add new policy for machine config modification (#2879)

* add new policy for machine config modification
* reformat yaml
* revise api group logic

pkg/operator/controllers/guardrails/policies/gkconstraints/aro-machine-config-deny.yaml

@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: ARODenyMachineConfig
+metadata:
+  name: aro-deny-cluster-machine-config-modification
+spec:
+  enforcementAction: {{.Enforcement}}
+  match:
+    kinds:
+      - apiGroups: ["machineconfiguration.openshift.io"]
+        kinds: ["MachineConfig"]

pkg/operator/controllers/guardrails/policies/gkconstraints/aro-priv-ns-operations.yaml

@@ -18,12 +18,12 @@ spec:
         "PersistentVolumeClaim"
         ]
       - apiGroups: ["apps"]
-        kinds: ["Deployment","ReplicaSet", "StatefulSet", "DaemonSet"]
+        kinds: ["Deployment", "ReplicaSet", "StatefulSet", "DaemonSet"]
       - groups: ["batch"]
-        kinds: ["Job","CronJob"]
+        kinds: ["Job", "CronJob"]
       - groups: ["rbac.authorization.k8s.io"]
-        kinds: ["Role","RoleBinding","ClusterRole","ClusterRoleBinding"]
+        kinds: ["Role", "RoleBinding", "ClusterRole", "ClusterRoleBinding"]
       - groups: ["policy"]
-        kinds: ["PodSecurityPolicy","PodDisruptionBudget"]
+        kinds: ["PodSecurityPolicy", "PodDisruptionBudget"]
       - groups: ["apiextensions"]
         kinds: ["CustomResourceDefinition"]

pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/aro-deny-machine-config.tmpl

@@ -0,0 +1,17 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: arodenymachineconfig
+  annotations:
+    description: >-
+      Do not allow modification of cluster's machine config objects
+      machine config regex match: ^.+(-master|-worker|-master-.+|-worker-.+|-kubelet|-container-runtime|-aro-.+|-ssh|-generated-.+)$
+spec:
+  crd:
+    spec:
+      names:
+        kind: ARODenyMachineConfig
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+{{ file.Read "gktemplates-src/aro-deny-machine-config/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}

pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/allow_create_custom_machine_config.yaml

@@ -0,0 +1,14 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+  uid: d700ab7f-8f42-45ff-83f5-782c739806d9
+  operation: CREATE
+  userInfo:
+    username: kube-review
+    uid: 45884572-1cab-49e5-be4c-1d2eb0299776
+  object:
+    kind: MachineConfig
+    apiVersion: machineconfiguration.openshift.io/v1
+    metadata:
+      name: new-custom-mc
+  dryRun: true

pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/allow_delete_custom_machine_config.yaml

@@ -0,0 +1,14 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+  uid: d700ab7f-8f42-45ff-83f5-782c739806d9
+  operation: DELETE
+  userInfo:
+    username: kube-review
+    uid: 45884572-1cab-49e5-be4c-1d2eb0299776
+  oldObject:
+    kind: MachineConfig
+    apiVersion: machineconfiguration.openshift.io/v1
+    metadata:
+      name: new-custom-mc
+  dryRun: true

pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/not_allow_create_cluster_machine_config.yaml

@@ -0,0 +1,14 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+  uid: d700ab7f-8f42-45ff-83f5-782c739806d9
+  operation: CREATE
+  userInfo:
+    username: kube-review
+    uid: 45884572-1cab-49e5-be4c-1d2eb0299776
+  object:
+    kind: MachineConfig
+    apiVersion: machineconfiguration.openshift.io/v1
+    metadata:
+      name: 00-master
+  dryRun: true

pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/not_allow_delete_cluster_machine_config.yaml

@@ -0,0 +1,14 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+  uid: d700ab7f-8f42-45ff-83f5-782c739806d9
+  operation: DELETE
+  userInfo:
+    username: kube-review
+    uid: 45884572-1cab-49e5-be4c-1d2eb0299776
+  oldObject:
+    kind: MachineConfig
+    apiVersion: machineconfiguration.openshift.io/v1
+    metadata:
+      name: 99-worker-aro-dns
+  dryRun: true

pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/not_allow_update_cluster_machine_config.yaml

