fuzz


Constants

This section is empty.

Variables

// Fuzz fixtures. Each *Policy variable below is the JSON encoding of a
// Kyverno ClusterPolicy with a single "match" on Pods, intended to be paired
// with a hand-written ShouldBlock oracle (see BypassChecker) so the fuzzer
// can compare the engine's verdict against the expected one.
//
// NOTE(review): every fixture uses apiVersion "kyvernov1.io/v1"; confirm this
// is the API group the harness expects rather than "kyverno.io/v1".
var (
	// Policies maps a numeric policy id to its BypassChecker. It is only
	// declared here; presumably InitFuzz populates it — confirm.
	Policies map[int]*BypassChecker

	// LatestImageTagPolicy carries two rules on Pods: "validate-tag" requires
	// every container image to match "*:*" (message: an image tag is
	// required), and "validate-latest" requires imagePullPolicy "Always" when
	// the image matches "*latest" (the "(image)" key is Kyverno's conditional
	// anchor syntax, so the second constraint presumably applies only to
	// images with a latest tag — confirm against the engine).
	LatestImageTagPolicy = []byte(`{
		"apiVersion": "kyvernov1.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		   "name": "latest-image-tag-policy"
		},
		"spec": {
		   "rules": [
			  {
				 "name": "validate-tag",
				 "match": {
					"resources": {
					   "kinds": [
						  "Pod"
					   ]
					}
				 },
				 "validate": {
					"message": "An image tag is required",
					"pattern": {
					   "spec": {
						  "containers": [
							 {
								"image": "*:*"
							 }
						  ]
					   }
					}
				 }
			  },
			  {
				 "name": "validate-latest",
				 "match": {
					"resources": {
					   "kinds": [
						  "Pod"
					   ]
					}
				 },
				 "validate": {
					"message": "If the image has 'latest' tag then imagePullPolicy must be 'Always'",
					"pattern": {
					   "spec": {
						  "containers": [
							 {
								"(image)": "*latest",
								"imagePullPolicy": "Always"
							 }
						  ]
					   }
					}
				 }
			  }
		   ]
		}
	 }
	`)

	// EqualityHostpathPolicy has one rule, "validate-host-path": for volumes
	// that carry a hostPath (the "=(hostPath)" equality anchor), "path" must
	// match "!/var/lib". NOTE(review): the message names '/var/lib/' with a
	// trailing slash while the pattern negates "/var/lib" without one —
	// confirm the intended match is the same in both.
	EqualityHostpathPolicy = []byte(`
	{
		"apiVersion": "kyvernov1.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		   "name": "equality-hostpath-policy"
		},
		"spec": {
		   "rules": [
			  {
				 "name": "validate-host-path",
				 "match": {
					"resources": {
					   "kinds": [
						  "Pod"
					   ]
					}
				 },
				 "validate": {
					"message": "Host path '/var/lib/' is not allowed",
					"pattern": {
					   "spec": {
						  "volumes": [
							 {
								"=(hostPath)": {
								   "path": "!/var/lib"
								}
							 }
						  ]
					   }
					}
				 }
			  }
		   ]
		}
	 }
	 `)
	// SecurityContextPolicy has one rule, "pod rule 2": when spec.securityContext
	// is present ("=(securityContext)"), runAsNonRoot must be true.
	SecurityContextPolicy = []byte(`{
		"apiVersion": "kyvernov1.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		   "name": "security-context-policy"
		},
		"spec": {
		   "rules": [
			  {
				 "name": "pod rule 2",
				 "match": {
					"resources": {
					   "kinds": [
						  "Pod"
					   ]
					}
				 },
				 "validate": {
					"message": "pod: validate run as non root user",
					"pattern": {
					   "spec": {
						  "=(securityContext)": {
							 "runAsNonRoot": true
						  }
					   }
					}
				 }
			  }
		   ]
		}
	 }`)

