From bb337baf3202d0fb8aadd6c2a0d27d168a54e3ba Mon Sep 17 00:00:00 2001
From: Dolis Sharma
Date: Wed, 10 Jul 2024 16:19:53 -0300
Subject: [PATCH 01/12] adding protect-node-label policy
Signed-off-by: Dolis Sharma
---
.../chainsaw-step-04-apply-1.yaml | 12 ++
.../chainsaw-step-04-apply-2.yaml | 12 ++
.../.chainsaw-test/chainsaw-test.yaml | 104 ++++++++++++++++++
.../.chainsaw-test/policy-ready.yaml | 9 ++
other/protect-node-label/artifacthub-pkg.yml | 16 +++
.../protect-nodel-label.yaml | 51 +++++++++
6 files changed, 204 insertions(+)
create mode 100755 other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-1.yaml
create mode 100755 other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-2.yaml
create mode 100755 other/protect-node-label/.chainsaw-test/chainsaw-test.yaml
create mode 100644 other/protect-node-label/.chainsaw-test/policy-ready.yaml
create mode 100644 other/protect-node-label/artifacthub-pkg.yml
create mode 100644 other/protect-node-label/protect-nodel-label.yaml
diff --git a/other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-1.yaml b/other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-1.yaml
new file mode 100755
index 000000000..adbdfcb18
--- /dev/null
+++ b/other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-1.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: node-label
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - patch
diff --git a/other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-2.yaml b/other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-2.yaml
new file mode 100755
index 000000000..eb82065c1
--- /dev/null
+++ b/other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-2.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: node-label:nodelabeluser
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: node-label
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: nodelabeluser
diff --git a/other/protect-node-label/.chainsaw-test/chainsaw-test.yaml b/other/protect-node-label/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..a35d28ccd
--- /dev/null
+++ b/other/protect-node-label/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,104 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: protect-node-label +spec: + steps: + - name: step-01 + try: + - script: + content: | + kubectl get configmap kyverno -n kyverno -o yaml | sed 's/\[Node\/\*,\*,\*\]//g' - | sed 's/\[Node,\*,\*\]//g' - | kubectl apply -f - + node=$(kubectl get nodes --no-headers | awk '{print $1}' | head -n 1) + kubectl label node "$node" foo=bar + - sleep: + duration: 5s + - name: step-02 + try: + - apply: + file: ../protect-node-label.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - script: + content: | + #!/bin/bash + set -eu + export USERNAME=nodelabeluser + export CA=ca.crt + #### Get CA certificate from kubeconfig assuming it's the first in the list. + kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ./ca.crt + #### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list. + CLUSTER_SERVER="$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')" + #### Set CLUSTER from kubeconfig assuming it's the first in the list. 
+ CLUSTER="$(kubectl config view --raw -o jsonpath='{.clusters[0].name}')" + #### Generate private key + openssl genrsa -out $USERNAME.key 2048 + #### Create CSR + openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=testorg/CN=$USERNAME" + #### Send CSR to kube-apiserver for approval + cat < $USERNAME.crt + #### + #### Create the credential object and output the new kubeconfig file + kubectl config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs + #### Set the context + kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER + # Delete CSR + kubectl delete csr $USERNAME + - name: step-04 + try: + - apply: + file: chainsaw-step-04-apply-1.yaml + - apply: + file: chainsaw-step-04-apply-2.yaml + - name: step-05 + try: + - script: + content: | + #!/bin/bash + node=$(kubectl get nodes --no-headers | awk '{print $1}' | head -n 1) + if kubectl --context nodelabeluser-context label node "$node" foo=bar; then + echo "Failed: Success altering node label by nodelabeluser"; + exit 1; + else + echo "Success: Failed to alter node label by nodelabeluser"; + exit 0; + fi; + - script: + content: | + #!/bin/bash + node=$(kubectl get nodes --no-headers | awk '{print $1}' | head -n 1) + if kubectl label node "$node" foo=bar; then + echo "Success altering node label by cluster-admin"; + exit 0; + else + echo "Failed to alter node label by cluster-admin"; + exit 1; + fi; + - name: step-06 + try: + - script: + content: | + kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[APIService,\*,\*\]/\[Node,\*,\*\] \[Node\/\*,\*,\*\] \[APIService,\*,\*\]/g' - | kubectl apply -f - + node=$(kubectl get nodes --no-headers | awk '{print $1}' | head -n 1) + kubectl label nodes "$node" foo=bar + kubectl label nodes "$node" foo=bar + kubectl config unset users.nodelabeluser + kubectl config unset contexts.nodelabeluser-context 
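Review bot: The denial check in step-05 cannot tell a policy denial from any other failure, and as written it does not exercise the policy: step-01 already set `foo=bar`, so re-applying `foo=bar` as nodelabeluser leaves the label unchanged and the rule's `NotEquals` comparison against the old value has nothing to reject. Use a different value and assert on the admission message, e.g. `out=$(kubectl --context nodelabeluser-context label node "$node" foo=baz --overwrite 2>&1) && exit 1` followed by `echo "$out" | grep -q "label on a Node is not allowed"`. Without that, an RBAC `Forbidden` counts as a pass, which is what would happen once patch 11/12 deletes `chainsaw-step-04-apply-1.yaml` (no visible patch updates step-04 to match). Separately, step-03 leaves the generated private key, CSR and certificates in the working directory, and step-06 restores the Kyverno ConfigMap and kubeconfig only on the success path; moving that restore and the file removal into a `finally` block would stop a failed run from leaving them behind.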
diff --git a/other/protect-node-label/.chainsaw-test/policy-ready.yaml b/other/protect-node-label/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..6dc650ee3
--- /dev/null
+++ b/other/protect-node-label/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: protect-node-label
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/other/protect-node-label/artifacthub-pkg.yml b/other/protect-node-label/artifacthub-pkg.yml
new file mode 100644
index 000000000..ffc1dc11f
--- /dev/null
+++ b/other/protect-node-label/artifacthub-pkg.yml
@@ -0,0 +1,16 @@
+name: protect-node-taints
+version: 1.0.0
+displayName: Protect Node Label
+description: >-
+ Node labels are critical pieces of metadata upon which many other applications and logic may depend and should not be altered or removed by regular users. This policy prevents changes or deletions to a label called `foo` on cluster Nodes
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/protect-node-label/protect-node-label.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/subject: "Node"
diff --git a/other/protect-node-label/protect-nodel-label.yaml b/other/protect-node-label/protect-nodel-label.yaml
new file mode 100644
index 000000000..f7f6ddcba
--- /dev/null
+++ b/other/protect-node-label/protect-nodel-label.yaml
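Review bot: In artifacthub-pkg.yml, `name: protect-node-taints` looks copied from a different policy package and should be `name: protect-node-label`, otherwise the published metadata identifies the wrong policy. The line `Refer to the documentation for more details on Kyverno annotations: ...` sits directly under the `keywords:` list with no key of its own; it presumably belongs in a `readme: |` block. The file also carries no `digest:` for the policy manifest, unlike the require-ro-rootfs package updated in patch 10 of this series, so consumers get no checksum for the YAML that the `install` command fetches.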
@@ -0,0 +1,51 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/description: 'Node labels are critical pieces of metadata
+ upon which many other applications and logic may depend and should not be
+ altered or removed by regular users. This policy prevents changes or deletions
+ to a label called `foo` on cluster Nodes.
+ policies.kyverno.io/subject: Node, Label
+ policies.kyverno.io/title: Restrict node label changes
+ generation: 1
+ name: protect-node-label-foo
+spec:
+ background: false
+ rules:
+ - match:
+ resources:
+ kinds:
+ - Node
+ name: prevent-label-value-changes
+ validate:
+ deny:
+ conditions:
+ all:
+ - key: '{{ request.object.metadata.labels.foo || '''' }}'
+ operator: NotEquals
+ value: ""
+ - key: '{{ request.object.metadata.labels.foo || '''' }}'
+ operator: NotEquals
+ value: '{{ request.oldObject.metadata.labels.foo || '''' }}'
+ message: Modifying the `foo` label on a Node is not allowed.
+ - match:
+ resources:
+ kinds:
+ - Node
+ name: prevent-label-key-removal
+ preconditions:
+ all:
+ - key: '{{ request.operation }}'
+ operator: Equals
+ value: UPDATE
+ - key: '{{ request.oldObject.metadata.labels.foo || '''' }}'
+ operator: Equals
+ value: ?*
+ validate:
+ message: Removing the `foo` label on a Node is not allowed.
+ pattern:
+ metadata:
+ labels:
+ foo: '*'
+ validationFailureAction: audit
From 489e548d68af995a90d193d80d743958c47a02bc Mon Sep 17 00:00:00 2001
From: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
Date: Fri, 30 Aug 2024 16:14:02 -0300
Subject: [PATCH 02/12] Update require-ro-rootfs.yaml
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
---
.../require-ro-rootfs/require-ro-rootfs.yaml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/best-practices/require-ro-rootfs/require-ro-rootfs.yaml b/best-practices/require-ro-rootfs/require-ro-rootfs.yaml
index 4ababccd8..b5b817ae6 100644
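Review bot: As added, this policy cannot do what its description says: `validationFailureAction: audit` only records violations, and neither rule excludes privileged identities, although the description targets "regular users" and step-05 of the Chainsaw test expects cluster-admin to keep working. Set `validationFailureAction: Enforce` (or have the test patch it before applying) and add `exclude: {clusterRoles: [cluster-admin]}` to both rules. The `policies.kyverno.io/description` value opens with a single quote that is never closed after `cluster Nodes.`, so the manifest is unlikely to parse as intended. The names also disagree: the file is added as `protect-nodel-label.yaml` while the test and the Artifact Hub install URL refer to `protect-node-label.yaml`, and `metadata.name` is `protect-node-label-foo` while policy-ready.yaml asserts `protect-node-label`.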
--- a/best-practices/require-ro-rootfs/require-ro-rootfs.yaml +++ b/best-practices/require-ro-rootfs/require-ro-rootfs.yaml @@ -26,8 +26,8 @@ spec: - Pod validate: message: "Root filesystem must be read-only." - pattern: - spec: - containers: - - securityContext: - readOnlyRootFilesystem: true \ No newline at end of file + foreach: + - list: request.object.spec.[ephemeralContainers, initContainers, containers][] + pattern: + securityContext: + readOnlyRootFilesystem: true From 28119dcd1c9e39d157faba10458781ef9520dbc3 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Fri, 30 Aug 2024 16:14:49 -0300 Subject: [PATCH 03/12] Update bad-pod-false.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml index 0c76d4e3f..dca3b85a3 100644 --- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml @@ -7,4 +7,9 @@ spec: - name: busybox image: ghcr.io/kyverno/test-busybox:1.35 securityContext: - readOnlyRootFilesystem: false \ No newline at end of file + readOnlyRootFilesystem: false + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + securityContext: + readOnlyRootFilesystem: false From 2cfdd803ffc3b389407b7421848c2a055758a909 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Fri, 30 Aug 2024 16:15:57 -0300 Subject: [PATCH 04/12] Update bad-pod-notall.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/bad-pod-notall.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) 
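Review bot: The widened `list` expression in require-ro-rootfs.yaml is not demonstrated by any fixture in this series: as far as the visible context shows, each "bad" manifest that gains `initContainers` in patches 03–06 already violates the rule in `containers`, and no manifest declares `ephemeralContainers`. Add a negative case whose regular containers all set `readOnlyRootFilesystem: true` while one init container omits it, so the test fails if the init branch is ever dropped from the expression. The rule's name and `match` block sit above the hunk and are not visible here.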
diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml index eef1dbb8e..4ecdfdb24 100644 --- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml @@ -10,6 +10,13 @@ spec: image: ghcr.io/kyverno/test-busybox:1.35 securityContext: readOnlyRootFilesystem: true + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox-again-init + image: ghcr.io/kyverno/test-busybox:1.35 + securityContext: + readOnlyRootFilesystem: true --- apiVersion: v1 kind: Pod @@ -22,4 +29,11 @@ spec: securityContext: readOnlyRootFilesystem: true - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: ghcr.io/kyverno/test-busybox:1.35 + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + securityContext: + readOnlyRootFilesystem: true + - name: busybox-again-init + image: ghcr.io/kyverno/test-busybox:1.35 From de08e8d9d7e406f360df4d53f65f1c4fbee06946 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Fri, 30 Aug 2024 16:16:32 -0300 Subject: [PATCH 05/12] Update bad-pod-nothing.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml index 8373d44b6..50bcc5a97 100644 --- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml 
@@ -5,4 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: ghcr.io/kyverno/test-busybox:1.35 + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 From 147e07f8f5ef55bdd6269c3c4a55e9d2bf780e15 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Fri, 30 Aug 2024 16:18:26 -0300 Subject: [PATCH 06/12] Update bad-podcontrollers.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/bad-podcontrollers.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml index 4f6b3cbcc..9fb2d17e5 100644 --- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml @@ -19,6 +19,12 @@ spec: image: ghcr.io/kyverno/test-busybox:1.35 securityContext: readOnlyRootFilesystem: true + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + securityContext: + readOnlyRootFilesystem: true + --- apiVersion: batch/v1 kind: CronJob @@ -37,4 +43,10 @@ spec: - name: busybox-again image: ghcr.io/kyverno/test-busybox:1.35 securityContext: - readOnlyRootFilesystem: true \ No newline at end of file + readOnlyRootFilesystem: true + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox-again-init + securityContext: + readOnlyRootFilesystem: true From c5fd4aa42c793a1b14ede3c3bf5d206fcb6bbfde Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Fri, 30 Aug 2024 16:28:55 -0300 Subject: [PATCH 07/12] Update good-podcontrollers.yaml 
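Review bot: In bad-podcontrollers.yaml, the `busybox-again-init` init container added to the CronJob has no `image:` line, unlike every other container in these fixtures. If the API server's own validation rejects the object for the missing image (likely, but not confirmed here), this negative case passes without the policy being the reason for the rejection. Add `image: ghcr.io/kyverno/test-busybox:1.35` under that name so the only defect in the manifest is the one under test.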
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/good-podcontrollers.yaml | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml index 9568d71ec..eb4f7b2dc 100644 --- a/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml @@ -21,6 +21,15 @@ spec: image: ghcr.io/kyverno/test-busybox:1.35 securityContext: readOnlyRootFilesystem: true + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + securityContext: + readOnlyRootFilesystem: true + - name: busybox-again-init + image: ghcr.io/kyverno/test-busybox:1.35 + securityContext: + readOnlyRootFilesystem: true --- apiVersion: batch/v1 kind: CronJob @@ -41,4 +50,13 @@ spec: - name: busybox-again image: ghcr.io/kyverno/test-busybox:1.35 securityContext: - readOnlyRootFilesystem: true \ No newline at end of file + readOnlyRootFilesystem: true + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + securityContext: + readOnlyRootFilesystem: true + - name: busybox-again-init + image: ghcr.io/kyverno/test-busybox:1.35 + securityContext: + readOnlyRootFilesystem: true From 0741130ac9baff25fa87a77b6964eac8cb17e2e0 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Fri, 30 Aug 2024 16:31:02 -0300 Subject: [PATCH 08/12] Update good-pods.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/good-pods.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml index 2e472fd4c..472cb5c28 100644 
--- a/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml @@ -8,6 +8,11 @@ spec: image: ghcr.io/kyverno/test-busybox:1.35 securityContext: readOnlyRootFilesystem: true + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + securityContext: + readOnlyRootFilesystem: true --- apiVersion: v1 kind: Pod @@ -23,3 +28,12 @@ spec: image: ghcr.io/kyverno/test-busybox:1.35 securityContext: readOnlyRootFilesystem: true + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + securityContext: + readOnlyRootFilesystem: true + - name: busybox-again-init + image: ghcr.io/kyverno/test-busybox:1.35 + securityContext: + readOnlyRootFilesystem: true From d19a6192e161bb2297a833872d32b95a7ac3d29f Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Fri, 30 Aug 2024 16:33:11 -0300 Subject: [PATCH 09/12] Update resource.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.kyverno-test/resource.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/best-practices/require-ro-rootfs/.kyverno-test/resource.yaml b/best-practices/require-ro-rootfs/.kyverno-test/resource.yaml index 2114a2351..0d048108e 100644 --- a/best-practices/require-ro-rootfs/.kyverno-test/resource.yaml +++ b/best-practices/require-ro-rootfs/.kyverno-test/resource.yaml @@ -8,6 +8,11 @@ spec: image: ghost securityContext: readOnlyRootFilesystem: false + initContainers: + - name: ghost-init + image: ghost + securityContext: + readOnlyRootFilesystem: false --- apiVersion: v1 kind: Pod @@ -17,6 +22,9 @@ spec: containers: - name: ghost image: ghost + initContainers: + - name: ghost-init + image: ghost --- apiVersion: v1 kind: Pod 
@@ -30,6 +38,13 @@ spec: image: busybox securityContext: readOnlyRootFilesystem: true + initContainers: + - name: ghost-init + image: ghost + - name: busybox-init + image: busybox + securityContext: + readOnlyRootFilesystem: true --- apiVersion: v1 kind: Pod @@ -41,6 +56,11 @@ spec: image: ghost securityContext: readOnlyRootFilesystem: true + initContainers: + - name: ghost-init + image: ghost + securityContext: + readOnlyRootFilesystem: true --- apiVersion: v1 kind: Pod @@ -56,3 +76,8 @@ spec: image: nginx securityContext: readOnlyRootFilesystem: true + initContainers: + - name: nginx-init + image: nginx + securityContext: + readOnlyRootFilesystem: true From 474409fc7b69e11f106476fc9628ca24423615d8 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Fri, 30 Aug 2024 16:43:08 -0300 Subject: [PATCH 10/12] Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- best-practices/require-ro-rootfs/artifacthub-pkg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/best-practices/require-ro-rootfs/artifacthub-pkg.yml b/best-practices/require-ro-rootfs/artifacthub-pkg.yml index 753894818..5d225b3ce 100644 --- a/best-practices/require-ro-rootfs/artifacthub-pkg.yml +++ b/best-practices/require-ro-rootfs/artifacthub-pkg.yml @@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Best Practices, EKS Best Practices" kyverno/subject: "Pod" -digest: 27b193124b332e64884209f20617f5b5d2c3fc41b9a33265e971ec807b14ae14 +digest: 24d5afeb7aa3358587dc8cda35176b233971fa4a7be7d0db895a484799c80baf From 3ae46970a6f8f2c5bd80bb32bca4318a35df4307 Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Fri, 30 Aug 2024 16:49:11 -0300 Subject: [PATCH 11/12] Delete other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-1.yaml 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
---
.../.chainsaw-test/chainsaw-step-04-apply-1.yaml | 12 ------------
1 file changed, 12 deletions(-)
delete mode 100755 other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-1.yaml
diff --git a/other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-1.yaml b/other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-1.yaml
deleted file mode 100755
index adbdfcb18..000000000
--- a/other/protect-node-label/.chainsaw-test/chainsaw-step-04-apply-1.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: node-label
-rules:
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - patch
From 957018ae640597f1d67938702e97ea7dc3fa508b Mon Sep 17 00:00:00 2001
From: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
Date: Fri, 30 Aug 2024 16:53:47 -0300
Subject: [PATCH 12/12] Update artifacthub-pkg.yml
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>