
Commit b8c325f

committed
Verify security contexts using the Kyverno CLI when available
1 parent 4a42bf4 commit b8c325f

2 files changed

+48
-0
lines changed

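--- /dev/null
+++ b/<PATH-NOT-SHOWN-1>
@@ -0,0 +1,11 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+command -v kustomize || { echo Skipping... ; exit ; }
+command -v kyverno || { echo Skipping... ; exit ; }
+
+set -e
+kustomize build ../../../../testing/policies/kyverno > policies.yaml
+kyverno apply --cluster --namespace "${NAMESPACE}" policies.yaml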
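Review bot: Lines 6 and 7 exit with status 0 when kustomize or kyverno is missing, so a runner without the CLI passes this step without verifying any security context, and nothing in the test log distinguishes that from a genuine pass. Writing the message to stderr and keeping the skip explicit, e.g. `command -v kyverno >/dev/null || { echo 'kyverno CLI not found; skipping policy check' >&2 ; exit 0 ; }`, plus an opt-in variable that turns the skip into a failure on runners where the CLI is expected, keeps the best-effort behaviour while making a silent bypass visible. Line 11 also passes `"${NAMESPACE}"` unchecked; `"${NAMESPACE:?}"` makes an unset namespace a hard error instead of an empty `--namespace` argument that checks the wrong scope. Whether a reported violation actually fails the step depends on `kyverno apply` exiting non-zero for results from policies patched to audit mode, which is worth confirming for the CLI version in use, since otherwise the step only prints findings.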
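--- /dev/null
+++ b/<PATH-NOT-SHOWN-2>
@@ -0,0 +1,37 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- https://github.com/kyverno/policies/pod-security/restricted
+
+resources:
+# CVE-2020-14386: https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2020-012
+# CVE-2021-22555: https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2021-015
+- https://raw.githubusercontent.com/kyverno/policies/main/best-practices/require_drop_all/require_drop_all.yaml
+- https://raw.githubusercontent.com/kyverno/policies/main/best-practices/require_ro_rootfs/require_ro_rootfs.yaml
+
+# CVE-2020-8554: https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2020-015
+- https://raw.githubusercontent.com/kyverno/policies/main/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml
+
+patches:
+- target:
+group: kyverno.io
+kind: ClusterPolicy
+patch: |-
+# Ensure all policies "audit" rather than "enforce".
+- { op: replace, path: /spec/validationFailureAction, value: audit }
+
+# Issue: [sc-11286]
+# OpenShift 4.10 forbids any/all seccomp profiles. Remove the policy for now.
+# - https://github.com/openshift/cluster-kube-apiserver-operator/issues/1325
+# - https://github.com/kyverno/policies/tree/main/pod-security/restricted/restrict-seccomp-strict
+- target:
+group: kyverno.io
+kind: ClusterPolicy
+name: restrict-seccomp-strict
+patch: |-
+$patch: delete
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+name: restrict-seccomp-strict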
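Review bot: Lines 5, 10, 11 and 14 pull the policies from the kyverno/policies repository's `main` branch with no ref, so each run checks against whatever that branch holds at the time, and an upstream edit or a compromise of that repository changes what this test verifies without any change being reviewed here; pin each input to a tag or commit, e.g. `- https://github.com/kyverno/policies/pod-security/restricted?ref=<commit-sha>` for the base and the same commit in place of `main` in the three raw URLs. `bases:` on line 4 is deprecated in kustomize in favour of listing the directory under `resources:`, which also keeps every remote input in one list for review. The first patch (lines 17–22) has no `name:` selector, so it switches every `ClusterPolicy` to audit, including the CVE-motivated ones added above, not only the restricted profile; if that is intended, the comment on line 21 should say so, and if not, narrow the target as the second patch does.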