	// ContainerNamePolicy has one rule, "pod image rule": when spec.containers
	// is present ("=(containers)"), the container name must be "nginx". The
	// rule carries no "message".
	ContainerNamePolicy = []byte(`
	{
		"apiVersion": "kyvernov1.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		  "name": "container-name-policy"
		},
		"spec": {
		  "rules": [
			{
			  "name": "pod image rule",
			  "match": {
				"resources": {
				  "kinds": [
					"Pod"
				  ]
				}
			  },
			  "validate": {
				"pattern": {
				  "spec": {
					"=(containers)": [
					  {
						"name": "nginx"
					  }
					]
				  }
				}
			  }
			}
		  ]
		}
	  }`)

	// PodExistencePolicy is the same shape as ContainerNamePolicy but uses the
	// "^(containers)" existence anchor instead of the "=(...)" equality
	// anchor; the two differ only in that anchor character. Presumably paired
	// with ShouldBlockContainerNameExistenceAnchor — confirm.
	PodExistencePolicy = []byte(`
	{
		"apiVersion": "kyvernov1.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		  "name": "pod-existence-policy"
		},
		"spec": {
		  "rules": [
			{
			  "name": "pod image rule",
			  "match": {
				"resources": {
				  "kinds": [
					"Pod"
				  ]
				}
			  },
			  "validate": {
				"pattern": {
				  "spec": {
					"^(containers)": [
					  {
						"name": "nginx"
					  }
					]
				  }
				}
			  }
			}
		  ]
		}
	  }
		 `)

	// HostPathCannotExistPolicy has one rule, "validate-host-path": every
	// volume (name "*") must satisfy "X(hostPath)": null, i.e. no hostPath
	// volumes at all (message: host path is not allowed).
	HostPathCannotExistPolicy = []byte(`
	{
		"apiVersion": "kyvernov1.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		  "name": "host-path-cannot-exist-policy"
		},
		"spec": {
		  "rules": [
			{
			  "name": "validate-host-path",
			  "match": {
				"resources": {
				  "kinds": [
					"Pod"
				  ]
				}
			  },
			  "validate": {
				"message": "Host path is not allowed",
				"pattern": {
				  "spec": {
					"volumes": [
					  {
						"name": "*",
						"X(hostPath)": null
					  }
					]
				  }
				}
			  }
			}
		  ]
		}
	  }
	 `)
	// NamespaceCannotBeEmptyOrDefaultPolicy has one rule,
	// "check-default-namespace", expressed as an anyPattern: metadata.namespace
	// must match "?*" (non-empty) or "!default".
	NamespaceCannotBeEmptyOrDefaultPolicy = []byte(`
	{
		"apiVersion": "kyvernov1.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		   "name": "namespace-cannot-be-empty-or-default-policy"
		},
		"spec": {
		   "rules": [
			  {
				 "name": "check-default-namespace",
				 "match": {
					"resources": {
					   "kinds": [
						  "Pod"
					   ]
					}
				 },
				 "validate": {
					"message": "A namespace is required",
					"anyPattern": [
					   {
						  "metadata": {
							 "namespace": "?*"
						  }
					   },
					   {
						  "metadata": {
							 "namespace": "!default"
						  }
					   }
					]
				 }
			  }
		   ]
		}
	 }
	`)

	// HostnetworkAndPortNotAllowedPolicy has one rule,
	// "validate-host-network-port": spec.hostNetwork must be false and every
	// container's ports must have hostPort null.
	HostnetworkAndPortNotAllowedPolicy = []byte(`
	{
		"apiVersion": "kyvernov1.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		   "name": "hostnetwork-and-port-not-allowed-policy"
		},
		"spec": {
		   "rules": [
			  {
				 "name": "validate-host-network-port",
				 "match": {
					"resources": {
					   "kinds": [
						  "Pod"
					   ]
					}
				 },
				 "validate": {
					"message": "Host network and port are not allowed",
					"pattern": {
					   "spec": {
						  "hostNetwork": false,
						  "containers": [
							 {
								"name": "*",
								"ports": [
								   {
									  "hostPort": null
								   }
								]
							 }
						  ]
					   }
					}
				 }
			  }
		   ]
		}
	 }
	 `)

