From afeef59a972cd6a07adfa5ebc3ce422395a589f0 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Tue, 14 May 2024 19:08:01 -0400
Subject: [PATCH 01/10] add policy
Signed-off-by: Boris 'B' Kurktchiev
---
 ...lusteradmin-rolebindings-gcp-2024-003.yaml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
new file mode 100644
index 000000000..5fa5bbdc9
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-clusteradmin-rolebindings-gcp-2024-003
+spec:
+  validationFailureAction: Enforce
+  rules:
+  - name: validate-restricted-cluster-admin-bindings
+    match:
+      resources:
+        kinds:
+        - ClusterRoleBinding
+        - RoleBinding
+    validate:
+      message: "Binding ClusterRole 'cluster-admin' is restricted, system:authenticated, system:unauthenticated and system:anonymous are not allowed. GCP-2024-003"
+      deny:
+        conditions:
+          all:
+          - key: "{{ request.object.subjects[].name }}"
+            operator: AnyIn
+            value:
+            - system:authenticated
+            - system:unauthenticated
+            - system:anonymous
+          - key: "{{ request.object.roleRef.name }}"
+            operator: Equals
+            value: "cluster-admin"
From 630a4b7ca07708845e0504a319e2b8464fb939e0 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 12:35:54 -0400
Subject: [PATCH 02/10] add annotations and artifact hub
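Review bot: The deny block keys on `roleRef.name` alone, so a namespaced `Role` that happens to be called `cluster-admin` trips the rule while the message text claims to restrict the ClusterRole; add a third condition under `all`: `- key: "{{ request.object.roleRef.kind }}"` / `operator: Equals` / `value: ClusterRole`. Conversely, because the name comparison is an exact match, binding any other ClusterRole (built-in `admin`/`edit` or a custom wildcard role) to `system:authenticated`, `system:unauthenticated` or `system:anonymous` is not caught here; that matches the policy's title, but the description should say so rather than leave readers assuming the bulletin is fully covered. `subjects` is optional in RBAC, so `request.object.subjects[].name` can resolve to null for a binding with no subjects — presumably harmless for `AnyIn`, but worth a fixture to confirm.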
Signed-off-by: Boris 'B' Kurktchiev
---
 .../artifacthub-pkg.yml | 18 ++++++++++++++++++
 ...clusteradmin-rolebindings-gcp-2024-003.yaml | 7 +++++++
 2 files changed, 25 insertions(+)
 create mode 100644 other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml
new file mode 100644
index 000000000..772685da4
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml
@@ -0,0 +1,18 @@
+name: restrict-clusteradmin-rolebindings-gcp-2024-003
+version: 1.0.0
+displayName: Restrict ClusterAdmin RoleBindings (GCP-2024-003)
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+  The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
+install: |-
+  \```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
+  \```
+keywords:
+  - kyverno
+  - Security
+readme: |
+  The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
+annotations:
+  kyverno/category: "Security"
+  kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC"
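Review bot: `createdAt: "2023-04-10T20:30:03.000Z"` predates this policy's first commit in the series (14 May 2024) by more than a year, which suggests the value was carried over from another package's artifacthub-pkg.yml. Artifact Hub uses this timestamp to date and order package versions, so it should be set to the date this version was actually published, and the value should be bumped again whenever `version` changes.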
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
index 5fa5bbdc9..1385afead 100644
--- a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
@@ -2,6 +2,13 @@ apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
   name: restrict-clusteradmin-rolebindings-gcp-2024-003
+  annotations:
+    policies.kyverno.io/title: "Restrict ClusterAdmin RoleBindings (GCP-2024-003)"
+    policies.kyverno.io/category: "Security"
+    policies.kyverno.io/severity: "medium"
+    policies.kyverno.io/subject: "RoleBinding, ClusterRoleBinding, RBAC"
+    policies.kyverno.io/description: >-
+      The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
 spec:
   validationFailureAction: Enforce
   rules:
From bb0d25adc6cd5969dedcc5ac562a7012969c6f51 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 14:37:20 -0400
Subject: [PATCH 03/10] switch to audit mode
Signed-off-by: Boris 'B' Kurktchiev
---
 .../restrict-clusteradmin-rolebindings-gcp-2024-003.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
index 1385afead..1eb17d422 100644
--- a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
@@ -10,7 +10,7 @@ metadata:
     policies.kyverno.io/description: >-
       The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
 spec:
-  validationFailureAction: Enforce
+  validationFailureAction: Audit
   rules:
   - name: validate-restricted-cluster-admin-bindings
     match:
From 133372626d3c223bd0579c5a680fd067c3bc77d0 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 15:43:04 -0400
Subject: [PATCH 04/10] start adding test objects
Signed-off-by: Boris 'B' Kurktchiev
---
 .../.kyverno-test/bad-clusterrolebinding.yaml | 11 +++++++++++
 .../.kyverno-test/bad-rolebinding.yaml | 12 ++++++++++++
 .../.kyverno-test/good-clusterrolebinding.yaml | 11 +++++++++++
 .../.kyverno-test/good-rolebinding.yaml | 12 ++++++++++++
 4 files changed, 46 insertions(+)
 create mode 100644 other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-clusterrolebinding.yaml
 create mode 100644 other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-rolebinding.yaml
 create mode 100644 other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-clusterrolebinding.yaml
 create mode 100644 other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-rolebinding.yaml
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-clusterrolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-clusterrolebinding.yaml
new file mode 100644
index 000000000..8057ff6b8
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-clusterrolebinding.yaml
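Review bot: Switching `validationFailureAction` to `Audit` means a ClusterRoleBinding of `cluster-admin` to `system:authenticated` is now admitted and only recorded in a PolicyReport, yet the `policies.kyverno.io/description` two lines above still says the policy "prevents" such bindings. If Audit is the intended default, reword the description so operators know they have to flip it, e.g. `This policy reports, and in Enforce mode blocks, binding the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.` The same sentence is duplicated in artifacthub-pkg.yml and should be kept in sync.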
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: bad-clusterrolebinding
+subjects:
+- kind: Group
+  name: system:unauthenticated
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-rolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-rolebinding.yaml
new file mode 100644
index 000000000..f3f44e53b
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: bad-rolebinding
+  namespace: default
+subjects:
+- kind: Group
+  name: system:authenticated
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-clusterrolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-clusterrolebinding.yaml
new file mode 100644
index 000000000..14d35b8d2
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-clusterrolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: good-clusterrolebinding
+subjects:
+- kind: User
+  name: jane.doe
+roleRef:
+  kind: ClusterRole
+  name: view
+  apiGroup: rbac.authorization.k8s.io
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-rolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-rolebinding.yaml
new file mode 100644
index 000000000..291827b14
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-rolebinding.yaml
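Review bot: Neither "good" fixture binds `cluster-admin` at all (`view` in good-clusterrolebinding.yaml, a namespaced `Role` in good-rolebinding.yaml), so the pair only shows that unrelated bindings pass and cannot distinguish a correct policy from one that denies every cluster-admin binding regardless of subject. Add a positive fixture the policy must admit — a ClusterRoleBinding with `roleRef.name: cluster-admin` and a single `kind: User` / `name: jane.doe` subject — and a mixed-subject negative (a legitimate user listed alongside `system:authenticated`) to pin the `AnyIn` semantics over `subjects[].name`. Both bad fixtures use only the Group kind; a `system:anonymous` subject with `kind: User` would cover the third name in the deny list.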
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: good-rolebinding
+  namespace: default
+subjects:
+- kind: User
+  name: john.doe
+roleRef:
+  kind: Role
+  name: admin
+  apiGroup: rbac.authorization.k8s.io
From e8d49fb1d82bcb6c25f94f1cb7cfccd1c0ea89f6 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Mon, 29 Jul 2024 17:06:36 -0400
Subject: [PATCH 05/10] add annotations
Signed-off-by: Boris 'B' Kurktchiev
---
 .../restrict-clusteradmin-rolebindings-gcp-2024-003.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
index 1eb17d422..53917be6f 100644
--- a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
@@ -7,6 +7,8 @@ metadata:
     policies.kyverno.io/category: "Security"
     policies.kyverno.io/severity: "medium"
     policies.kyverno.io/subject: "RoleBinding, ClusterRoleBinding, RBAC"
+    kyverno.io/kubernetes-version: 1.27
+    kyverno.io/kyverno-version: 1.10
     policies.kyverno.io/description: >-
       The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
 spec:
From df72ee5175ac758e4dffb9f64cae47ab07fc03ea Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Wed, 31 Jul 2024 10:28:28 -0400
Subject: [PATCH 06/10] update annotations
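Review bot: `kyverno.io/kubernetes-version: 1.27` and `kyverno.io/kyverno-version: 1.10` are unquoted, so a YAML parser reads them as floats — `1.10` silently becomes `1.1` — and Kubernetes annotation values must be strings, so I expect the API server to reject this manifest on apply rather than install the policy. Quote both the way the neighbouring annotations in this block are quoted: `kyverno.io/kubernetes-version: "1.27"` and `kyverno.io/kyverno-version: "1.10"`.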
Signed-off-by: Boris 'B' Kurktchiev
---
 ...estrict-clusteradmin-rolebindings-gcp-2024-003.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
index 53917be6f..4f1647394 100644
--- a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
@@ -3,14 +3,16 @@ kind: ClusterPolicy
 metadata:
   name: restrict-clusteradmin-rolebindings-gcp-2024-003
   annotations:
-    policies.kyverno.io/title: "Restrict ClusterAdmin RoleBindings (GCP-2024-003)"
-    policies.kyverno.io/category: "Security"
-    policies.kyverno.io/severity: "medium"
-    policies.kyverno.io/subject: "RoleBinding, ClusterRoleBinding, RBAC"
+    policies.kyverno.io/title: Restrict ClusterAdmin RoleBindings (GCP-2024-003)
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding
     kyverno.io/kubernetes-version: 1.27
     kyverno.io/kyverno-version: 1.10
     policies.kyverno.io/description: >-
       The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
+
+      Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 spec:
   validationFailureAction: Audit
   rules:
From 1fb91843faf9c03f7bb091d7f7bfdd43e916abbd Mon Sep 17 00:00:00 2001
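Review bot: The sentence `Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/` appended to `policies.kyverno.io/description` reads like a leftover from a template: the description is the user-facing text shown on Artifact Hub and in policy reports, and this line says nothing about the policy, so it should be dropped along with the blank line before it. Note also that the two context lines `kyverno.io/kubernetes-version: 1.27` and `kyverno.io/kyverno-version: 1.10` are still unquoted numbers even though this hunk changes the quoting of every neighbouring annotation; those two need quotes (`"1.27"`, `"1.10"`) because annotation values must be strings, while the values unquoted here are safe as plain scalars.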
From: Boris 'B' Kurktchiev
Date: Wed, 31 Jul 2024 12:40:17 -0400
Subject: [PATCH 07/10] make changes
Signed-off-by: Boris 'B' Kurktchiev
---
 .../artifacthub-pkg.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml
index 772685da4..b6b50783a 100644
--- a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml
@@ -5,9 +5,9 @@ createdAt: "2023-04-10T20:30:03.000Z"
 description: >-
   The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
 install: |-
-  \```shell
+  ```shell
   kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
-  \```
+  ```
 keywords:
   - kyverno
   - Security
@@ -15,4 +15,5 @@ readme: |
   The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources to the system:authenticated, system:unauthenticated, and system:anonymous subjects.
 annotations:
   kyverno/category: "Security"
-  kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC"
+  kyverno/subject: "RoleBinding, ClusterRoleBinding"
+digest:
From d8d63d012ffc642761a42cb3d58a589a3929552f Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Wed, 31 Jul 2024 13:47:36 -0400
Subject: [PATCH 08/10] add digest
Signed-off-by: Boris 'B' Kurktchiev
---
 .../artifacthub-pkg.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml
index b6b50783a..a5dc728f0 100644
--- a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/artifacthub-pkg.yml
@@ -16,4 +16,4 @@ readme: |
 annotations:
   kyverno/category: "Security"
   kyverno/subject: "RoleBinding, ClusterRoleBinding"
-digest:
+digest: 9220d6071d8faccd37995e3fdf7b8db036b0e499268eb38993587016a0c1120e
From 8f4b2fa87af76015a107879d20ea84b2c641dcc4 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Tue, 6 Aug 2024 09:32:44 -0400
Subject: [PATCH 09/10] fix match block
Signed-off-by: Boris 'B' Kurktchiev
---
 .../restrict-clusteradmin-rolebindings-gcp-2024-003.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
index 4f1647394..d3500c4c7 100644
--- a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
@@ -18,10 +18,11 @@ spec:
   rules:
   - name: validate-restricted-cluster-admin-bindings
     match:
-      resources:
-        kinds:
-        - ClusterRoleBinding
-        - RoleBinding
+      any:
+      - resources:
+          kinds:
+          - ClusterRoleBinding
+          - RoleBinding
     validate:
       message: "Binding ClusterRole 'cluster-admin' is restricted, system:authenticated, system:unauthenticated and system:anonymous are not allowed. GCP-2024-003"
       deny:
From 82024d794f1e17ada531e1ea96392a319010ddfc Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev
Date: Tue, 6 Aug 2024 16:35:19 -0400
Subject: [PATCH 10/10] get started on tests
Signed-off-by: Boris 'B' Kurktchiev
---
 .../bad-clusterrolebinding.yaml | 0
 .../bad-rolebinding.yaml | 0
 .../chainsaw-step-01-assert-1.yaml | 5 ++++
 .../.chainsaw-test/chainsaw-test.yaml | 29 +++++++++++++++++++
 .../good-clusterrolebinding.yaml | 0
 .../good-rolebinding.yaml | 0
 6 files changed, 34 insertions(+)
 rename other/restrict-clusteradmin-rolebindings-gcp-2024-003/{.kyverno-test => .chainsaw-test}/bad-clusterrolebinding.yaml (100%)
 rename other/restrict-clusteradmin-rolebindings-gcp-2024-003/{.kyverno-test => .chainsaw-test}/bad-rolebinding.yaml (100%)
 create mode 100644 other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 create mode 100644 other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-test.yaml
 rename other/restrict-clusteradmin-rolebindings-gcp-2024-003/{.kyverno-test => .chainsaw-test}/good-clusterrolebinding.yaml (100%)
 rename other/restrict-clusteradmin-rolebindings-gcp-2024-003/{.kyverno-test => .chainsaw-test}/good-rolebinding.yaml (100%)
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-clusterrolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-clusterrolebinding.yaml
similarity index 100%
rename from other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-clusterrolebinding.yaml
rename to other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-clusterrolebinding.yaml
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-rolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-rolebinding.yaml
similarity index 100%
rename from other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/bad-rolebinding.yaml
rename to other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/bad-rolebinding.yaml
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100644
index 000000000..90fd6e264
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,5 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: secrets-not-from-env-vars-cve-2024-3177
+  ready: true
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-test.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..0c0e46434
--- /dev/null
+++ b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: secrets-not-from-env-vars-cve-2024-3177
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../secrets-not-from-env-vars-cve-2024-3177.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: secrets-not-from-env-vars-cve-2024-3177
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: good-pod.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-pod.yaml
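Review bot: The assert targets `metadata.name: secrets-not-from-env-vars-cve-2024-3177`, a different policy from the one this directory ships, so step-01 can never find the object; it should read `name: restrict-clusteradmin-rolebindings-gcp-2024-003`. `ready: true` also appears indented under `metadata` (there is no `status:` key in the five added lines), so even with the right name the assert would not wait for the policy to be admitted before step-02 applies the fixtures, which is exactly the race that lets a bad binding slip through in Audit-then-Enforce tests; replace the last line with `status:` / `  ready: true`.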
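Review bot: This test is a copy of another policy's chainsaw test and never touches this policy: the `apply` file and the `patch` target are `secrets-not-from-env-vars-cve-2024-3177`, and step-02 applies `good-pod.yaml` and `bad-pod.yaml`, which do not exist here, while the four binding fixtures renamed into `.chainsaw-test` by this same commit are never referenced. The commit message says this is a starting point, but as written the test fails on the missing file rather than exercising either deny condition, and if that other policy file were ever present it would pass against the wrong policy. Point step-01 at `../restrict-clusteradmin-rolebindings-gcp-2024-003.yaml` with the matching ClusterPolicy name, and make step-02 apply both good fixtures and expect an error from each bad one.

```yaml
metadata:
  name: restrict-clusteradmin-rolebindings-gcp-2024-003
spec:
  steps:
  - name: step-01
    try:
    - apply:
        file: ../restrict-clusteradmin-rolebindings-gcp-2024-003.yaml
    - patch:
        resource:
          # … unchanged: apiVersion / kind …
          metadata:
            name: restrict-clusteradmin-rolebindings-gcp-2024-003
          # … unchanged: spec.validationFailureAction: Enforce …
    # … unchanged: assert on chainsaw-step-01-assert-1.yaml …
  - name: step-02
    try:
    - apply:
        file: good-clusterrolebinding.yaml
    - apply:
        file: good-rolebinding.yaml
    - apply:
        expect:
        - check:
            ($error != null): true
        file: bad-clusterrolebinding.yaml
    - apply:
        expect:
        - check:
            ($error != null): true
        file: bad-rolebinding.yaml
```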
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-clusterrolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-clusterrolebinding.yaml
similarity index 100%
rename from other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-clusterrolebinding.yaml
rename to other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-clusterrolebinding.yaml
diff --git a/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-rolebinding.yaml b/other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-rolebinding.yaml
similarity index 100%
rename from other/restrict-clusteradmin-rolebindings-gcp-2024-003/.kyverno-test/good-rolebinding.yaml
rename to other/restrict-clusteradmin-rolebindings-gcp-2024-003/.chainsaw-test/good-rolebinding.yaml