gator test - mutations
Describe the solution you'd like:
gator test, when run with mutating policies (Assign etc.), should output the mutated resources, to then be able to test them against validation policies. Otherwise it is hard to test manifests in code repositories against the validation policies. You can only test the mutated manifests from the clusters!
Anything else you would like to add:
Environment:
- Gatekeeper version: 3.12
- Kubernetes version (use kubectl version): NA
Maybe gator expand is the command to use for this, but no luck:
[ptolani@Pankajs-MacBook-Pro-Work test ]$ gator expand --filename mutation-policies/ --filename test1/ --format yaml --outputfile results.yaml
Writing output to file: results.yaml
[ptolani@Pankajs-MacBook-Pro-Work test ]$ cat results.yaml
(empty)
[ptolani@Pankajs-MacBook-Pro-Work test ]$ cat mutation-policies/mutations-restricted.yaml
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: k8spspdefaultallowprivilegeescalation
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
    namespaceSelector:
      matchExpressions:
        - key: profile
          operator: In
          values:
            - restricted-2023
    scope: Namespaced
  location: "spec.containers[name:*].securityContext.allowPrivilegeEscalation"
  parameters:
    pathTests:
      - subPath: "spec.containers[name:*].securityContext.allowPrivilegeEscalation"
        condition: MustNotExist
    assign:
      value: false
---
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: k8spspdefaultallowprivilegeescalation-init
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
    namespaceSelector:
      matchExpressions:
        - key: profile
          operator: In
          values:
            - restricted-2023
  location: "spec.initContainers[name:*].securityContext.allowPrivilegeEscalation"
  parameters:
    pathTests:
      - subPath: "spec.initContainers[name:*].securityContext.allowPrivilegeEscalation"
        condition: MustNotExist
    assign:
      value: false
---
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: k8spspdefaultallowprivilegeescalation-ephemeral
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
    namespaceSelector:
      matchExpressions:
        - key: profile
          operator: In
          values:
            - restricted-2023
  location: "spec.ephemeralContainers[name:*].securityContext.allowPrivilegeEscalation"
  parameters:
    pathTests:
      - subPath: "spec.ephemeralContainers[name:*].securityContext.allowPrivilegeEscalation"
        condition: MustNotExist
    assign:
      value: false
---
---
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: AssignMetadata
metadata:
  name: k8spspseccomp
spec:
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaceSelector:
      matchExpressions:
        - key: profile
          operator: In
          values:
            - restricted-2023
  location: metadata.annotations."seccomp.security.alpha.kubernetes.io/pod"
  parameters:
    assign:
      value: runtime/default
---
---
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: k8spspsupplementalgroups
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "Pod" ]
    namespaceSelector:
      matchExpressions:
        - key: profile
          operator: In
          values:
            - restricted-2023
  location: "spec.securityContext.supplementalGroups"
  parameters:
    pathTests:
      - subPath: "spec.securityContext.supplementalGroups"
        condition: MustNotExist
    assign:
      value: [1]
---
---
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: k8spspcapabilities
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "Pod" ]
    namespaceSelector:
      matchExpressions:
        - key: profile
          operator: In
          values:
            - restricted-2023
  location: "spec.containers[name:*].securityContext.capabilities.drop"
  parameters:
    assign:
      value: ["ALL"] # default add capability
---
---
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: k8spspfsgroup
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "Pod" ]
    namespaceSelector:
      matchExpressions:
        - key: profile
          operator: In
          values:
            - restricted-2023
  location: "spec.securityContext.fsGroup"
  parameters:
    pathTests:
      - subPath: "spec.securityContext.fsGroup"
        condition: MustNotExist
    assign:
      value: 1
---
---
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: k8spsprunasnonroot
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "Pod" ]
    namespaceSelector:
      matchExpressions:
        - key: profile
          operator: In
          values:
            - restricted-2023
  location: "spec.containers[name:*].securityContext.runAsNonRoot"
  parameters:
    pathTests:
      - subPath: "spec.containers[name:*].securityContext.runAsNonRoot"
        condition: MustNotExist
    assign:
      value: true
---
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: k8spsprunasnonroot-init
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "Pod" ]
    namespaceSelector:
      matchExpressions:
        - key: profile
          operator: In
          values:
            - restricted-2023
  location: "spec.initContainers[name:*].securityContext.runAsNonRoot"
  parameters:
    pathTests:
      - subPath: "spec.initContainers[name:*].securityContext.runAsNonRoot"
        condition: MustNotExist
    assign:
      value: true
---
---
[ptolani@Pankajs-MacBook-Pro-Work test ]$ cat test1/pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod
  namespace: perftest-restricted-1
  labels:
    app: nginx
spec:
  containers:
    - image: myimage
      name: nginx
      command:
        - sleep
        - 'infinity'
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
  securityContext:
    fsGroup: 1
    supplementalGroups:
      - 1
  restartPolicy: Always
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    profile: restricted-2023
  name: perftest-restricted-1
[ptolani@Pankajs-MacBook-Pro-Work test ]$ cat test1/bad-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: perftest-restricted-2
  labels:
    app: nginx
spec:
  containers:
    - image: myimage
      name: nginx
      command:
        - sleep
        - 'infinity'
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        runAsNonRoot: true
  securityContext:
    fsGroup: 1
    supplementalGroups:
      - 1
  restartPolicy: Always
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    profile: restricted-2023
  name: perftest-restricted-2
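As an added example (not gator's or Gatekeeper's own code), the script below re-implements just enough of the Assign/AssignMetadata location semantics used by the mutators in this issue to produce the mutated Pod offline, which is what the request asks gator test to emit. It assumes the Pod already matches the mutators' namespaceSelector, that each pathTest is evaluated per addressed element (all the mutators above set subPath equal to location), and it runs on a constructed two-container Pod rather than the files from the issue.

```python
# Added example, not Gatekeeper's or gator's own code: a minimal re-implementation of the
# Assign/AssignMetadata location semantics used above, producing the mutated Pod offline.
import copy
import re
# location grammar as used above: dotted keys, "quoted.keys" and list filters [name:*]
SEG = re.compile(r'"([^"]*)"|([^".\[\]]+)(?:\[([^:\]]+):([^\]]+)\])?')

def parse_location(loc):
    """'a.b[name:*].c' -> [('key','a'), ('key','b'), ('list','name','*'), ('key','c')]"""
    return [s for q, k, lk, lv in SEG.findall(loc)
            for s in [('key', q or k)] + ([('list', lk, lv)] if lk else [])]

def resolve(node, segs, create):
    """(parent, key) pairs for segs; create=True adds missing maps, a [k:*] filter never creates items."""
    kind, *args = segs[0]
    if kind == 'list':
        return [t for item in node if args[1] == '*' or item.get(args[0]) == args[1]
                for t in resolve(item, segs[1:], create)]
    key = args[0]
    if len(segs) == 1:
        return [(node, key)]
    if key not in node and not create:
        return []
    node.setdefault(key, [] if segs[1][0] == 'list' else {})
    return resolve(node[key], segs[1:], create)

def mutate(obj, mutators):
    """Mutated copy; assumes each pathTest is checked per addressed element (subPath == location)."""
    out = copy.deepcopy(obj)
    for m in mutators:
        tests = (['MustNotExist'] if m['kind'] == 'AssignMetadata'  # metadata only adds
                 else [t['condition'] for t in m.get('pathTests', [])])
        for parent, key in resolve(out, parse_location(m['location']), True):
            if any((c == 'MustNotExist') == (key in parent) for c in tests):
                continue  # pathTest fails for this element: leave its value alone
            parent[key] = copy.deepcopy(m['value'])
    return out

MUTATORS = [  # constructed: the issue's mutators reduced to the fields that matter
  {'kind': 'Assign', 'value': False, 'pathTests': [{'condition': 'MustNotExist'}],
   'location': 'spec.containers[name:*].securityContext.allowPrivilegeEscalation'},
  {'kind': 'Assign', 'value': ['ALL'],  # no pathTests: an existing drop list is replaced
   'location': 'spec.containers[name:*].securityContext.capabilities.drop'},
  {'kind': 'AssignMetadata', 'value': 'runtime/default',
   'location': 'metadata.annotations."seccomp.security.alpha.kubernetes.io/pod"'},
]
POD = {  # constructed: "app" relies on the defaults, "sidecar" explicitly opts in to escalation
  'apiVersion': 'v1', 'kind': 'Pod', 'metadata': {'name': 'demo'}, 'spec': {'containers': [
    {'name': 'app', 'image': 'myimage'},
    {'name': 'sidecar', 'image': 'myimage', 'securityContext': {
      'allowPrivilegeEscalation': True, 'capabilities': {'drop': ['NET_RAW']}}}]}}
```

Because of MustNotExist, the sidecar keeps its explicit allowPrivilegeEscalation: true, so the mutators alone do not enforce the restricted profile; the mutated output still has to be run through the validation constraints, which is exactly why having gator emit it matters.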
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
Looks like this request has enough votes. Can we leave this open? @maxsmythe et al.?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
not stale
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.