Merge branch 'main' into addPodSecurityBaselineChainsawTest

.github/actions/run-tests/action.yaml

@@ -0,0 +1,16 @@
+name: "Runs E2E Tests"
+description: "Runs E2E tests using chainsaw"
+inputs:
+  tests:
+    description: "Test regex"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Install Chainsaw
+      uses: kyverno/action-install-chainsaw@5d00c353f61f44f3b492c673420202d1b1374c3f # v0.2.6
+    - name: Test with Chainsaw
+      shell: bash
+      run: |
+        set -e
+        chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --no-color=false

.github/actions/setup-env/action.yaml

@@ -0,0 +1,51 @@
+name: "Setup Environment for E2E Tests"
+description: "Sets up the environment for the E2E workflows"
+inputs:
+  k8s-version:
+    description: "Kubernetes version"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Go
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      with:
+        go-version: ~1.21.1
+    - name: Install Tools
+      shell: bash
+      run: |
+        set -e
+        curl -LO "https://dl.k8s.io/release/${{ inputs.k8s-version }}/bin/linux/amd64/kubectl"
+        sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+    - name: Install kind
+      shell: bash
+      run: |
+        set -e
+        # For AMD64 / x86_64
+        [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
+        # For ARM64
+        [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64
+        chmod +x ./kind
+        sudo mv ./kind /usr/local/bin/kind
+    - name: Install latest Kyverno CLI
+      uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0
+    - name: Create kind cluster
+      shell: bash
+      run: |
+        set -e
+        kind create cluster --image kindest/node:${{ inputs.k8s-version }} --config ./.github/kind.yml
+    - name: Install latest kyverno
+      shell: bash
+      run: |
+        set -e
+        kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
+    - name: Wait for kyverno ready
+      shell: bash
+      run: |
+        set -e
+        kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
+    - name: Install CRDs
+      shell: bash
+      run: |
+        set -e
+        kubectl apply -f ./.chainsaw/crds

.github/kind.yml

@@ -1,5 +1,7 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+  ProcMountType: true
 kubeadmConfigPatches:
   - |-
     kind: ClusterConfiguration

.github/workflows/cel-test.yml

@@ -0,0 +1,65 @@
+name: E2E Tests - CEL
+
+permissions: {}
+
+on:
+  workflow_dispatch: {}
+  pull_request:
+    branches:
+      - 'main'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  chainsaw:
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version:
+          - name: v1.25
+            version: v1.25.16
+          - name: v1.26
+            version: v1.26.14
+          - name: v1.27
+            version: v1.27.11
+          - name: v1.28
+            version: v1.28.7
+          - name: v1.29
+            version: v1.29.2
+        tests:
+          - ^argo-cel$
+          - ^aws-cel$
+          - ^best-practices-cel$
+          - ^consul-cel$
+          - ^flux-cel$
+          - ^istio-cel$
+          - ^kasten-cel$
+          - ^kubecost-cel$
+          - ^linkerd-cel$
+          - ^nginx-ingress-cel$
+          - ^openshift-cel$
+          - ^other-cel$/^a
+          - ^other-cel$/^[b-d]
+          - ^other-cel$/^[e-l]
+          - ^other-cel$/^[m-q]
+          - ^other-cel$/^re[c-q]
+          - ^other-cel$/^res
+          - ^other-cel$/^[s-z]
+          - ^pod-security-cel$
+          - ^psa-cel$
+          - ^traefik-cel$
+    runs-on: ubuntu-latest
+    name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Setup Environment
+        uses: ./.github/actions/setup-env
+        with:
+          k8s-version: ${{ matrix.k8s-version.version }}
+      - name: Run CEL Tests
+        uses: ./.github/actions/run-tests
+        with:
+          tests: ${{ matrix.tests }}

.github/workflows/check-actions.yaml

@@ -16,9 +16,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@76d1d8e0b075d7190b5d59b86da91c7bdbcc99b2 # v3.0.7
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b88cd0aad2c36a63e42c71f81cb1958fed95ac87 # v3.0.10
         with:
           allowlist: |
             kyverno/chainsaw