@@ -0,0 +1,19 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+  uid: d700ab7f-8f42-45ff-83f5-782c739806d9
+  operation: UPDATE
+  userInfo:
+    username: kube-review
+    uid: 45884572-1cab-49e5-be4c-1d2eb0299776
+  object:
+    kind: MachineConfig
+    apiVersion: machineconfiguration.openshift.io/v1
+    metadata:
+      name: 99-worker-generated-crio-fake
+  oldObject:
+    kind: MachineConfig
+    apiVersion: machineconfiguration.openshift.io/v1
+    metadata:
+      name: 99-worker-generated-crio-seccomp-use-default
+  dryRun: true

pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src.rego

@@ -0,0 +1,9 @@
+package arodenymachineconfig
+import future.keywords.in
+
+violation[{"msg": msg}] {
+    input.review.operation in ["CREATE", "UPDATE", "DELETE"]
+    name := input.review.object.metadata.name
+    regex.match("^.+(-master|-worker|-master-.+|-worker-.+|-kubelet|-container-runtime|-aro-.+|-ssh|-generated-.+)$", name)
+    msg := "Modify cluster machine config is not allowed"
+}

pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src_test.rego

@@ -0,0 +1,57 @@
+package arodenymachineconfig
+
+
+test_input_not_allowed_with_master_keyword {
+    input := { 
+        "review": fake_machine_config_input_review("01-master-kubelet", "UPDATE")
+    }
+    results := violation with input as input
+    count(results) == 1
+}
+
+test_input_not_allowed_with_worker_keyword {
+    input := { 
+        "review": fake_machine_config_input_review("99-worker-generated-registries", "CREATE")
+    }
+    results := violation with input as input
+    count(results) == 1
+}
+
+test_input_not_allowed_with_aro_keyword {
+    input := { 
+        "review": fake_machine_config_input_review("99-worker-aro-dns", "DELETE")
+    }
+    results := violation with input as input
+    count(results) == 1
+
+}
+
+test_input_allowed_with_custom_name {
+    input := { 
+        "review": fake_machine_config_input_review("new-customer-dns", "CREATE")
+    }
+    results := violation with input as input
+    count(results) == 0
+}
+
+test_input_allowed_with_read_operation {
+    input := { 
+        "review": fake_machine_config_input_review("99-worker-generated-registries", "GET")
+    }
+    results := violation with input as input
+    count(results) == 0
+}
+
+fake_machine_config_input_review(name, operation) = review {
+    review = {
+        "operation": operation,
+        "kind": {
+            "kind": "MachineConfig"
+        },
+        "object": {
+            "metadata": {
+                "name": name
+            }
+        }
+    }
+}

pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/suite.yaml

@@ -0,0 +1,29 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: deny-cluster-machineconfig-modification
+tests:
+- name: deny-cluster-machineconfig-modification-tests
+  template: ../../gktemplates/aro-deny-machine-config.yaml
+  constraint: ../../gkconstraints-test/aro-machine-config-deny.yaml
+  cases:
+  - name: not-allow-create-cluster-machine-config
+    object: gator-test/not_allow_create_cluster_machine_config.yaml
+    assertions:
+    - violations: yes
+  - name: not-allow-delete-cluster-machine-config
+    object: gator-test/not_allow_delete_cluster_machine_config.yaml
+    assertions:
+    - violations: yes
+  - name: not-allow-update-cluster-machine-config
+    object: gator-test/not_allow_update_cluster_machine_config.yaml
+    assertions:
+    - violations: yes
+  - name: allow-create-custom-machine-config
+    object: gator-test/allow_create_custom_machine_config.yaml
+    assertions:
+    - violations: no
+  - name: allow-delete-custom-machine-config
+    object: gator-test/allow_delete_custom_machine_config.yaml
+    assertions:
+    - violations: no

pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/gator-test/allowed_delete_pod_in_non_privileged_ns.yaml

@@ -40,6 +40,3 @@ request:
         operator: Exists
         effect: NoSchedule
     status: {}
-  options:
-    kind: CreateOptions
-    apiVersion: meta.k8s.io/v1

pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml

@@ -0,0 +1,25 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: arodenymachineconfig
+  annotations:
+    description: >-
+      Do not allow modification of cluster's machine config objects
+      machine config regex match: ^.+(-master|-worker|-master-.+|-worker-.+|-kubelet|-container-runtime|-aro-.+|-ssh|-generated-.+)$
+spec:
+  crd:
+    spec:
+      names:
+        kind: ARODenyMachineConfig
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package arodenymachineconfig
+        import future.keywords.in
+
+        violation[{"msg": msg}] {
+            input.review.operation in ["CREATE", "UPDATE", "DELETE"]
+            name := input.review.object.metadata.name
+            regex.match("^.+(-master|-worker|-master-.+|-worker-.+|-kubelet|-container-runtime|-aro-.+|-ssh|-generated-.+)$", name)
+            msg := "Modify cluster machine config is not allowed"
+        }