	// SupplementalGroupsShouldBeHigherThanZeroPolicy has one rule: when
	// spec.supplementalGroups is present ("=(supplementalGroups)"), its value
	// must satisfy ">0". NOTE(review): the rule name "pod rule 2" and the
	// message "pod: validate run as non root user" are copied from
	// SecurityContextPolicy and do not describe this check; harmless for the
	// fuzzer but misleading in any report that prints them.
	SupplementalGroupsShouldBeHigherThanZeroPolicy = []byte(`{
		"apiVersion": "kyvernov1.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		   "name": "supplemental-groups-should-be-higher-than-zero-policy"
		},
		"spec": {
		   "rules": [
			  {
				 "name": "pod rule 2",
				 "match": {
					"resources": {
					   "kinds": [
						  "Pod"
					   ]
					}
				 },
				 "validate": {
					"message": "pod: validate run as non root user",
					"pattern": {
					   "spec": {
						  "=(supplementalGroups)": ">0"
					   }
					}
				 }
			  }
		   ]
		}
	 }	 `)

	// SupplementalGroupsShouldBeBetween has one rule: when
	// spec.supplementalGroups is present, each value must satisfy
	// ">0 & <100001" (here the pattern is a one-element list, unlike the
	// scalar form in the policy above). Same copied rule name and message as
	// above. NOTE(review): this is the only fixture whose name lacks the
	// "Policy" suffix.
	SupplementalGroupsShouldBeBetween = []byte(`{
		"apiVersion": "kyvernov1.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		   "name": "supplemental-groups-should-be-between"
		},
		"spec": {
		   "rules": [
			  {
				 "name": "pod rule 2",
				 "match": {
					"resources": {
					   "kinds": [
						  "Pod"
					   ]
					}
				 },
				 "validate": {
					"message": "pod: validate run as non root user",
					"pattern": {
					   "spec": {
						"=(supplementalGroups)": [
							">0 & <100001"
						  ]
					   }
					}
				 }
			  }
		   ]
		}
	 }	 `)

	// ShouldHaveMoreMemoryThanFirstContainer has one rule: every container's
	// resources.requests.memory must satisfy the reference expression
	// "$(<=/spec/containers/0/resources/limits/memory)" (compared against the
	// first container's memory limit) and resources.limits.memory must be
	// "2048Mi". NOTE(review): the rule name "validate-host-network-port" and
	// the message "Host network and port are not allowed" are copied from
	// HostnetworkAndPortNotAllowedPolicy and do not describe this check.
	ShouldHaveMoreMemoryThanFirstContainer = []byte(`{
		"apiVersion": "kyvernov1.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		   "name": "should-have-more-memory-than-first-container"
		},
		"spec": {
		   "rules": [
				{
					"name": "validate-host-network-port",
					"match": {
						"resources": {
					   		"kinds": [
						  		"Pod"
					   		]
						}
				 	},
				 	"validate": {
						"message": "Host network and port are not allowed",
						"pattern": {
					   		"spec":{
								"containers":[
									{
										"name":"*",
										"resources":{
											"requests":{
												"memory":"$(<=/spec/containers/0/resources/limits/memory)"
											},
											"limits":{
												"memory":"2048Mi"
											}
										}
									}
								]
							}
						}
				 	}
			  	}
		   	]
		}
	}	 `)
)

Functions

func CreatePolicySpec

func CreatePolicySpec(ff *fuzz.ConsumeFuzzer) (kyvernov1.Spec, error)

func CreateUnstructuredObject

func CreateUnstructuredObject(f *fuzz.ConsumeFuzzer, typeToCreate string) (*unstructured.Unstructured, error)

CreateUnstructuredObject creates an unstructured Kubernetes object.

