Last active
February 16, 2024 01:55
-
-
Save BobyMCbobs/0af3c38eaf3a902c83aa5bb40dc42768 to your computer and use it in GitHub Desktop.
Chainsaw test attempt for Knative with test Secure Defaults
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based off of | |
| # https://github.com/knative/serving/blob/main/test/e2e/securedefaults/secure_pod_defaults_test.go | |
| # - this is best scoped around a single resource to modify and test | |
| # - modifying the environment, such as through knative configmaps, doesn't seem to work for reverting the change on cleanup | |
| # - securedefault is an alpha feature so mileage may vary but this was a simple looking test to attempt | |
| --- | |
| apiVersion: chainsaw.kyverno.io/v1alpha1 | |
| kind: Test | |
| metadata: | |
| name: securedefaults | |
| spec: | |
| steps: | |
| - try: | |
| - apply: | |
| resource: | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: config-features | |
| namespace: knative-serving | |
| data: | |
| secure-pod-defaults: "enabled" | |
| - apply: | |
| resource: | |
| apiVersion: serving.knative.dev/v1 | |
| kind: Service | |
| metadata: | |
| name: securedefaults | |
| spec: | |
| template: | |
| spec: | |
| containers: | |
| - image: ghcr.io/knative/helloworld-go:latest | |
| env: | |
| - name: TARGET | |
| value: "Go Sample v1" | |
| - assert: | |
| resource: | |
| apiVersion: serving.knative.dev/v1 | |
| kind: Service | |
| metadata: | |
| name: securedefaults | |
| spec: | |
| template: | |
| spec: | |
| containers: | |
| - image: ghcr.io/knative/helloworld-go:latest | |
| name: user-container | |
| securityContext: | |
| capabilities: | |
| drop: | |
| - ALL | |
| runAsNonRoot: true | |
| allowPrivilegeEscalation: false | |
| seccompProfile: | |
| type: RuntimeDefault | |
| env: | |
| - name: TARGET | |
| value: "Go Sample v1" | |
| - apply: | |
| resource: | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: config-features | |
| namespace: knative-serving | |
| data: | |
| secure-pod-defaults: # undo Knative Serving config doesn't work | |
| - try: | |
| - apply: | |
| resource: | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: config-features | |
| namespace: knative-serving | |
| data: | |
| secure-pod-defaults: "enabled" | |
| - apply: | |
| resource: | |
| apiVersion: serving.knative.dev/v1 | |
| kind: Service | |
| metadata: | |
| name: unsafe-permitted | |
| spec: | |
| template: | |
| spec: | |
| containers: | |
| - image: ghcr.io/knative/helloworld-go:latest | |
| securityContext: | |
| capabilities: | |
| drop: [] | |
| runAsNonRoot: false | |
| allowPrivilegeEscalation: true | |
| seccompProfile: | |
| type: Unconfined | |
| env: | |
| - name: TARGET | |
| value: "Go Sample v1" | |
| - assert: | |
| resource: | |
| apiVersion: serving.knative.dev/v1 | |
| kind: Service | |
| metadata: | |
| name: unsafe-permitted | |
| spec: | |
| template: | |
| spec: | |
| containers: | |
| - image: ghcr.io/knative/helloworld-go:latest | |
| name: user-container | |
| securityContext: | |
| capabilities: | |
| drop: | |
| - ALL | |
| runAsNonRoot: true | |
| allowPrivilegeEscalation: false | |
| seccompProfile: | |
| type: RuntimeDefault | |
| env: | |
| - name: TARGET | |
| value: "Go Sample v1" | |
| - apply: | |
| resource: | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: config-features | |
| namespace: knative-serving | |
| data: | |
| secure-pod-defaults: # undo Knative Serving config doesn't work |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| cat << EOF | kind create cluster --config - | |
| --- | |
| apiVersion: kind.x-k8s.io/v1alpha4 | |
| kind: Cluster | |
| nodes: | |
| - role: control-plane | |
| image: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245 | |
| extraPortMappings: | |
| - containerPort: 31080 | |
| listenAddress: 0.0.0.0 | |
| hostPort: 80 | |
| - containerPort: 31443 | |
| listenAddress: 0.0.0.0 | |
| hostPort: 443 | |
| EOF | |
| kubectl --context kind-kind apply -f https://github.com/knative/serving/releases/download/knative-v1.13.0/serving-crds.yaml | |
| kubectl --context kind-kind apply -f https://github.com/knative/serving/releases/download/knative-v1.13.0/serving-core.yaml | |
| kubectl --context kind-kind apply -f https://github.com/knative/net-kourier/releases/download/knative-v1.13.0/kourier.yaml | |
| kubectl --context kind-kind patch configmap/config-network \ | |
| --namespace knative-serving \ | |
| --type merge \ | |
| --patch '{"data":{"ingress-class":"kourier.ingress.networking.knative.dev"}}' | |
| kubectl --context kind-kind -n knative-serving patch cm config-domain -p '{"data":{"127.0.0.1.sslip.io": ""}}' | |
| kubectl --context kind-kind -n kourier-system patch svc kourier -p '{"spec":{"ports":[{"name":"http2","port":80,"nodePort":31080}]}}' | |
| kubectl --context kind-kind apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.1/cert-manager.yaml |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment