feat: add pass/fail yamls for nsa rules (#532)

* docs: add pass/fail yamls for nsa rules

feat: add pass/fail yamls for nsa rules (#532)
* docs: add pass/fail yamls for nsa rules
88820031 · hadar-co · GitHub · 35a08d80 · 88820031 · 88820031
Unverified Commit 88820031 authored 3 years ago by hadar-co Committed by GitHub 3 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 394 additions and 1 deletion
+394 -1
--- a/pkg/policy/nsaHardeningRules.yaml
+++ b/pkg/policy/nsaHardeningRules.yaml
@@ -298,7 +298,7 @@
                      const: true
                  required:
                    - runAsNonRoot
-    anyOf:
+    allOf:
      - $ref: "#/definitions/containerSecurityPattern"
      - $ref: "#/definitions/podSecurityContextPattern"
    additionalProperties:

--- a/pkg/policy/nsaHardeningRules/tests/45-fail.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/45-fail.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: example-depl
+  namespace: exmpl
+  labels:
+    environment: prod
+    app: web
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      namespace: exmpl
+      labels:
+        app: web
+    spec:
+      containers:
+        - name: front-end
+          image: nginx:latest
+          readinessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: "64m"
+            limits:
+              cpu: "500m"
+          ports:
+            - containerPort: 80
+        - name: rss-reader
+          image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+              httpHeaders:
+              - name: Custom-Header
+                value: Awesome
+          readinessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: "64m"
+              memory: "128Mi"
+            limits:
+              memory: "128Mi"
+              cpu: "500m"
+          ports:
+            - containerPort: 88
--- a/pkg/policy/nsaHardeningRules/tests/45-pass.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/45-pass.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: example-depl
+  namespace: exmpl
+  labels:
+    environment: prod
+    app: web
+    on-call: yoda-at-datree.io
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      namespace: exmpl
+      labels:
+        app: web
+    spec:
+      restartPolicy: Always
+      containers:
+        - name: front-end
+          image: nginx@sha256:0a564e80a3156f2cc825d1720f303d59bd521da19bcbd01316870e1313ecbd23
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsUser: 810
+          readinessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "64m"
+            limits:
+              cpu: "500m"
+          ports:
+            - containerPort: 80
+        - name: rss-reader
+          image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+          securityContext:
+            readOnlyRootFilesystem: true
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+              httpHeaders:
+                - name: Custom-Header
+                  value: Awesome
+          readinessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: "64m"
+              memory: "128Mi"
+            limits:
+              memory: "128Mi"
+              cpu: "500m"
+          ports:
+            - containerPort: 88
--- a/pkg/policy/nsaHardeningRules/tests/46-fail.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/46-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pd
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /test-pd
+      name: test-volume
+  volumes:
+  - name: test-volume
+    hostPath:
+      path: /data
+      type: Directory
--- a/pkg/policy/nsaHardeningRules/tests/46-pass.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/46-pass.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pd
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /test-pd
+      name: test-volume
+  volumes:
+  - name: test-volume
--- a/pkg/policy/nsaHardeningRules/tests/47-fail.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/47-fail.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  replicas: 1
+  template:
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:latest
--- a/pkg/policy/nsaHardeningRules/tests/47-pass.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/47-pass.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:latest
+          securityContext:
+            allowPrivilegeEscalation: false
--- a/pkg/policy/nsaHardeningRules/tests/48-fail.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/48-fail.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: default
+  name: pod-exec
+rules:
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: [""]
--- a/pkg/policy/nsaHardeningRules/tests/48-pass.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/48-pass.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: default
+  name: pod-exec
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: [""]
--- a/pkg/policy/nsaHardeningRules/tests/49-fail.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/49-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: security-context-demo-4
+spec:
+  containers:
+  - name: sec-ctx-4
+    image: gcr.io/google-samples/node-hello:1.0
+    securityContext:
+      capabilities:
+        add: ["NET_ADMIN", "SYS_TIME"]
--- a/pkg/policy/nsaHardeningRules/tests/49-pass.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/49-pass.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: security-context-demo-4
+spec:
+  containers:
+  - name: sec-ctx-4
+    image: gcr.io/google-samples/node-hello:1.0
+    securityContext:
+      capabilities:
+        add: ["SYS_TIME"]
--- a/pkg/policy/nsaHardeningRules/tests/50-fail.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/50-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myPod
+spec:
+  containers:
+  - name: container
+    image: node
+    ports:
+    - containerPort: 80
+      hostPort: 8080
--- a/pkg/policy/nsaHardeningRules/tests/50-pass.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/50-pass.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myPod
+spec:
+  containers:
+  - name: container
+    image: node
+    ports:
+    - containerPort: 80
--- a/pkg/policy/nsaHardeningRules/tests/51-fail.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/51-fail.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myPod
+spec:
+  securityContext:
+    runAsUser: 2000
+    runAsGroup: 200
+  containers:
+  - name: myContainer
+    image: node
--- a/pkg/policy/nsaHardeningRules/tests/51-pass.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/51-pass.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myPod
+spec:
+  securityContext:
+    runAsUser: 2000
+    runAsGroup: 2000
+  containers:
+  - name: myContainer
+    image: node
--- a/pkg/policy/nsaHardeningRules/tests/52-fail.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/52-fail.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: example-depl
+  namespace: exmpl
+  labels:
+    environment: prod
+    app: web
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      namespace: exmpl
+      labels:
+        app: web
+    spec:
+      containers:
+        - name: front-end
+          image: nginx:latest
+          readinessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: "64m"
+            limits:
+              cpu: "500m"
+          ports:
+            - containerPort: 80
+        - name: rss-reader
+          image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+          securityContext:
+           runAsNonRoot: true
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+              httpHeaders:
+                - name: Custom-Header
+                  value: Awesome
+          readinessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: "64m"
+              memory: "128Mi"
+            limits:
+              memory: "128Mi"
+              cpu: "500m"
+          ports:
+            - containerPort: 88
--- a/pkg/policy/nsaHardeningRules/tests/52-pass.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/52-pass.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: example-depl
+  namespace: exmpl
+  labels:
+    environment: prod
+    app: web
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      namespace: exmpl
+      labels:
+        app: web
+    spec:
+      containers:
+        - name: front-end
+          image: nginx:latest
+          securityContext:
+           runAsNonRoot: true
+          readinessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: "64m"
+            limits:
+              cpu: "500m"
+          ports:
+            - containerPort: 80
+        - name: rss-reader
+          image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+          securityContext:
+           runAsNonRoot: true
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+              httpHeaders:
+                - name: Custom-Header
+                  value: Awesome
+          readinessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: "64m"
+              memory: "128Mi"
+            limits:
+              memory: "128Mi"
+              cpu: "500m"
+          ports:
+            - containerPort: 88
--- a/pkg/policy/nsaHardeningRules/tests/53-fail.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/53-fail.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: srvAcc
--- a/pkg/policy/nsaHardeningRules/tests/53-pass.yaml
+++ b/pkg/policy/nsaHardeningRules/tests/53-pass.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: srvAcc
+automountServiceAccountToken: false