func GetK8sString

func GetK8sString(ff *fuzz.ConsumeFuzzer) (string, error)

func InitFuzz

func InitFuzz()

func ShouldBlockContainerName

func ShouldBlockContainerName(pod *corev1.Pod) (bool, error)

func ShouldBlockContainerNameExistenceAnchor

func ShouldBlockContainerNameExistenceAnchor(pod *corev1.Pod) (bool, error)

func ShouldBlockEquality

func ShouldBlockEquality(pod *corev1.Pod) (bool, error)

func ShouldBlockIfHostPathExists

func ShouldBlockIfHostPathExists(pod *corev1.Pod) (bool, error)

func ShouldBlockIfHostnetworkOrPortAreSpecified

func ShouldBlockIfHostnetworkOrPortAreSpecified(pod *corev1.Pod) (bool, error)

func ShouldBlockIfLessMemoryThanFirstContainer

func ShouldBlockIfLessMemoryThanFirstContainer(pod *corev1.Pod) (bool, error)

func ShouldBlockIfNamespaceIsEmptyOrDefault

func ShouldBlockIfNamespaceIsEmptyOrDefault(pod *corev1.Pod) (bool, error)

func ShouldBlockIfSupplementalGroupsExistAndAreLessThanZero

func ShouldBlockIfSupplementalGroupsExistAndAreLessThanZero(pod *corev1.Pod) (bool, error)

func ShouldBlockIfSupplementalGroupsExistAndIsNotBetween

func ShouldBlockIfSupplementalGroupsExistAndIsNotBetween(pod *corev1.Pod) (bool, error)

func ShouldBlockImageTag

func ShouldBlockImageTag(pod *corev1.Pod) (bool, error)

func ShouldBlockSecurityPolicy

func ShouldBlockSecurityPolicy(pod *corev1.Pod) (bool, error)

If there is a security policy, then RunAsNonRoot must be true.

Types

type BypassChecker

// BypassChecker pairs a Kyverno ClusterPolicy with a hand-written oracle that
// states whether the policy should block a given Pod. Presumably the fuzzer
// compares the engine's verdict on a fuzzed Pod against ShouldBlock to find
// policy bypasses — confirm against the harness.
type BypassChecker struct {
	// ResourceType names the Kubernetes kind the policy targets (every
	// fixture in this package matches "Pod").
	ResourceType  string
	// ShouldBlock is the expected verdict for a Pod; an error means the
	// oracle could not decide.
	ShouldBlock   func(*corev1.Pod) (bool, error)
	// ClusterPolicy is the parsed policy the oracle is checked against.
	ClusterPolicy *kyvernov1.ClusterPolicy
}

type DynamicFuzz

type DynamicFuzz struct {
	// contains filtered or unexported fields
}

func (DynamicFuzz) Resource

type FuzzIDiscovery

type FuzzIDiscovery struct {
	// contains filtered or unexported fields
}

func (FuzzIDiscovery) CachedDiscoveryInterface

func (fid FuzzIDiscovery) CachedDiscoveryInterface() discovery.CachedDiscoveryInterface

func (FuzzIDiscovery) FindResources

func (fid FuzzIDiscovery) FindResources(group, version, kind, subresource string) (map[dclient.TopLevelApiDescription]metav1.APIResource, error)

func (FuzzIDiscovery) GetGVKFromGVR

func (FuzzIDiscovery) GetGVRFromGVK

func (FuzzIDiscovery) OpenAPISchema

func (fid FuzzIDiscovery) OpenAPISchema() (*openapiv2.Document, error)

type FuzzInterface

type FuzzInterface struct {
	FF *fuzz.ConsumeFuzzer
}

func (FuzzInterface) ApplyResource

func (fi FuzzInterface) ApplyResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, obj interface{}, dryRun bool, fieldManager string, subresources ...string) (*unstructured.Unstructured, error)

func (FuzzInterface) ApplyStatusResource

func (fi FuzzInterface) ApplyStatusResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, obj interface{}, dryRun bool, fieldManager string) (*unstructured.Unstructured, error)

func (FuzzInterface) CreateResource

func (fi FuzzInterface) CreateResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error)

func (FuzzInterface) DeleteResource

func (fi FuzzInterface) DeleteResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, dryRun bool) error

func (FuzzInterface) Discovery

func (fi FuzzInterface) Discovery() dclient.IDiscovery

func (FuzzInterface) GetDynamicInterface

func (fi FuzzInterface) GetDynamicInterface() dynamic.Interface

func (FuzzInterface) GetEventsInterface

func (fi FuzzInterface) GetEventsInterface() eventsv1.EventsV1Interface

func (FuzzInterface) GetKubeClient

func (fi FuzzInterface) GetKubeClient() kubernetes.Interface

func (FuzzInterface) GetResource

func (fi FuzzInterface) GetResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, subresources ...string) (*unstructured.Unstructured, error)

