feat: add miscellaneous policies in CEL expressions - Part 2 (#1004)

* copy enforce-sidecar-injection-namespace

Signed-off-by: Chandan-DK <[email protected]>

* add kyverno tests for enforce-sidecar-injection-namespace

Signed-off-by: Chandan-DK <[email protected]>

* convert enforce-sidecar-injection-namespace

Signed-off-by: Chandan-DK <[email protected]>

* copy enforce-strict-mtls

Signed-off-by: Chandan-DK <[email protected]>

* add kyverno tests for enforce-strict-mtls

Signed-off-by: Chandan-DK <[email protected]>

* convert enforce-strict-mtls

Signed-off-by: Chandan-DK <[email protected]>

* copy enforce-tls-hosts-host-subnets

Signed-off-by: Chandan-DK <[email protected]>

* add kyverno tests for enforce-tls-hosts-host-subnets

Signed-off-by: Chandan-DK <[email protected]>

* convert enforce-tls-hosts-host-subnets

Signed-off-by: Chandan-DK <[email protected]>

* copy prevent-disabling-injection-pods

Signed-off-by: Chandan-DK <[email protected]>

* make corrections in chainsaw resources

Signed-off-by: Chandan-DK <[email protected]>

* add kyverno tests for prevent-disabling-injection-pods

Signed-off-by: Chandan-DK <[email protected]>

* convert prevent-disabling-injection-pods

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-virtual-service-wildcard

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-virtual-service-wildcard

Signed-off-by: Chandan-DK <[email protected]>

* add CI tests for istio-cel

Signed-off-by: Chandan-DK <[email protected]>

* copy require-kubecost-labels

Signed-off-by: Chandan-DK <[email protected]>

* correct chainsaw resource

Signed-off-by: Chandan-DK <[email protected]>

* convert require-kubecost-labels

Signed-off-by: Chandan-DK <[email protected]>

* correct chainsaw resource

Signed-off-by: Chandan-DK <[email protected]>

* copy  enforce-instancetype

Signed-off-by: Chandan-DK <[email protected]>

* convert enforce-instancetype

Signed-off-by: Chandan-DK <[email protected]>

* copy k10-data-protection-by-label

Signed-off-by: Chandan-DK <[email protected]>

* convert k10-data-protection-by-label

Signed-off-by: Chandan-DK <[email protected]>

* copy k10-hourly-rpo

Signed-off-by: Chandan-DK <[email protected]>

* convert k10-hourly-rpo

Signed-off-by: Chandan-DK <[email protected]>

* copy k10-validate-ns-by-preset-label

Signed-off-by: Chandan-DK <[email protected]>

* convert k10-validate-ns-by-preset-label

Signed-off-by: Chandan-DK <[email protected]>

* rename files for clarity

Signed-off-by: Chandan-DK <[email protected]>

* add CI tests for cel directories

Signed-off-by: Chandan-DK <[email protected]>

* remove cel policies due to issue
kyverno/kyverno#10313

Signed-off-by: Chandan-DK <[email protected]>

* add CREATE and UPDATE operations explicitly

Signed-off-by: Chandan-DK <[email protected]>

---------

Signed-off-by: Chandan-DK <[email protected]>
Co-authored-by: Mariam Fahmy <[email protected]>

.github/workflows/test.yml

@@ -44,9 +44,12 @@ jobs:
           - ^flux$
           - ^flux-cel$
           - ^istio$
+          - ^istio-cel$
           - ^karpenter$
           - ^kasten$
+          - ^kasten-cel$
           - ^kubecost$
+          - ^kubecost-cel$
           - ^kubeops$
           - ^kubevirt$
           - ^linkerd$

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,41 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: enforce-sidecar-injection-namespace
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../enforce-sidecar-injection-namespace.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: enforce-sidecar-injection-namespace
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ns-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ns-bad-disabled.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ns-bad-nolabel.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ns-bad-somelabel.yaml

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-disabled.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio-injection: disabled
+  name: bad-istio-sinj01

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-nolabel.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bad-istio-sinj03

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-somelabel.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    foo: enabled
+  name: bad-istio-sinj02

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-good.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio-injection: enabled
+  name: good-istio-sinj01
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    foo: disabled
+    istio-injection: enabled
+    bar: enabled
+  name: good-istio-sinj02