.github/workflows/ci.yml

@@ -23,7 +23,7 @@ jobs:
       options: --user root
     steps:
       - name: Checkout code
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           path: policies
       - name: Run ah lint
@@ -33,21 +33,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           path: policies
       - name: Validate all policies
         run: ./.hack/verify-files-structure.sh
         working-directory: policies
       - name: Clone Kyverno
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: kyverno/kyverno
           path: kyverno
           # The target branch of a pull request or the branch/tag of a push
           ref: ${{ github.base_ref || github.ref_name }}
       - name: Set up Go 
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ~1.21.1
       - name: Test Policy
@@ -58,18 +58,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           path: policies
       - name: Checkout Kyverno
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: kyverno/kyverno
           path: kyverno
           # The target branch of a pull request or the branch/tag of a push
           ref: ${{ github.base_ref || github.ref_name }}
       - name: Set up Go 
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ~1.21.1
       - name: Lint policies

.github/workflows/test.yml

@@ -32,7 +32,6 @@ jobs:
           - ^argo$
           - ^aws$
           - ^best-practices$
-          - ^best-practices-cel$
           - ^castai$
           - ^cert-manager$
           - ^cleanup$
@@ -49,73 +48,28 @@ jobs:
           - ^nginx-ingress$
           - ^openshift$
           - ^other$/^a
-          - ^other-cel$/^a
           - ^other$/^[b-d]
-          - ^other-cel$/^[b-d]
           - ^other$/^[e-l]
-          - ^other-cel$/^[e-l]
           - ^other$/^[m-q]
-          - ^other-cel$/^[m-q]
           - ^other$/^re[c-q]
-          - ^other-cel$/^re[c-q]
           - ^other$/^res
-          - ^other-cel$/^res
           - ^other$/^[s-z]
-          - ^other-cel$/^res
           - ^pod-security$
-          - ^pod-security-cel$
           - ^psa$
           - ^psp-migration$
-          # - ^tekton
-          # - ^traefik
-          # - ^velero
+          - ^tekton$
+          - ^traefik$
+          - ^velero$
     runs-on: ubuntu-latest
     name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
     steps:
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-      - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Setup Environment
+        uses: ./.github/actions/setup-env
         with:
-          go-version: ~1.21.1
-      - name: Install Tools
-        run: |
-          set -e
-          curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl"
-          sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
-      - name: Install kind
-        shell: bash
-        run: |
-          set -e
-          # For AMD64 / x86_64
-          [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
-          # For ARM64
-          [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64
-          chmod +x ./kind
-          sudo mv ./kind /usr/local/bin/kind
-      - name: Install latest Kyverno CLI
-        uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0
-      - name: Create kind cluster
-        run: |
-          set -e
-          kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml
-      - name: Install latest kyverno
-        run: |
-          set -e
-          kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
-      - name: Wait for kyverno ready
-        run: |
-          set -e
-          kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
-      - name: Install CRDs
-        run: |
-          set -e
-          kubectl apply -f ./.chainsaw/crds
-      - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
-      - name: Test with Chainsaw
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          set -e
-          chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ matrix.tests }}' --no-color=false
+          k8s-version: ${{ matrix.k8s-version.version }}
+      - name: Run Tests
+        uses: ./.github/actions/run-tests
+        with:
+          tests: ${{ matrix.tests }}

argo-cel/application-field-validation/.chainsaw-test/README.md

@@ -0,0 +1,15 @@
+## Description
+
+This is an automated test of the sample policy in this directory.
+
+## Expected Behavior
+
+A policy report should be generated in which the following results are observed:
+
+* `badapp01` fails for the rule `source-path-chart` and passes for the rule `destination-server-name`
+* `badapp02` fails for the rule `destination-server-name` and passes for the rule `source-path-chart`
+* `goodapp01` passes for both rules
+
+## Reference Issue(s)
+
+N/A

argo-cel/application-field-validation/.chainsaw-test/bad-application.yaml

@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: badapp01
+  namespace: default
+spec:
+  project: foo
+  source:
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+    targetRevision: HEAD
+    path: guestbook
+    chart: foo
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: guestbook
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: badapp02
+  namespace: default
+spec:
+  project: bar
+  source:
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+    targetRevision: HEAD
+    path: guestbook
+  destination:
+    server: https://kubernetes.default.svc
+    name: foobar
+    namespace: guestbook

argo-cel/application-field-validation/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,35 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: application-field-validation
+spec:
+  steps:
+  - name: step-01
+    try:
+    - assert:
+        file: crd-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ../application-field-validation.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: application-field-validation
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: good-application.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-application.yaml