kubewarden / kubewarden-end-to-end-tests

Files used to run Kubewarden end-to-end tests
https://kubewarden.io
Apache License 2.0

Check audit scanner namespaced and clusterwide reports. #67

Closed jvanz closed 1 year ago

jvanz commented 1 year ago

Description

Adds tests to install all the required resources, trigger the audit scanner and check if the generated reports for the default namespace and clusterwide resources are right.

Fix https://github.com/kubewarden/kubewarden-controller/issues/478

Test

make KUBEWARDEN_CHARTS_LOCATION=<path to latest helm chart version> clean cluster install audit-scanner.bats
jvanz commented 1 year ago

LGTM, but I would like to expand it so we have a pass and a fail test for both clusterwide scans and namespaced scans.

We already have pass and failure for the namespaced scans. However, afaics, there is no policy that targets cluster-wide resources and rejects requests. We have only the PSA label enforcer policy, which mutates the request. It does not block it.

jvanz commented 1 year ago

@kubewarden/kubewarden-developers be aware that I've added tests to check if the audit scanner is generating metrics.

viccuad commented 1 year ago

We already have pass and failure for the namespaced scans. However, afaics, there is no policy that targets cluster-wide resources and rejects requests. We have only the PSA label enforcer policy, which mutates the request. It does not block it.

We could deploy a safe-labels policy, that rejects if there's a label present, and that targets a clusterwide resource. For example:

apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  annotations:
    io.kubewarden.policy.category: Resource validation
    io.kubewarden.policy.severity: low
  name: safe-labels
spec:
  module: registry://ghcr.io/kubewarden/policies/safe-labels:v0.1.13
  settings:
    denied_labels:
      - cost-center
  mode: monitor
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - "v1"
      resources:
        - "PersistentVolume" # changed from *
      operations:
        - CREATE
        - UPDATE
  mutating: false
  backgroundAudit: true # changed
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: example-pv
  labels:
    cost-center: "123"
spec:
  capacity:
    storage: 1M
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Delete
  storageClassName: local-storage
  local:
    path: /mnt/disks/ssd1
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: NotIn
              values:
                - example-node

(or simpler, a labelled namespace)

viccuad commented 1 year ago

Edited my previous comment; note that the apiGroups and apiVersions must also not be *.
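An added example, not code from this repo or from the Kubewarden project: a small Python model of what the two comments above rely on, the safe-labels verdict for the example PV and a check that a ClusterAdmissionPolicy can be evaluated by the audit scanner (backgroundAudit true, no `*` in apiGroups, apiVersions or resources). The policy and PV are re-typed as dicts; matching on Kind rather than the plural resource name is an assumption taken from the comment's YAML.

```python
import copy

def audit_scanner_lint(policy):
    """Reasons the audit scanner cannot evaluate a policy in the background;
    mirrors the '# changed' edits above: backgroundAudit true, no '*' rules."""
    problems = []
    spec = policy["spec"]
    if not spec.get("backgroundAudit", False):
        problems.append("backgroundAudit is not true")
    for i, rule in enumerate(spec.get("rules", [])):
        for field in ("apiGroups", "apiVersions", "resources"):
            if "*" in rule.get(field, []):
                problems.append(f"rules[{i}].{field} uses '*'")
    return problems

def rule_matches(policy, resource):
    """True when a rule selects the object. The comment's policy lists the
    Kind under 'resources', so Kind is compared here (an assumption)."""
    group, _, version = resource["apiVersion"].rpartition("/")
    return any(group in r["apiGroups"] and version in r["apiVersions"]
               and resource["kind"] in r["resources"]
               for r in policy["spec"]["rules"])

def safe_labels_verdict(policy, resource):
    """Report result for one object: 'skip' when no rule selects it,
    'fail' when it carries a denied label, otherwise 'pass'."""
    if not rule_matches(policy, resource):
        return "skip"
    denied = set(policy["spec"]["settings"]["denied_labels"])
    labels = resource.get("metadata", {}).get("labels", {})
    return "fail" if denied & set(labels) else "pass"

def with_wildcards(policy):
    """The 'before' shape (wildcard rules, no background audit) for the lint."""
    p = copy.deepcopy(policy)
    p["spec"]["backgroundAudit"] = False
    p["spec"]["rules"][0].update(apiGroups=["*"], apiVersions=["*"], resources=["*"])
    return p

# Constructed inputs mirroring the two YAML documents in the comment.
SAFE_LABELS_POLICY = {
    "apiVersion": "policies.kubewarden.io/v1", "kind": "ClusterAdmissionPolicy",
    "metadata": {"name": "safe-labels"},
    "spec": {"settings": {"denied_labels": ["cost-center"]}, "mode": "monitor",
             "mutating": False, "backgroundAudit": True,
             "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                        "resources": ["PersistentVolume"], "operations": ["CREATE", "UPDATE"]}]}}
EXAMPLE_PV = {"apiVersion": "v1", "kind": "PersistentVolume",
              "metadata": {"name": "example-pv", "labels": {"cost-center": "123"}}}
```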

jvanz commented 1 year ago

@viccuad you're right. I was distracted and missed how to properly test this. Sorry.

I've updated the tests, adding a new resource and policy that will cause a failed evaluation.