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-sidecar-injection-namespace
+status:
+  ready: true

istio-cel/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,28 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: enforce-sidecar-injection-namespace
+policies:
+- ../enforce-sidecar-injection-namespace.yaml
+resources:
+- ../.chainsaw-test/ns-bad-disabled.yaml
+- ../.chainsaw-test/ns-bad-nolabel.yaml
+- ../.chainsaw-test/ns-bad-somelabel.yaml
+- ../.chainsaw-test/ns-good.yaml
+results:
+- policy: enforce-sidecar-injection-namespace
+  rule: check-istio-injection-enabled
+  kind: Namespace
+  resources:
+  - bad-istio-sinj01
+  - bad-istio-sinj02
+  - bad-istio-sinj03
+  result: fail
+- policy: enforce-sidecar-injection-namespace
+  rule: check-istio-injection-enabled
+  kind: Namespace
+  resources:
+  - good-istio-sinj01
+  - good-istio-sinj02
+  result: pass
+

istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml

@@ -0,0 +1,24 @@
+name: enforce-sidecar-injection-namespace-cel
+version: 1.0.0
+displayName: Enforce Istio Sidecar Injection in CEL expressions
+description: >-
+  In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
+  ```
+keywords:
+  - kyverno
+  - Istio
+  - CEL Expressions
+readme: |
+  In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Istio in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Namespace"
+digest: 123feb2a8d1b2743e33b1f91ddf7291c47eedcf2c24ae537a1d3afe6c503338d
+createdAt: "2024-05-12T04:38:32Z"
+

istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml

@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-sidecar-injection-namespace
+  annotations:
+    policies.kyverno.io/title: Enforce Istio Sidecar Injection in CEL expressions
+    policies.kyverno.io/category: Istio in CEL 
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.11.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/subject: Namespace
+    policies.kyverno.io/description: >-
+      In order for Istio to inject sidecars to workloads deployed into Namespaces, the label
+      `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces
+      set `istio-inject` to `enabled`.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: check-istio-injection-enabled
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          operations:
+          - CREATE
+    validate:
+      cel:
+        expressions:
+          - expression: "has(object.metadata.labels) && 'istio-injection' in object.metadata.labels && object.metadata.labels['istio-injection'] == 'enabled'"
+            message: "All new Namespaces must have Istio sidecar injection enabled."
+

istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,33 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: enforce-strict-mtls
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../enforce-strict-mtls.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: enforce-strict-mtls
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+    - assert:
+        file: crd-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pa-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pa-bad.yaml

istio-cel/enforce-strict-mtls/.chainsaw-test/crd-assert.yaml

@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: peerauthentications.security.istio.io
+spec: {}
+status:
+  acceptedNames:
+    kind: PeerAuthentication
+    listKind: PeerAuthenticationList
+    plural: peerauthentications
+    singular: peerauthentication
+  storedVersions:
+  - v1beta1

istio-cel/enforce-strict-mtls/.chainsaw-test/pa-bad.yaml

@@ -0,0 +1,26 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: pa-bad01
+spec:
+  mtls:
+    mode: PERMISSIVE
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: pa-bad02
+spec:
+  mtls:
+    mode: DISABLE
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: pa-bad03
+spec:
+  selector:
+    matchLabels:
+      app: finance
+  mtls:
+    mode: DISABLE

istio-cel/enforce-strict-mtls/.chainsaw-test/pa-good.yaml

@@ -0,0 +1,39 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: good-pa01
+spec:
+  mtls:
+    mode: STRICT
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: good-pa02
+spec:
+  mtls:
+    mode: UNSET
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: good-pa03
+spec: {}
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: good-pa04
+spec:
+  selector:
+    matchLabels:
+      app: finance
+  mtls:
+    mode: STRICT
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: good-pa05
+spec:
+  mtls: {}

istio-cel/enforce-strict-mtls/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-strict-mtls
+status:
+  ready: true

istio-cel/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,29 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: enforce-strict-mtls
+policies:
+- ../enforce-strict-mtls.yaml
+resources:
+- ../.chainsaw-test/pa-bad.yaml
+- ../.chainsaw-test/pa-good.yaml
+results:
+- policy: enforce-strict-mtls
+  rule: validate-mtls
+  kind: PeerAuthentication
+  resources:
+  - pa-bad01
+  - pa-bad02
+  - pa-bad03
+  result: fail
+- policy: enforce-strict-mtls
+  rule: validate-mtls
+  kind: PeerAuthentication
+  resources:
+  - good-pa01
+  - good-pa02
+  - good-pa03
+  - good-pa04
+  - good-pa05
+  result: pass
+

istio-cel/enforce-strict-mtls/artifacthub-pkg.yml

@@ -0,0 +1,24 @@
+name: enforce-strict-mtls-cel
+version: 1.0.0
+displayName: Enforce Istio Strict mTLS in CEL expressions
+description: >-
+  Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS can reduce the security for traffic within that portion of the mesh and should be controlled. This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml
+  ```
+keywords:
+  - kyverno
+  - Istio
+  - CEL Expressions
+readme: |
+  Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS can reduce the security for traffic within that portion of the mesh and should be controlled. This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Istio in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "PeerAuthentication"
+digest: 6bf5af52d9187ac5b1b90879ab3975ea618b38d04928ceecd4779fc2b2e4b26a
+createdAt: "2024-05-12T04:41:47Z"
+