PAAS validations (#228)

* PAAS validations * Add 'role=paas' label for PAAS pods * Validate account and role labels are correct for PAAS pods * Validate PAAS account is valid
OSC · Apr 2, 2024 · 5bed15a · 5bed15a
1 parent c268a21
commit 5bed15a
Show file tree

Hide file tree

Showing 14 changed files with 419 additions and 4 deletions.
diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kyverno-policies
 description: OSC Kyverno policies deployment
 type: application
-version: 0.25.0
+version: 0.26.0
 appVersion: "v1.11.4"
 maintainers:
   - name: treydock

diff --git a/charts/kyverno-policies/templates/add-role.yaml b/charts/kyverno-policies/templates/add-role.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-role
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+  - name: paas-add-role
+    match:
+      any:
+        - resources:
+            kinds:
+            - Pod
+            namespaceSelector:
+              matchExpressions:
+              - key: osc.edu/role
+                operator: In
+                values:
+                - paas
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          labels:
+            role: paas
diff --git a/charts/kyverno-policies/templates/pod-account-validation.yaml b/charts/kyverno-policies/templates/pod-account-validation.yaml
@@ -14,6 +14,15 @@ spec:
             - Pod
             namespaces:
             - "user-?*"
+        - resources:
+            kinds:
+            - Pod
+            namespaceSelector:
+              matchExpressions:
+              - key: osc.edu/role
+                operator: In
+                values:
+                - paas
     validate:
       message: "{{`{{ request.object.metadata.namespace }}`}} account {{`{{ request.object.metadata.labels.account }}`}} is not a valid project"
       pattern:
@@ -47,3 +56,41 @@ spec:
         - key: "{{`{{ request.object.metadata.labels.account }}`}}"
           operator: NotIn
           value: "{{`{{ userGroupMap.data.\"{{ request.object.metadata.namespace }}\" }}`}}"
+  - name: paas-user-authorized-for-account
+    match:
+      any:
+        - resources:
+            kinds:
+            - Pod
+            namespaceSelector:
+              matchExpressions:
+              - key: osc.edu/role
+                operator: In
+                values:
+                - paas
+    preconditions:
+    - key: "{{`{{ request.operation }}`}}"
+      operator: In
+      value: ["CREATE","UPDATE"]
+    - key: "{{`{{ request.object.metadata.labels.account || '' }}`}}"
+      operator: NotEquals
+      value: ""
+    - key: "{{`{{ serviceAccount }}`}}"
+      operator: NotEquals
+      value: ""
+    context:
+    - name: serviceAccount
+      apiCall:
+        urlPath: "/api/v1/namespaces/{{`{{ request.namespace }}`}}"
+        jmesPath: "metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" || ''"
+    - name: userGroupMap
+      configMap:
+        name: user-groups-map
+        namespace: k8-ldap-configmap
+    validate:
+      message: "{{`{{ serviceAccount }}`}} not authorized to charge against account {{`{{ request.object.metadata.labels.account }}`}}"
+      deny:
+        conditions:
+        - key: "{{`{{ request.object.metadata.labels.account }}`}}"
+          operator: NotIn
+          value: "{{`{{ userGroupMap.data.\"user-{{ serviceAccount }}\" }}`}}"
diff --git a/charts/kyverno-policies/templates/pod-role-validation.yaml b/charts/kyverno-policies/templates/pod-role-validation.yaml
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: pod-role-validation
+spec:
+  background: false
+  validationFailureAction: Enforce
+  rules:
+  - name: paas-require-role
+    match:
+      any:
+        - resources:
+            kinds:
+            - Pod
+            namespaceSelector:
+              matchExpressions:
+              - key: osc.edu/role
+                operator: In
+                values:
+                - paas
+    validate:
+      message: "role label must be set to 'paas'"
+      pattern:
+        metadata:
+          labels:
+            role: "paas"
diff --git a/tests/kyverno-policies/add-role/kyverno-test.yaml b/tests/kyverno-policies/add-role/kyverno-test.yaml
@@ -0,0 +1,22 @@
+---
+name: add-role
+policies:
+  - policy.yaml
+resources:
+  - resources.yaml
+variables: variables.yaml
+results:
+  - policy: add-role
+    rule: paas-add-role
