From 423bd9bc8a7d016d2eab2819361a9d17d4f1ebca Mon Sep 17 00:00:00 2001
From: Mason Malone <651224+MasonM@users.noreply.github.com>
Date: Thu, 16 Jan 2025 22:08:27 -0800
Subject: [PATCH] test: get rid of automated tests and cleanup

Signed-off-by: Mason Malone <651224+MasonM@users.noreply.github.com>
---
docs/fields.md | 22 +++++++++++++
...o-dangerous-interpolation-vap-binding.yaml | 15 +++++++++
.../argo-dangerous-interpolation-vap.yaml | 1 -
.../rejected-workflow.yaml | 31 +++++++++++++++++++
examples/validation_test.go | 2 +-
test/e2e/executor_plugins_test.go | 12 -------
...o-dangerous-interpolation-vap-binding.yaml | 12 -------
test/e2e/manifests/plugins/kustomization.yaml | 2 --
.../dangerous-interpolation-container.yaml | 18 -----------
.../vap/dangerous-interpolation-script.yaml | 17 ----------
10 files changed, 69 insertions(+), 63 deletions(-)
create mode 100644 examples/validating-admission-policies/argo-dangerous-interpolation-vap-binding.yaml
rename examples/{ => validating-admission-policies}/argo-dangerous-interpolation-vap.yaml (96%)
create mode 100644 examples/validating-admission-policies/rejected-workflow.yaml
delete mode 100644 test/e2e/manifests/plugins/argo-dangerous-interpolation-vap-binding.yaml
delete mode 100644 test/e2e/testdata/vap/dangerous-interpolation-container.yaml
delete mode 100644 test/e2e/testdata/vap/dangerous-interpolation-script.yaml

diff --git a/docs/fields.md b/docs/fields.md
index 85999b50bf75..4a1210133ea9 100644
--- a/docs/fields.md
+++ b/docs/fields.md
@@ -341,6 +341,8 @@ Workflow is the definition of a workflow resource - [`title-and-description-with-markdown.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/title-and-description-with-markdown.yaml) +- [`rejected-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/validating-admission-policies/rejected-workflow.yaml) + - [`volumes-emptydir.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-emptydir.yaml) - [`volumes-existing.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-existing.yaml) @@ -799,6 +801,8 @@ WorkflowSpec is the specification of a Workflow. - [`title-and-description-with-markdown.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/title-and-description-with-markdown.yaml) +- [`rejected-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/validating-admission-policies/rejected-workflow.yaml) + - [`volumes-emptydir.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-emptydir.yaml) - [`volumes-existing.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-existing.yaml) @@ -1252,6 +1256,8 @@ CronWorkflowSpec is the specification of a CronWorkflow - [`title-and-description-with-markdown.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/title-and-description-with-markdown.yaml) +- [`rejected-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/validating-admission-policies/rejected-workflow.yaml) + - [`volumes-emptydir.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-emptydir.yaml) - [`volumes-existing.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-existing.yaml) 
@@ -1500,6 +1506,8 @@ Arguments to a template - [`synchronization-mutex-tmpl-level.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/synchronization-mutex-tmpl-level.yaml) +- [`rejected-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/validating-admission-policies/rejected-workflow.yaml) + - [`work-avoidance.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/work-avoidance.yaml) - [`event-consumer-workfloweventbinding.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/workflow-event-binding/event-consumer-workfloweventbinding.yaml) @@ -2348,6 +2356,8 @@ Parameter indicate a passed string parameter to a service template with an optio - [`synchronization-mutex-tmpl-level.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/synchronization-mutex-tmpl-level.yaml) +- [`rejected-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/validating-admission-policies/rejected-workflow.yaml) + - [`work-avoidance.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/work-avoidance.yaml) - [`event-consumer-workfloweventbinding.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/workflow-event-binding/event-consumer-workfloweventbinding.yaml) @@ -3043,6 +3053,8 @@ ScriptTemplate is a template subtype to enable scripting through code steps - [`scripts-python.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/scripts-python.yaml) +- [`rejected-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/validating-admission-policies/rejected-workflow.yaml) + - [`withsequence-nested-result.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/withsequence-nested-result.yaml) - [`work-avoidance.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/work-avoidance.yaml) 
@@ -3837,6 +3849,8 @@ MetricLabel is a single label for a prometheus metric - [`steps-inline-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/steps-inline-workflow.yaml) - [`title-and-description-with-markdown.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/title-and-description-with-markdown.yaml) + +- [`rejected-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/validating-admission-policies/rejected-workflow.yaml) ### Fields @@ -4095,6 +4109,8 @@ DataSource sources external data into a data template - [`scripts-python.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/scripts-python.yaml) +- [`rejected-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/validating-admission-policies/rejected-workflow.yaml) + - [`withsequence-nested-result.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/withsequence-nested-result.yaml) - [`work-avoidance.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/work-avoidance.yaml) @@ -5025,6 +5041,8 @@ ObjectMeta is metadata that all persisted resources must have, which includes al - [`title-and-description-with-markdown.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/title-and-description-with-markdown.yaml) +- [`rejected-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/validating-admission-policies/rejected-workflow.yaml) + - [`volumes-emptydir.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-emptydir.yaml) - [`volumes-existing.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-existing.yaml) 
@@ -5623,6 +5641,8 @@ A single application container that you want to run within a pod. - [`title-and-description-with-markdown.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/title-and-description-with-markdown.yaml) +- [`rejected-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/validating-admission-policies/rejected-workflow.yaml) + - [`volumes-emptydir.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-emptydir.yaml) - [`volumes-existing.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-existing.yaml) @@ -6619,6 +6639,8 @@ ImageVolumeSource represents a image volume resource. - [`title-and-description-with-markdown.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/title-and-description-with-markdown.yaml) +- [`rejected-workflow.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/validating-admission-policies/rejected-workflow.yaml) + - [`volumes-emptydir.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-emptydir.yaml) - [`volumes-existing.yaml`](https://github.com/argoproj/argo-workflows/blob/main/examples/volumes-existing.yaml) diff --git a/examples/validating-admission-policies/argo-dangerous-interpolation-vap-binding.yaml b/examples/validating-admission-policies/argo-dangerous-interpolation-vap-binding.yaml new file mode 100644 index 000000000000..6a83a4ba1c55 --- /dev/null +++ b/examples/validating-admission-policies/argo-dangerous-interpolation-vap-binding.yaml 
@@ -0,0 +1,15 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "argo-dangerous-interpolation-vap-binding" +spec: + policyName: "argo-dangerous-interpolation-vap" + # Reject workflows that match the VAP. + # You could also set this to "Audit" to instead generate an audit event on a + # match, which can be used to identify workflows that need to be fixed. + validationActions: [Deny] + matchResources: + objectSelector: + matchLabels: + # Only match workflows with the "workflows.argoproj.io/vap" label. + workflows.argoproj.io/vap: "true" \ No newline at end of file diff --git a/examples/argo-dangerous-interpolation-vap.yaml b/examples/validating-admission-policies/argo-dangerous-interpolation-vap.yaml similarity index 96% rename from examples/argo-dangerous-interpolation-vap.yaml rename to examples/validating-admission-policies/argo-dangerous-interpolation-vap.yaml index caf2b6ba2c42..8c5e3133e16c 100644 --- a/examples/argo-dangerous-interpolation-vap.yaml +++ b/examples/validating-admission-policies/argo-dangerous-interpolation-vap.yaml @@ -6,7 +6,6 @@ # injection vulnerabilities (https://owasp.org/www-community/attacks/Command_Injection). # # This policy will only work when using the full CRDs (https://argo-workflows.readthedocs.io/en/latest/installation/#full-crds). -# You must create a ValidatingAdmissionPolicyBinding to use it. apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: diff --git a/examples/validating-admission-policies/rejected-workflow.yaml b/examples/validating-admission-policies/rejected-workflow.yaml new file mode 100644 index 000000000000..4ec0e6693671 --- /dev/null +++ b/examples/validating-admission-policies/rejected-workflow.yaml 
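Review bot: The binding's `objectSelector` only selects Workflows that carry `workflows.argoproj.io/vap: "true"`, so enforcement is opt-in by whoever submits the Workflow — anyone who omits the label is never evaluated, which defeats the command-injection guard the policy header describes. That is acceptable for a demo, but the comment should say so explicitly; I would replace it with `# Opt-in for demo purposes: only Workflows carrying this label are checked.` / `# For real enforcement drop the objectSelector (or scope with a namespaceSelector) so every Workflow is evaluated.` Consider `validationActions: [Deny, Audit]` so denials also land in the API-server audit log rather than only in the submitter's error, which the existing Audit remark half-suggests. The file also lacks a trailing newline.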
@@ -0,0 +1,31 @@ +# This workflow contains a "container" template and "script" template that both +# match the validating admission policy at +# examples/validating-admission-policies/argo-dangerous-interpolation-vap.yaml. +# +# Attempting to submit it should give you the following: +# $ kubectl create -f examples/validating-admission-policies/rejected-workflow.yaml +# The workflows "rejected-workflow-fvj4h" is invalid: : ValidatingAdmissionPolicy 'argo-dangerous-interpolation-vap' with binding 'argo-dangerous-interpolation-vap-binding' denied request: Dangerous interpolation detected +apiVersion: argoproj.io/v1alpha1 +kind: Workflow +metadata: + generateName: rejected-workflow- + labels: + workflows.argoproj.io/vap: "true" +spec: + entrypoint: container-with-interpolation + arguments: + parameters: + - name: message + value: test + templates: + - name: container-with-interpolation + container: + image: argoproj/argosay:v2 + args: + - echo + - "{{workflow.parameters.message}}" + - name: script-with-interpolation + script: + image: argoproj/argosay:v2 + command: [sh, -c] + source: "{{workflow.parameters.message}}" \ No newline at end of file diff --git a/examples/validation_test.go b/examples/validation_test.go index 8fb209e51826..14f28e7ebb82 100644 --- a/examples/validation_test.go +++ b/examples/validation_test.go @@ -7,7 +7,7 @@ import ( ) func TestValidateExamples(t *testing.T) { - failures, err := ValidateArgoYamlRecursively(".", []string{"testvolume.yaml", "simple-parameters-configmap.yaml", "memoize-simple.yaml", "argo-dangerous-interpolation-vap.yaml"}) + failures, err := ValidateArgoYamlRecursively(".", []string{"testvolume.yaml", "simple-parameters-configmap.yaml", "memoize-simple.yaml"}) if err != nil { t.Errorf("There was an error: %s", err) } diff --git a/test/e2e/executor_plugins_test.go b/test/e2e/executor_plugins_test.go index 7889e7952f1b..2ac7c052b2c2 100644 --- a/test/e2e/executor_plugins_test.go +++ b/test/e2e/executor_plugins_test.go 
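Review bot: The example is only rejected because of the `workflows.argoproj.io/vap: "true"` label under `metadata.labels`, yet nothing in the file says so; a reader who copies the templates without the label will see the Workflow admitted and conclude the policy is broken. I would add above the label: `# The binding in argo-dangerous-interpolation-vap-binding.yaml only selects Workflows carrying this label; without it the Workflow is admitted unchanged.` The header should also state that this is a deliberately unsafe Workflow — `source: "{{workflow.parameters.message}}"` hands a caller-controlled parameter straight to `sh -c` — and must not be submitted on a cluster where the policy is absent. `script-with-interpolation` is unreachable from `entrypoint`, which presumably is fine because the header says both templates match the policy (implying it inspects every template, not the execution graph); a one-line comment saying that would pre-empt the question.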
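Review bot: Dropping `argo-dangerous-interpolation-vap.yaml` from the skip list in `TestValidateExamples` means `ValidateArgoYamlRecursively(".")` now walks into `validating-admission-policies/` and visits the VAP and the new binding, which are `admissionregistration.k8s.io` objects rather than Argo kinds; unless the validator silently skips non-Argo kinds (not visible here), the test will fail on them and the skip list should instead read `"memoize-simple.yaml", "argo-dangerous-interpolation-vap.yaml", "argo-dangerous-interpolation-vap-binding.yaml"`. If the validator does skip them, a comment beside the call saying so would stop the entry from being re-added. With `TestWorkflowRejectedByValidatingAdmissionPolicy` deleted in this same patch, this test is the only automated coverage left and it only checks that `rejected-workflow.yaml` is a well-formed Workflow — it never exercises the CEL rule, so a regression in the policy expression would go unnoticed. The function body continues past the hunk.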
@@ -84,18 +84,6 @@ func (s *ExecutorPluginsSuite) TestTemplateExecutor() { }) } -func (s *ExecutorPluginsSuite) TestWorkflowRejectedByValidatingAdmissionPolicy() { - s.Run("Rejects workflow with interpolation in script template", func() { - s.Given(). - Exec("kubectl", []string{"apply", "-f", "testdata/vap/dangerous-interpolation-script.yaml"}, fixtures.ErrorOutput("denied request: Dangerous interpolation detected")) - }) - - s.Run("Rejects workflow with interpolation in container template", func() { - s.Given(). - Exec("kubectl", []string{"apply", "-f", "testdata/vap/dangerous-interpolation-container.yaml"}, fixtures.ErrorOutput("denied request: Dangerous interpolation detected")) - }) -} - func TestExecutorPluginsSuite(t *testing.T) { suite.Run(t, new(ExecutorPluginsSuite)) } diff --git a/test/e2e/manifests/plugins/argo-dangerous-interpolation-vap-binding.yaml b/test/e2e/manifests/plugins/argo-dangerous-interpolation-vap-binding.yaml deleted file mode 100644 index 2feb00f4a58b..000000000000 --- a/test/e2e/manifests/plugins/argo-dangerous-interpolation-vap-binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "argo-dangerous-interpolation-vap-binding" - namespace: argo -spec: - policyName: "argo-dangerous-interpolation-vap" - validationActions: [Deny] - matchResources: - objectSelector: - matchLabels: - workflows.argoproj.io/test: dangerous-interpolation \ No newline at end of file diff --git a/test/e2e/manifests/plugins/kustomization.yaml b/test/e2e/manifests/plugins/kustomization.yaml index a62a1c516afc..e218c7bb095b 100644 --- a/test/e2e/manifests/plugins/kustomization.yaml +++ b/test/e2e/manifests/plugins/kustomization.yaml 
@@ -6,7 +6,5 @@ resources: - hello-executor-plugin-serviceaccount.yaml - hello-executor-plugin.service-account-token-secret.yaml - hello-executor-plugin-configmap.yaml - - ../../../../examples/argo-dangerous-interpolation-vap.yaml - - argo-dangerous-interpolation-vap-binding.yaml namespace: argo diff --git a/test/e2e/testdata/vap/dangerous-interpolation-container.yaml b/test/e2e/testdata/vap/dangerous-interpolation-container.yaml deleted file mode 100644 index 9f8e368b9e79..000000000000 --- a/test/e2e/testdata/vap/dangerous-interpolation-container.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Workflow -metadata: - name: container-interpolation - labels: - workflows.argoproj.io/test: dangerous-interpolation -spec: - entrypoint: main - arguments: - parameters: - - name: message - templates: - - name: main - container: - image: argoproj/argosay:v2 - args: - - echo - - "{{workflow.parameters.message}}" \ No newline at end of file diff --git a/test/e2e/testdata/vap/dangerous-interpolation-script.yaml b/test/e2e/testdata/vap/dangerous-interpolation-script.yaml deleted file mode 100644 index ad13d5b37735..000000000000 --- a/test/e2e/testdata/vap/dangerous-interpolation-script.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Workflow -metadata: - name: script-interpolation - labels: - workflows.argoproj.io/test: dangerous-interpolation -spec: - entrypoint: main - arguments: - parameters: - - name: message - templates: - - name: main - script: - image: argoproj/argosay:v2 - command: [sh, -c] - source: "HELLO {{workflow.parameters.message}}" \ No newline at end of file