From bee6e4d1cb63cb0855f02a619e88ba6753a059a7 Mon Sep 17 00:00:00 2001
From: Darkhood148
Date: Wed, 22 Jan 2025 07:57:59 +0530
Subject: [PATCH 1/2] Adds policy and artifacthub-pkg.yml
Signed-off-by: Darkhood148
---
 .../artifacthub-pkg.yml | 19 +++++
 ...ount-volumes-for-ephemeral-containers.yaml | 75 +++++++++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 other/mount-volumes-for-ephemeral-containers/artifacthub-pkg.yml
 create mode 100644 other/mount-volumes-for-ephemeral-containers/mount-volumes-for-ephemeral-containers.yaml
diff --git a/other/mount-volumes-for-ephemeral-containers/artifacthub-pkg.yml b/other/mount-volumes-for-ephemeral-containers/artifacthub-pkg.yml
new file mode 100644
index 000000000..e4def4985
--- /dev/null
+++ b/other/mount-volumes-for-ephemeral-containers/artifacthub-pkg.yml
@@ -0,0 +1,19 @@
+name: mount-volumes-for-ephemeral-containers
+version: 1.0.0
+displayName: Mount volumes for ephemeral containers
+createdAt: "2025-01-22T00:00:00.000Z"
+description: >-
+ Mount volumes and set default security context for ephemeral containers
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/mount-volumes-for-ephemeral-containers/mount-volumes-for-ephemeral-containers.yaml
+keywords:
+ - kyverno
+ - other
+readme: |
+ This Kyverno policy adds a temporary volume to debug Pods, enforces read-only filesystems for ephemeral containers, and mounts the volume at /tmp.
+annotations:
+ kyverno/category: "Sample"
+ kyverno/kubernetesVersion: "1.23"
+ kyverno/subject: "Pod"
+digest: ff08e4dc69d074870c5cdb4d052967c7c0ef5668
diff --git a/other/mount-volumes-for-ephemeral-containers/mount-volumes-for-ephemeral-containers.yaml b/other/mount-volumes-for-ephemeral-containers/mount-volumes-for-ephemeral-containers.yaml
new file mode 100644
index 000000000..14dc5efed
--- /dev/null
+++ b/other/mount-volumes-for-ephemeral-containers/mount-volumes-for-ephemeral-containers.yaml
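Review bot: The readme line `This Kyverno policy adds a temporary volume to debug Pods, enforces read-only filesystems for ephemeral containers, ...` overstates the guarantee: the policy's second rule uses the `+(securityContext)` / `+(readOnlyRootFilesystem)` add-if-absent anchors, so an ephemeral container that explicitly sets `readOnlyRootFilesystem: false` is left as is, and only Pods in the `default` namespace are matched at all. Word it as a default rather than an enforcement, e.g. `... sets readOnlyRootFilesystem: true on ephemeral containers that do not already set it, and mounts the volume at /tmp.`, which also matches the `description` field's "set default security context". The `install` block opens a ```shell fence but never closes it; if the other packages in this repository close the fence, add the closing line so the rendered snippet does not run into whatever follows.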
@@ -0,0 +1,75 @@
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mount-volumes-for-ephemeral-containers
+spec:
+ background: false
+ rules:
+ - name: add-volume-to-debug-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - default
+ selector:
+ matchLabels:
+ ephemeral-debug: "true"
+ operations:
+ - CREATE
+ mutate:
+ patchStrategicMerge:
+ spec:
+ volumes:
+ - name: ephemeralcontainer-tmp-tcpdump-volume
+ emptyDir:
+ sizeLimit: 1G
+ - name: mutate-ephemeralcontainers-readonlyrootfilesystem
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - default
+ preconditions:
+ all:
+ - key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
+ operator: GreaterThanOrEquals
+ value: 1
+ mutate:
+ foreach:
+ - list: "request.object.spec.ephemeralContainers[]"
+ patchStrategicMerge:
+ spec:
+ ephemeralContainers:
+ - name: "{{ element.name }}"
+ +(securityContext):
+ +(readOnlyRootFilesystem): true
+ - name: add-volumemount
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - default
+ preconditions:
+ all:
+ - key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
+ operator: GreaterThanOrEquals
+ value: 1
+ - key: "{{ request.object.spec.ephemeralContainers[].volumeMounts[?name=='ephemeralcontainer-tmp-tcpdump-volume'] | `[]` | length(@) }}"
+ operator: LessThan
+ value: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
+ mutate:
+ foreach:
+ - list: "request.object.spec.ephemeralContainers"
+ patchStrategicMerge:
+ spec:
+ ephemeralContainers:
+ - name: "{{ element.name }}"
+ volumeMounts:
+ - mountPath: /tmp
+ name: ephemeralcontainer-tmp-tcpdump-volume
From dc2c5f08a057932a919bb4956d6cc6a0502764b5 Mon Sep 17 00:00:00 2001
From: Darkhood148
Date: Thu, 23 Jan 2025 16:25:47 +0530
Subject: [PATCH 2/2] Adds chainsaw tests
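Review bot: The rules `mutate-ephemeralcontainers-readonlyrootfilesystem` and `add-volumemount` match every Pod in the `default` namespace with no label selector and no operation filter, while the volume `ephemeralcontainer-tmp-tcpdump-volume` is only added by `add-volume-to-debug-pod` on CREATE of Pods labelled `ephemeral-debug: "true"`; for any other Pod in `default`, `add-volumemount` injects a volumeMount that references a volume the Pod does not have, which Pod validation rejects, so adding an ephemeral container to those Pods would presumably fail. Put the same `selector:` / `matchLabels:` / `ephemeral-debug: "true"` block under `resources` in both rules (or a precondition on the label) so all three rules act on the same set of Pods. The second precondition of `add-volumemount` pipes into a literal, `... | `[]` | length(@)`, which always evaluates to 0 whatever mounts exist, so the `LessThan` check filters nothing; it looks like it was meant to be `||` as in the keys above it. Minor: `apiVersion : kyverno.io/v1` has a space before the colon, which yamllint flags; write `apiVersion: kyverno.io/v1`.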
Signed-off-by: Darkhood148
---
 .../.chainsaw-test/chainsaw-test.yaml | 55 +++++++++++++++++++
 .../.chainsaw-test/pods.yaml | 12 ++++
 .../.chainsaw-test/policy-ready.yaml | 9 +++
 3 files changed, 76 insertions(+)
 create mode 100644 other/mount-volumes-for-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 other/mount-volumes-for-ephemeral-containers/.chainsaw-test/pods.yaml
 create mode 100644 other/mount-volumes-for-ephemeral-containers/.chainsaw-test/policy-ready.yaml
diff --git a/other/mount-volumes-for-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml b/other/mount-volumes-for-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..c9ef92731
--- /dev/null
+++ b/other/mount-volumes-for-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,55 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: mount-volumes-for-ephemeral-containers
+spec:
+ timeouts:
+ cleanup: 60s
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../mount-volumes-for-ephemeral-containers.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pods.yaml
+ - assert:
+ resource:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: pod1
+ namespace: default
+ labels:
+ ephemeral-debug: "true"
+ spec:
+ (volumes[?name == 'ephemeralcontainer-tmp-tcpdump-volume']):
+ - emptyDir:
+ sizeLimit: 1G
+ - name: step-03
+ try:
+ - script:
+ content: kubectl debug -it pod1 --image=busybox:1.35 --target=busybox --attach=false -c pod1-dbg
+ - name: step-04
+ try:
+ - assert:
+ resource:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: pod1
+ namespace: default
+ labels:
+ ephemeral-debug: "true"
+ spec:
+ ephemeralContainers:
+ - name: pod1-dbg
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /tmp
+ name: ephemeralcontainer-tmp-tcpdump-volume
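Review bot: The test only exercises the labelled Pod `pod1`, so it never checks what the policy does to a Pod in `default` that lacks the `ephemeral-debug` label, which is exactly where the `add-volumemount` rule would reference a volume that was never added. Add a second fixture Pod without the label to `pods.yaml` and a step that runs the same `kubectl debug` against it and asserts the ephemeral container is created, so a regression in rule scoping is caught rather than only the happy path. Minor: `creationTimestamp: null` under `metadata` is scaffolding output and can be dropped.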
diff --git a/other/mount-volumes-for-ephemeral-containers/.chainsaw-test/pods.yaml b/other/mount-volumes-for-ephemeral-containers/.chainsaw-test/pods.yaml
new file mode 100644
index 000000000..a0ef66d44
--- /dev/null
+++ b/other/mount-volumes-for-ephemeral-containers/.chainsaw-test/pods.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod1
+ namespace: default
+ labels:
+ ephemeral-debug: "true"
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ command: ["sh", "-c", "while true; do sleep 3600; done"]
diff --git a/other/mount-volumes-for-ephemeral-containers/.chainsaw-test/policy-ready.yaml b/other/mount-volumes-for-ephemeral-containers/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..13194e535
--- /dev/null
+++ b/other/mount-volumes-for-ephemeral-containers/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mount-volumes-for-ephemeral-containers
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready