add new policy for machine config modification (#2879)
* add new policy for machine config modification * reformat yaml * revise api group logic
Showing
18 changed files
with
226 additions
and
84 deletions.
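--- a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-machine-config-deny.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-machine-config-deny.yaml
@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: ARODenyMachineConfig
+metadata:
+name: aro-deny-cluster-machine-config-modification
+spec:
+enforcementAction: {{.Enforcement}}
+match:
+kinds:
+- apiGroups: ["machineconfiguration.openshift.io"]
+kinds: ["MachineConfig"]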
13 changes: 0 additions & 13 deletions
13
...operator/controllers/guardrails/policies/gkconstraints/aro-pull-secret-deletion-deny.yaml
This file was deleted.
24 changes: 0 additions & 24 deletions
24
...ator/controllers/guardrails/policies/gktemplates-src/aro-deny-delete/aro-deny-delete.tmpl
This file was deleted.
8 changes: 0 additions & 8 deletions
8
pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-delete/src.rego
This file was deleted.
1 change: 0 additions & 1 deletion
1
pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-delete/src_test.rego
This file was deleted.
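--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/aro-deny-machine-config.tmpl
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/aro-deny-machine-config.tmpl
@@ -0,0 +1,17 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+name: arodenymachineconfig
+annotations:
+description: >-
+Do not allow modification of cluster's machine config objects
+machine config regex match: ^.+(-master|-worker|-master-.+|-worker-.+|-kubelet|-container-runtime|-aro-.+|-ssh|-generated-.+)$
+spec:
+crd:
+spec:
+names:
+kind: ARODenyMachineConfig
+targets:
+- target: admission.k8s.gatekeeper.sh
+rego: |
+{{ file.Read "gktemplates-src/aro-deny-machine-config/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}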
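Review bot: The regex on the `machine config regex match:` line of the description annotation is a hand-maintained copy of the pattern in src.rego, which this template pulls in through file.Read, so the documented pattern and the enforced one will drift silently the first time the rule is tuned. Either describe the protected names in words in the annotation and leave the literal pattern to the rego, or add `# NOTE: keep in sync with the description annotation in aro-deny-machine-config.tmpl` above the regex.match line in src.rego so whoever edits one is pointed at the other.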
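--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/allow_create_custom_machine_config.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/allow_create_custom_machine_config.yaml
@@ -0,0 +1,14 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+uid: d700ab7f-8f42-45ff-83f5-782c739806d9
+operation: CREATE
+userInfo:
+username: kube-review
+uid: 45884572-1cab-49e5-be4c-1d2eb0299776
+object:
+kind: MachineConfig
+apiVersion: machineconfiguration.openshift.io/v1
+metadata:
+name: new-custom-mc
+dryRun: true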
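--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/allow_delete_custom_machine_config.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/allow_delete_custom_machine_config.yaml
@@ -0,0 +1,14 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+uid: d700ab7f-8f42-45ff-83f5-782c739806d9
+operation: DELETE
+userInfo:
+username: kube-review
+uid: 45884572-1cab-49e5-be4c-1d2eb0299776
+oldObject:
+kind: MachineConfig
+apiVersion: machineconfiguration.openshift.io/v1
+metadata:
+name: new-custom-mc
+dryRun: true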
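--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/not_allow_create_cluster_machine_config.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/not_allow_create_cluster_machine_config.yaml
@@ -0,0 +1,14 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+uid: d700ab7f-8f42-45ff-83f5-782c739806d9
+operation: CREATE
+userInfo:
+username: kube-review
+uid: 45884572-1cab-49e5-be4c-1d2eb0299776
+object:
+kind: MachineConfig
+apiVersion: machineconfiguration.openshift.io/v1
+metadata:
+name: 00-master
+dryRun: true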
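--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/not_allow_delete_cluster_machine_config.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/not_allow_delete_cluster_machine_config.yaml
@@ -0,0 +1,14 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+uid: d700ab7f-8f42-45ff-83f5-782c739806d9
+operation: DELETE
+userInfo:
+username: kube-review
+uid: 45884572-1cab-49e5-be4c-1d2eb0299776
+oldObject:
+kind: MachineConfig
+apiVersion: machineconfiguration.openshift.io/v1
+metadata:
+name: 99-worker-aro-dns
+dryRun: true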
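--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/not_allow_update_cluster_machine_config.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/gator-test/not_allow_update_cluster_machine_config.yaml
@@ -0,0 +1,19 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+uid: d700ab7f-8f42-45ff-83f5-782c739806d9
+operation: UPDATE
+userInfo:
+username: kube-review
+uid: 45884572-1cab-49e5-be4c-1d2eb0299776
+object:
+kind: MachineConfig
+apiVersion: machineconfiguration.openshift.io/v1
+metadata:
+name: 99-worker-generated-crio-fake
+oldObject:
+kind: MachineConfig
+apiVersion: machineconfiguration.openshift.io/v1
+metadata:
+name: 99-worker-generated-crio-seccomp-use-default
+dryRun: true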
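Review bot: This UPDATE fixture gives object and oldObject different metadata.name values (99-worker-generated-crio-fake versus 99-worker-generated-crio-seccomp-use-default), and the API server never admits a name change on update, so the request shape cannot occur in practice; the case passes only because the rule inspects object alone. Use the same name on both sides, e.g. `name: 99-worker-generated-crio-seccomp-use-default` under object too, so the fixture exercises a real update and stays valid if the rule is later changed to compare old and new.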
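--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src.rego
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src.rego
@@ -0,0 +1,9 @@
+package arodenymachineconfig
+import future.keywords.in
+
+violation[{"msg": msg}] {
+input.review.operation in ["CREATE", "UPDATE", "DELETE"]
+name := input.review.object.metadata.name
+regex.match("^.+(-master|-worker|-master-.+|-worker-.+|-kubelet|-container-runtime|-aro-.+|-ssh|-generated-.+)$", name)
+msg := "Modify cluster machine config is not allowed"
+}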
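Review bot: The rule takes the name only from `input.review.object.metadata.name`, but an admission request for DELETE carries the resource in oldObject — the commit's own fixture not_allow_delete_cluster_machine_config.yaml has no object key — so whether a DELETE is denied depends on the webhook copying oldObject into object before evaluation, which nothing on this page shows. A form that does not rely on that reads whichever side is present: replace the name line with `name := object_name` and add the two rules `object_name = input.review.object.metadata.name` and `object_name = input.review.oldObject.metadata.name { not input.review.object.metadata.name }`. The unit tests in src_test.rego do not cover this gap, because fake_machine_config_input_review always puts the name under object, even for the DELETE case. Separately, the rule keys on operation and name only, and the rendered MachineConfigs the machine-config-operator writes itself (rendered-master-…, rendered-worker-…) match `-master-.+`/`-worker-.+`; unless the webhook configuration exempts the operator's service account, a deny enforcement would block those writes, so either confirm that exemption exists or check `input.review.userInfo` here and document which identities are allowed.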
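--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src_test.rego
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src_test.rego
@@ -0,0 +1,57 @@
+package arodenymachineconfig
+
+
+test_input_not_allowed_with_master_keyword {
+input := {
+"review": fake_machine_config_input_review("01-master-kubelet", "UPDATE")
+}
+results := violation with input as input
+count(results) == 1
+}
+
+test_input_not_allowed_with_worker_keyword {
+input := {
+"review": fake_machine_config_input_review("99-worker-generated-registries", "CREATE")
+}
+results := violation with input as input
+count(results) == 1
+}
+
+test_input_not_allowed_with_aro_keyword {
+input := {
+"review": fake_machine_config_input_review("99-worker-aro-dns", "DELETE")
+}
+results := violation with input as input
+count(results) == 1
+
+}
+
+test_input_allowed_with_custom_name {
+input := {
+"review": fake_machine_config_input_review("new-customer-dns", "CREATE")
+}
+results := violation with input as input
+count(results) == 0
+}
+
+test_input_allowed_with_read_operation {
+input := {
+"review": fake_machine_config_input_review("99-worker-generated-registries", "GET")
+}
+results := violation with input as input
+count(results) == 0
+}
+
+fake_machine_config_input_review(name, operation) = review {
+review = {
+"operation": operation,
+"kind": {
+"kind": "MachineConfig"
+},
+"object": {
+"metadata": {
+"name": name
+}
+}
+}
+}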
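--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/suite.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/suite.yaml
@@ -0,0 +1,29 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+name: deny-cluster-machineconfig-modification
+tests:
+- name: deny-cluster-machineconfig-modification-tests
+template: ../../gktemplates/aro-deny-machine-config.yaml
+constraint: ../../gkconstraints-test/aro-machine-config-deny.yaml
+cases:
+- name: not-allow-create-cluster-machine-config
+object: gator-test/not_allow_create_cluster_machine_config.yaml
+assertions:
+- violations: yes
+- name: not-allow-delete-cluster-machine-config
+object: gator-test/not_allow_delete_cluster_machine_config.yaml
+assertions:
+- violations: yes
+- name: not-allow-update-cluster-machine-config
+object: gator-test/not_allow_update_cluster_machine_config.yaml
+assertions:
+- violations: yes
+- name: allow-create-custom-machine-config
+object: gator-test/allow_create_custom_machine_config.yaml
+assertions:
+- violations: no
+- name: allow-delete-custom-machine-config
+object: gator-test/allow_delete_custom_machine_config.yaml
+assertions:
+- violations: no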
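Review bot: The constraint line points at `../../gkconstraints-test/aro-machine-config-deny.yaml`, while the constraint this commit adds lives under gkconstraints/ and carries a templated `enforcementAction: {{.Enforcement}}` that gator cannot load as-is. Presumably gkconstraints-test holds a rendered copy with a fixed enforcement action produced by the policy build, but nothing in the commit adds or mentions it; if that is the case, a comment such as `# gkconstraints-test/ is rendered from gkconstraints/ with enforcementAction fixed for gator` on the constraint line would keep the next reader from looking for a missing file, and if it is not, the suite references a file that does not exist.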
|
@@ -40,6 +40,3 @@ request: | |
operator: Exists | ||
effect: NoSchedule | ||
status: {} | ||
options: | ||
kind: CreateOptions | ||
apiVersion: meta.k8s.io/v1 |
31 changes: 0 additions & 31 deletions
31
pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-delete.yaml
This file was deleted.
25 changes: 25 additions & 0 deletions
25
pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml
@@ -0,0 +1,25 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: arodenymachineconfig | ||
annotations: | ||
description: >- | ||
Do not allow modification of cluster's machine config objects | ||
machine config regex match: ^.+(-master|-worker|-master-.+|-worker-.+|-kubelet|-container-runtime|-aro-.+|-ssh|-generated-.+)$ | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: ARODenyMachineConfig | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
rego: | | ||
package arodenymachineconfig | ||
import future.keywords.in | ||
violation[{"msg": msg}] { | ||
input.review.operation in ["CREATE", "UPDATE", "DELETE"] | ||
name := input.review.object.metadata.name | ||
regex.match("^.+(-master|-worker|-master-.+|-worker-.+|-kubelet|-container-runtime|-aro-.+|-ssh|-generated-.+)$", name) | ||
msg := "Modify cluster machine config is not allowed" | ||
} |