+    resources:
+      - test-paas
+    patchedResource: test-paas-mutated.yaml
+    kind: Pod
+    result: pass
+  - policy: add-role
+    rule: paas-add-role
+    resources:
+      - test-skip
+      - test-skip-webservice
+    kind: Pod
+    result: skip
diff --git a/tests/kyverno-policies/add-role/resources.yaml b/tests/kyverno-policies/add-role/resources.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas
+  namespace: paas
+spec:
+  containers:
+    - name: nginx
+      image: nginx:latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-skip
+  namespace: user-test
+spec:
+  containers:
+    - name: nginx
+      image: nginx:latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-skip-webservice
+  namespace: webservice
+spec:
+  containers:
+    - name: nginx
+      image: nginx:latest
diff --git a/tests/kyverno-policies/add-role/test-paas-mutated.yaml b/tests/kyverno-policies/add-role/test-paas-mutated.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas
+  namespace: paas
+  labels:
+    role: paas
+spec:
+  containers:
+    - name: nginx
+      image: nginx:latest
diff --git a/tests/kyverno-policies/add-role/variables.yaml b/tests/kyverno-policies/add-role/variables.yaml
@@ -0,0 +1,18 @@
+policies:
+  - name: add-role
+    rules:
+      - name: paas-add-role
+        values:
+          role: test
+namespaceSelector:
+  - name: user-test
+    labels:
+      foo: bar
+  - name: webservice
+    labels:
+      osc.edu/role: webservice
+  - name: paas
+    labels:
+      osc.edu/role: paas
+      osc.edu/service-account: test
+      account: test
diff --git a/tests/kyverno-policies/pod-account-validation/kyverno-test.yaml b/tests/kyverno-policies/pod-account-validation/kyverno-test.yaml
@@ -6,6 +6,27 @@ resources:
   - resources.yaml
 variables: variables.yaml
 results:
+  - policy: pod-account-validation
+    rule: pods-user-account-prefix
+    resources:
+      - test-pass
+      - test-pass-paas
+    kind: Pod
+    result: pass
+  - policy: pod-account-validation
+    rule: pods-user-account-prefix
+    resources:
+      - test-fail
+      - test-fail-paas
+    kind: Pod
+    result: fail
+  - policy: pod-account-validation
+    rule: pods-user-account-prefix
+    resources:
+      - test-fail-prefix
+      - test-fail-prefix-paas
+    kind: Pod
+    result: fail
   - policy: pod-account-validation
     rule: pods-user-authorized-for-account
     resources:
@@ -28,9 +49,21 @@ results:
     namespace: user-test
     result: fail
   - policy: pod-account-validation
-    rule: pods-user-account-prefix
+    rule: paas-user-authorized-for-account
     resources:
-      - test-fail-prefix
+      - test-paas-skip
+      - test-paas-skip-op
+    kind: Pod
+    result: skip
+  - policy: pod-account-validation
+    rule: paas-user-authorized-for-account
+    resources:
+      - test-paas-pass
+    kind: Pod
+    result: pass
+  - policy: pod-account-validation
+    rule: paas-user-authorized-for-account
+    resources:
+      - test-paas-fail
     kind: Pod
-    namespace: user-test
     result: fail
diff --git a/tests/kyverno-policies/pod-account-validation/resources.yaml b/tests/kyverno-policies/pod-account-validation/resources.yaml
@@ -35,6 +35,18 @@ spec:
 ---
 apiVersion: v1
 kind: Pod
+metadata:
+  name: test-pass-paas
+  namespace: paas
+  labels:
+    account: PZS0001
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
 metadata:
   name: test-fail
   namespace: user-test
@@ -47,6 +59,18 @@ spec:
 ---
 apiVersion: v1
 kind: Pod
+metadata:
+  name: test-fail-paas
+  namespace: paas
+  labels:
+    account: PZS0002
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
 metadata:
   name: test-fail-prefix
   namespace: user-test
@@ -56,3 +80,61 @@ spec:
   containers:
   - name: nginx
     image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-fail-prefix-paas
+  namespace: paas
+  labels:
+    account: oscall
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas-skip
+  namespace: user-test
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas-skip-op
+  namespace: paas
+  labels:
+    account: test
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas-pass
+  namespace: paas
+  labels:
+    account: PZS0001
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas-fail
+  namespace: paas
+  labels:
+    account: PZS0002
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12