFirewall in all new namespaces except in internal-services.
1111
steps:
1212
- name: setup-crd
1313
try:
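Review bot: the description at lines 9-10 still reads "is / is creating" after the typo fix; the "expect" -> "except" correction is right, but the duplicated "is" across the two lines of the block scalar remains. Suggest collapsing to "Tests that the ClusterPolicy for generating EgressFirewall" / "creates the EgressFirewall in all new namespaces except in internal-services." The renamed test `egressfirewall-created-in-all-new-ns-but-one` pairs well with the new `-existing-ns-` test added later in this file.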
@@ -42,6 +42,11 @@ spec:
4242
metadata:
4343
name: default
4444
namespace: test-ns
45+
spec:
46+
egress:
47+
- to:
48+
dnsName: signserver.devel.redhat.com
49+
type: Deny
4550
- name: create-internal-services-namespace
4651
try:
4752
- apply:
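Review bot: tightening the `verify-egress-firewall-created` assert to include the `spec` (lines 45-49) is the right call, since matching only on `metadata` would pass even if the generated EgressFirewall carried no Deny rule for `signserver.devel.redhat.com`. Because the same expected `spec` block is now repeated verbatim in every test in this file, consider moving it to a file under `resources/` (alongside `mock-egressfirewall-crd.yaml`) and asserting with `assert: file:`, so that a future change to the policy's generated rule is updated in one place.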
@@ -52,12 +57,228 @@ spec:
5257
name: internal-services
5358
- name: verify-no-egress-firewall-in-internal-services
5459
try:
55-
- delete:
56-
ref:
57-
apiVersion: k8s.ovn.org/v1
58-
kind: EgressFirewall
59-
namespace: internal-services
60-
name: default
61-
expect:
62-
- check:
63-
($error != null): true
60+
- delete:
61+
ref:
62+
apiVersion: k8s.ovn.org/v1
63+
kind: EgressFirewall
64+
namespace: internal-services
65+
name: default
66+
expect:
67+
- check:
68+
($error != null): true
69+
---
70+
apiVersion: chainsaw.kyverno.io/v1alpha1
71+
kind: Test
72+
metadata:
73+
name: egressfirewall-created-in-all-existing-ns-but-one
74+
spec:
75+
concurrent: false
76+
description: |
77+
Tests that the ClusterPolicy for generating EgressFirewall is
78+
is creating the EgressFirewall in all existing namespaces except in internal-services.
79+
steps:
80+
- name: setup-crd
81+
try:
82+
- apply:
83+
file: resources/mock-egressfirewall-crd.yaml
84+
- assert:
85+
file: resources/mock-egressfirewall-crd.yaml
86+
- name: setup-permissions
87+
try:
88+
- apply:
89+
file: ../kyverno_rbac.yaml
90+
- name: create-test-namespace
91+
try:
92+
- apply:
93+
resource:
94+
apiVersion: v1
95+
kind: Namespace
96+
metadata:
97+
name: test-ns
98+
- name: create-internal-services-namespace
99+
try:
100+
- apply:
101+
resource:
102+
apiVersion: v1
103+
kind: Namespace
104+
metadata:
105+
name: internal-services
106+
- name: Apply Kyverno ClusterPolicy and assert it exists
107+
try:
108+
- apply:
109+
file: ../block-signing-server-access.yaml
110+
- assert:
111+
file: chainsaw-assert-clusterpolicy.yaml
112+
- name: verify-egress-firewall-created
113+
try:
114+
- assert:
115+
resource:
116+
apiVersion: k8s.ovn.org/v1
117+
kind: EgressFirewall
118+
metadata:
119+
name: default
120+
namespace: test-ns
121+
spec:
122+
egress:
123+
- to:
124+
dnsName: signserver.devel.redhat.com
125+
type: Deny
126+
- name: verify-no-egress-firewall-in-internal-services
127+
try:
128+
- delete:
129+
ref:
130+
apiVersion: k8s.ovn.org/v1
131+
kind: EgressFirewall
132+
namespace: internal-services
133+
name: default
134+
expect:
135+
- check:
136+
($error != null): true
137+
---
138+
apiVersion: chainsaw.kyverno.io/v1alpha1
139+
kind: Test
140+
metadata:
141+
name: egressfirewall-recreated-if-deleted
142+
spec:
143+
concurrent: false
144+
description: |
145+
Tests that the ClusterPolicy for generating EgressFirewall is
146+
is recreating the EgressFirewall if deleted
147+
steps:
148+
- name: setup-crd
149+
try:
150+
- apply:
151+
file: resources/mock-egressfirewall-crd.yaml
152+
- assert:
153+
file: resources/mock-egressfirewall-crd.yaml
154+
- name: setup-permissions
155+
try:
156+
- apply:
157+
file: ../kyverno_rbac.yaml
158+
- name: Apply Kyverno ClusterPolicy and assert it exists
159+
try:
160+
- apply:
161+
file: ../block-signing-server-access.yaml
162+
- assert:
163+
file: chainsaw-assert-clusterpolicy.yaml
164+
- name: create-test-namespace
165+
try:
166+
- apply:
167+
resource:
168+
apiVersion: v1
169+
kind: Namespace
170+
metadata:
171+
name: test-ns
172+
- name: verify-egress-firewall-created
173+
try:
174+
- assert:
175+
resource:
176+
apiVersion: k8s.ovn.org/v1
177+
kind: EgressFirewall
178+
metadata:
179+
name: default
180+
namespace: test-ns
181+
spec:
182+
egress:
183+
- to:
184+
dnsName: signserver.devel.redhat.com
185+
type: Deny
186+
- name: delete-egress-firewall
187+
try:
188+
- delete:
189+
ref:
190+
apiVersion: k8s.ovn.org/v1
191+
kind: EgressFirewall
192+
namespace: test-ns
193+
name: default
194+
- name: verify-egress-firewall-recreated
195+
try:
196+
- assert:
197+
resource:
198+
apiVersion: k8s.ovn.org/v1
199+
kind: EgressFirewall
200+
metadata:
201+
name: default
202+
namespace: test-ns
203+
spec:
204+
egress:
205+
- to:
206+
dnsName: signserver.devel.redhat.com
207+
type: Deny
208+
---
209+
apiVersion: chainsaw.kyverno.io/v1alpha1
210+
kind: Test
211+
metadata:
212+
name: egressfirewall-restored-if-modified
213+
spec:
214+
concurrent: false
215+
description: |
216+
Tests that the ClusterPolicy for generating EgressFirewall
217+
restores the EgressFirewall if it is modified.
218+
steps:
219+
- name: setup-crd
220+
try:
221+
- apply:
222+
file: resources/mock-egressfirewall-crd.yaml
223+
- assert:
224+
file: resources/mock-egressfirewall-crd.yaml
225+
- name: setup-permissions
226+
try:
227+
- apply:
228+
file: ../kyverno_rbac.yaml
229+
- name: Apply Kyverno ClusterPolicy and assert it exists
230+
try:
231+
- apply:
232+
file: ../block-signing-server-access.yaml
233+
- assert:
234+
file: chainsaw-assert-clusterpolicy.yaml
235+
- name: create-test-namespace
236+
try:
237+
- apply:
238+
resource:
239+
apiVersion: v1
240+
kind: Namespace
241+
metadata:
242+
name: test-ns
243+
- name: verify-egress-firewall-created
244+
try:
245+
- assert:
246+
resource:
247+
apiVersion: k8s.ovn.org/v1
248+
kind: EgressFirewall
249+
metadata:
250+
name: default
251+
namespace: test-ns
252+
spec:
253+
egress:
254+
- to:
255+
dnsName: signserver.devel.redhat.com
256+
type: Deny
257+
- name: modify-egress-firewall
258+
try:
259+
- apply:
260+
resource:
261+
apiVersion: k8s.ovn.org/v1
262+
kind: EgressFirewall
263+
metadata:
264+
name: default
265+
namespace: test-ns
266+
spec:
267+
egress:
268+
- to:
269+
dnsName: malicious.example.com
270+
type: Allow
271+
- name: verify-egress-firewall-restored
272+
try:
273+
- assert:
274+
resource:
275+
apiVersion: k8s.ovn.org/v1
276+
kind: EgressFirewall
277+
metadata:
278+
name: default
279+
namespace: test-ns
280+
spec:
281+
egress:
282+
- to:
283+
dnsName: signserver.devel.redhat.com
284+
type: Deny
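Review bot: the "is / is creating" wording from the first test is copied into the new descriptions at lines 77-78 and 145-146 ("...EgressFirewall is" / "is creating..."), and line 146 lacks a trailing period; suggest "creates the EgressFirewall in all existing namespaces except in internal-services." and "recreates the EgressFirewall if it is deleted." to match the cleaner phrasing used at lines 216-217. Two smaller points in the same hunk: the step named `Apply Kyverno ClusterPolicy and assert it exists` (lines 106, 158, 229) breaks the kebab-case convention used by every other step (`setup-crd`, `create-test-namespace`, `verify-egress-firewall-recreated`), and in `egressfirewall-restored-if-modified` the tampering step (lines 257-270) swaps the single egress entry for an `Allow` to `malicious.example.com`, so the follow-up assert on `egress[0]` being the `Deny` for `signserver.devel.redhat.com` does distinguish the tampered state from the restored one; a short comment in the description saying that the test relies on the policy synchronizing the generated resource would help the next reader understand why `apply` is expected to be reverted.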
