From e590728d1a6d34f6274c8b87f573dc8914c5128a Mon Sep 17 00:00:00 2001
From: Chris Nesbitt-Smith
Date: Thu, 12 May 2022 22:19:34 +0100
Subject: [PATCH] fix acount>account typo in department label/tag and add test cases (#6)
* fix acount>account typo in department label/tag and add test cases
* bump version
---
 .../require-known-department-label/pass2.tf | 20 +++++++++++++++++++
 .../policy.yaml | 2 +-
 kubernetes/kyverno/kustomization.yaml | 4 ++--
 .../require-department-label/fail0.yaml | 2 +-
 .../require-department-label/pass0.yaml | 2 +-
 .../require-department-label/policy.yaml | 2 +-
 .../require-department-label/skip0.yaml | 2 +-
 .../require-department-label/skip1.yaml | 2 +-
 .../require-known-department-label/fail0.yaml | 2 +-
 .../require-known-department-label/pass0.yaml | 2 +-
 .../require-known-department-label/pass1.yaml | 11 ++++++++++
 .../policy.yaml | 6 +++---
 .../require-known-department-label/skip0.yaml | 2 +-
 .../require-known-department-label/skip1.yaml | 2 +-
 .../require-known-department-label/test.yaml | 6 ++++++
 15 files changed, 52 insertions(+), 15 deletions(-)
 create mode 100644 infra/checkov/require-known-department-label/pass2.tf
 create mode 100644 kubernetes/kyverno/require-known-department-label/pass1.yaml
diff --git a/infra/checkov/require-known-department-label/pass2.tf b/infra/checkov/require-known-department-label/pass2.tf
new file mode 100644
index 000000000..1ff6a779d
--- /dev/null
+++ b/infra/checkov/require-known-department-label/pass2.tf
@@ -0,0 +1,20 @@
+resource "aws_s3_bucket" "b" {
+ bucket = "my-tf-test-bucket"
+ tags = {
+ mycompany.com.department = "accounts"
+ }
+}
+
+resource "aws_ami" "example" {
+ name = "terraform-example"
+ virtualization_type = "hvm"
+ root_device_name = "/dev/xvda"
+ tags = {
+ mycompany.com.department = "accounts"
+ }
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ snapshot_id = "snap-xxxxxxxx"
+ volume_size = 8
+ }
+}
\ No newline at end of file
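Review bot: The map keys `mycompany.com.department = "accounts"` in both `tags` blocks are unquoted, which Terraform's own HCL parser reads as an ambiguous attribute reference rather than a literal key containing periods; if this fixture is also meant to pass `terraform validate`, write `"mycompany.com.department" = "accounts"` (the existing pass fixtures are not in this patch, so I cannot tell whether Checkov's parser tolerates the bare form there). The new fixture only pins the corrected spelling; a companion fail fixture carrying the old value `acounts` would stop the typo from silently regressing, and the same gap applies to the Kyverno test.yaml hunk at the end of the patch, which registers pass1 but no misspelled fail case. The file is also added without a trailing newline.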
diff --git a/infra/checkov/require-known-department-label/policy.yaml b/infra/checkov/require-known-department-label/policy.yaml
index ad86d8e22..551c27dab 100644
--- a/infra/checkov/require-known-department-label/policy.yaml
+++ b/infra/checkov/require-known-department-label/policy.yaml
@@ -20,7 +20,7 @@ definition:
 resource_types: "all"
 attribute: 'tags.mycompany.com.department'
 operator: "equals"
- value: acounts
+ value: accounts
 - cond_type: "attribute"
 resource_types: "all"
 attribute: 'tags.mycompany.com.department'
diff --git a/kubernetes/kyverno/kustomization.yaml b/kubernetes/kyverno/kustomization.yaml
index ffc80269c..425911a87 100644
--- a/kubernetes/kyverno/kustomization.yaml
+++ b/kubernetes/kyverno/kustomization.yaml
@@ -1,10 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -nameSuffix: "-2.0.0" +nameSuffix: "-2.1.0" commonLabels: - mycompany.com/policy-version: "2.0.0" + mycompany.com/policy-version: "2.1.0" resources: - require-department-label/policy.yaml
diff --git a/kubernetes/kyverno/require-department-label/fail0.yaml b/kubernetes/kyverno/require-department-label/fail0.yaml
index a28943925..21a7c5bed 100644
--- a/kubernetes/kyverno/require-department-label/fail0.yaml
+++ b/kubernetes/kyverno/require-department-label/fail0.yaml
@@ -3,7 +3,7 @@ kind: Pod
 metadata:
 name: require-department-label-fail0
 labels:
- mycompany.com/policy-version: "2.0.0"
+ mycompany.com/policy-version: "2.1.0"
 spec:
 containers:
 - name: nginx
diff --git a/kubernetes/kyverno/require-department-label/pass0.yaml b/kubernetes/kyverno/require-department-label/pass0.yaml
index 780887632..c8ad48a34 100644
--- a/kubernetes/kyverno/require-department-label/pass0.yaml
+++ b/kubernetes/kyverno/require-department-label/pass0.yaml
@@ -4,7 +4,7 @@ metadata:
 name: require-department-label-pass0
 labels:
 mycompany.com/department: finance
- mycompany.com/policy-version: "2.0.0"
+ mycompany.com/policy-version: "2.1.0"
 spec:
 containers:
 - name: nginx
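Review bot: The allowed department values are now maintained in two places that drifted identically — this chain of `equals` conditions and the `tech|accounts|servicedesk|hr` alternation in the Kyverno policy later in the patch — and the same typo had to be corrected in both. A comment above the first condition, e.g. `# allowed departments; keep in sync with kubernetes/kyverno/require-known-department-label/policy.yaml`, would make the coupling visible to whoever adds the next department. The enclosing `definition:` block starts and ends outside the hunk.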
diff --git a/kubernetes/kyverno/require-department-label/policy.yaml b/kubernetes/kyverno/require-department-label/policy.yaml
index 854f87c49..425894010 100644
--- a/kubernetes/kyverno/require-department-label/policy.yaml
+++ b/kubernetes/kyverno/require-department-label/policy.yaml
@@ -39,7 +39,7 @@ spec:
 - "*"
 selector:
 matchLabels:
- mycompany.com/policy-version: "2.0.0"
+ mycompany.com/policy-version: "2.1.0"
 validate:
 message: "The label `mycompany.com/department` is required."
 pattern:
diff --git a/kubernetes/kyverno/require-department-label/skip0.yaml b/kubernetes/kyverno/require-department-label/skip0.yaml
index fac48c794..4910dd1e8 100644
--- a/kubernetes/kyverno/require-department-label/skip0.yaml
+++ b/kubernetes/kyverno/require-department-label/skip0.yaml
@@ -4,7 +4,7 @@ metadata:
 name: require-department-label-skip0
 labels:
 mycompany.com/require-department-label: exempt
- mycompany.com/policy-version: "2.0.0"
+ mycompany.com/policy-version: "2.1.0"
 spec:
 containers:
 - name: nginx
diff --git a/kubernetes/kyverno/require-department-label/skip1.yaml b/kubernetes/kyverno/require-department-label/skip1.yaml
index 3bfc68e43..17b90ec00 100644
--- a/kubernetes/kyverno/require-department-label/skip1.yaml
+++ b/kubernetes/kyverno/require-department-label/skip1.yaml
@@ -4,7 +4,7 @@ metadata:
 name: require-department-label-skip1
 namespace: kube-system
 labels:
- mycompany.com/policy-version: "2.0.0"
+ mycompany.com/policy-version: "2.1.0"
 spec:
 containers:
 - name: nginx
diff --git a/kubernetes/kyverno/require-known-department-label/fail0.yaml b/kubernetes/kyverno/require-known-department-label/fail0.yaml
index be3343b11..260aafef8 100644
--- a/kubernetes/kyverno/require-known-department-label/fail0.yaml
+++ b/kubernetes/kyverno/require-known-department-label/fail0.yaml
@@ -4,7 +4,7 @@ metadata:
 name: require-known-department-label-fail0
 labels:
 mycompany.com/department: nothr
- mycompany.com/policy-version: "2.0.0"
+ mycompany.com/policy-version: "2.1.0"
 spec:
 containers:
 - name: nginx
diff --git a/kubernetes/kyverno/require-known-department-label/pass0.yaml b/kubernetes/kyverno/require-known-department-label/pass0.yaml
index 0d4b3a952..e98987295 100644
--- a/kubernetes/kyverno/require-known-department-label/pass0.yaml
+++ b/kubernetes/kyverno/require-known-department-label/pass0.yaml
@@ -4,7 +4,7 @@ metadata:
 name: require-known-department-label-pass0
 labels:
 mycompany.com/department: hr
- mycompany.com/policy-version: "2.0.0"
+ mycompany.com/policy-version: "2.1.0"
 spec:
 containers:
 - name: nginx
diff --git a/kubernetes/kyverno/require-known-department-label/pass1.yaml b/kubernetes/kyverno/require-known-department-label/pass1.yaml
new file mode 100644
index 000000000..6aab33dae
--- /dev/null
+++ b/kubernetes/kyverno/require-known-department-label/pass1.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: require-known-department-label-pass1
+ labels:
+ mycompany.com/department: accounts
+ mycompany.com/policy-version: "2.1.0"
+spec:
+ containers:
+ - name: nginx
+ image: nginx
\ No newline at end of file
diff --git a/kubernetes/kyverno/require-known-department-label/policy.yaml b/kubernetes/kyverno/require-known-department-label/policy.yaml
index 7250255d6..da45e1536 100644
--- a/kubernetes/kyverno/require-known-department-label/policy.yaml
+++ b/kubernetes/kyverno/require-known-department-label/policy.yaml
@@ -39,10 +39,10 @@ spec:
 - "*"
 selector:
 matchLabels:
- mycompany.com/policy-version: "2.0.0"
+ mycompany.com/policy-version: "2.1.0"
 validate:
- message: "The label `mycompany.com/department` is required to be one of [tech|acounts|servicedesk|hr]"
+ message: "The label `mycompany.com/department` is required to be one of [tech|accounts|servicedesk|hr]"
 pattern:
 metadata:
 labels:
- "mycompany.com/department": "tech|acounts|servicedesk|hr"
\ No newline at end of file
+ "mycompany.com/department": "tech|accounts|servicedesk|hr"
\ No newline at end of file
diff --git a/kubernetes/kyverno/require-known-department-label/skip0.yaml b/kubernetes/kyverno/require-known-department-label/skip0.yaml
index 144aca96c..372121270 100644
--- a/kubernetes/kyverno/require-known-department-label/skip0.yaml
+++ b/kubernetes/kyverno/require-known-department-label/skip0.yaml
@@ -4,7 +4,7 @@ metadata:
 name: require-known-department-label-skip0
 labels:
 mycompany.com/require-known-department-label: exempt
- mycompany.com/policy-version: "2.0.0"
+ mycompany.com/policy-version: "2.1.0"
 spec:
 containers:
 - name: nginx
diff --git a/kubernetes/kyverno/require-known-department-label/skip1.yaml b/kubernetes/kyverno/require-known-department-label/skip1.yaml
index a42b2b257..3fb4bf4a3 100644
--- a/kubernetes/kyverno/require-known-department-label/skip1.yaml
+++ b/kubernetes/kyverno/require-known-department-label/skip1.yaml
@@ -4,7 +4,7 @@ metadata:
 name: require-known-department-label-skip1
 namespace: kube-system
 labels:
- mycompany.com/policy-version: "2.0.0"
+ mycompany.com/policy-version: "2.1.0"
 spec:
 containers:
 - name: nginx
diff --git a/kubernetes/kyverno/require-known-department-label/test.yaml b/kubernetes/kyverno/require-known-department-label/test.yaml
index 9c6c3a8a9..cdf780515 100644
--- a/kubernetes/kyverno/require-known-department-label/test.yaml
+++ b/kubernetes/kyverno/require-known-department-label/test.yaml
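Review bot: The `matchLabels` selector, which sits under what appears to be the rule's match block, means this rule only validates resources that opt in with `mycompany.com/policy-version: "2.1.0"`; a Pod that omits the label or still carries `"2.0.0"` is not evaluated at all, which is easy to mistake for cluster-wide enforcement of the department allow-list. If the versioned opt-in is intentional, a comment above `selector:` such as `# only resources labelled with this policy version are validated; unlabelled resources are not checked` would document it. The rewritten `"mycompany.com/department"` line is still written without a trailing newline, as the `\ No newline at end of file` marker on both sides of the hunk shows. The enclosing rule starts outside the hunk.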
@@ -6,6 +6,7 @@ policies:
 resources: - fail0.yaml - pass0.yaml +- pass1.yaml - skip0.yaml - skip1.yaml
@@ -20,6 +21,11 @@ results:
 resource: require-known-department-label-pass0
 kind: Pod
 result: pass
+- policy: require-known-department-label
+ rule: require-known-department-label
+ resource: require-known-department-label-pass1
+ kind: Pod
+ result: pass
 - policy: require-known-department-label
 rule: require-known-department-label
 resource: require-known-department-label-skip0