func (FuzzInterface) ListResource

func (fi FuzzInterface) ListResource(ctx context.Context, apiVersion string, kind string, namespace string, lselector *metav1.LabelSelector) (*unstructured.UnstructuredList, error)

func (FuzzInterface) PatchResource

func (fi FuzzInterface) PatchResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, patch []byte) (*unstructured.Unstructured, error)

func (FuzzInterface) RawAbsPath

func (fi FuzzInterface) RawAbsPath(ctx context.Context, path string, method string, dataReader io.Reader) ([]byte, error)

func (FuzzInterface) SetDiscovery

func (fi FuzzInterface) SetDiscovery(discoveryClient dclient.IDiscovery)

func (FuzzInterface) UpdateResource

func (fi FuzzInterface) UpdateResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool, subresources ...string) (*unstructured.Unstructured, error)

func (FuzzInterface) UpdateStatusResource

func (fi FuzzInterface) UpdateStatusResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error)

type FuzzNamespaceableResource

type FuzzNamespaceableResource struct {
	// contains filtered or unexported fields
}

func (FuzzNamespaceableResource) Apply

func (FuzzNamespaceableResource) ApplyStatus

func (FuzzNamespaceableResource) Create

func (FuzzNamespaceableResource) Delete

func (fr FuzzNamespaceableResource) Delete(ctx context.Context, name string, options metav1.DeleteOptions, subresources ...string) error

func (FuzzNamespaceableResource) DeleteCollection

func (fr FuzzNamespaceableResource) DeleteCollection(ctx context.Context, options metav1.DeleteOptions, listOptions metav1.ListOptions) error

func (FuzzNamespaceableResource) Get

func (fr FuzzNamespaceableResource) Get(ctx context.Context, name string, options metav1.GetOptions, subresources ...string) (*unstructured.Unstructured, error)

func (FuzzNamespaceableResource) List

func (FuzzNamespaceableResource) Namespace

func (FuzzNamespaceableResource) Patch

func (fr FuzzNamespaceableResource) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, options metav1.PatchOptions, subresources ...string) (*unstructured.Unstructured, error)

func (FuzzNamespaceableResource) Update

func (FuzzNamespaceableResource) UpdateStatus

func (FuzzNamespaceableResource) Watch

type FuzzResource

type FuzzResource struct {
	// contains filtered or unexported fields
}

func (FuzzResource) Apply

func (fr FuzzResource) Apply(ctx context.Context, name string, obj *unstructured.Unstructured, options metav1.ApplyOptions, subresources ...string) (*unstructured.Unstructured, error)

func (FuzzResource) ApplyStatus

func (FuzzResource) Create

func (fr FuzzResource) Create(ctx context.Context, obj *unstructured.Unstructured, options metav1.CreateOptions, subresources ...string) (*unstructured.Unstructured, error)

func (FuzzResource) Delete

func (fr FuzzResource) Delete(ctx context.Context, name string, options metav1.DeleteOptions, subresources ...string) error

func (FuzzResource) DeleteCollection

func (fr FuzzResource) DeleteCollection(ctx context.Context, options metav1.DeleteOptions, listOptions metav1.ListOptions) error

func (FuzzResource) Get

func (fr FuzzResource) Get(ctx context.Context, name string, options metav1.GetOptions, subresources ...string) (*unstructured.Unstructured, error)

func (FuzzResource) List

func (FuzzResource) Patch

func (fr FuzzResource) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, options metav1.PatchOptions, subresources ...string) (*unstructured.Unstructured, error)

func (FuzzResource) Update

func (fr FuzzResource) Update(ctx context.Context, obj *unstructured.Unstructured, options metav1.UpdateOptions, subresources ...string) (*unstructured.Unstructured, error)

func (FuzzResource) UpdateStatus

func (FuzzResource) Watch
