kyverno/test/conformance/tests.yaml

should-fail:
  - description: Policy with backgound enabled and referencing user infos should be rejected
    kubectl:
      args:
        - create
        - -f 
        - test/conformance/manifests/should-fail/background-userinfo-1.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-1.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule: variable "{{request.roles}} is not allowed 
  - description: Policy with backgound enabled and referencing user infos should be rejected
    kubectl:
      args:
        - create
        - -f 
        - test/conformance/manifests/should-fail/background-userinfo-2.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-2.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request:
          only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule:
          invalid variable used at path: spec/rules[0]/match/clusterRoles
  - description: Policy with backgound enabled and referencing user infos should be rejected
    kubectl:
      args:
        - create
        - -f 
        - test/conformance/manifests/should-fail/background-userinfo-3.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-3.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule: variable "{{request.userInfo}} is not allowed 
  - description: Policy with backgound enabled and referencing user infos should be rejected
    kubectl:
      args:
        - create
        - -f 
        - test/conformance/manifests/should-fail/background-userinfo-4.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-4.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule: variable "{{serviceAccountName}} is not allowed 
  - description: Best practice policies should create fine
    kubectl:
      args:
        - create
        - -f 
        - test/best_practices
      expect:
        exitcode: 0
        stdout: |-
          clusterpolicy.kyverno.io/add-networkpolicy created
          clusterpolicy.kyverno.io/add-ns-quota created
          clusterpolicy.kyverno.io/add-safe-to-evict created
          clusterpolicy.kyverno.io/disallow-bind-mounts created
          clusterpolicy.kyverno.io/disallow-host-network-port created
          clusterpolicy.kyverno.io/disallow-host-pid-ipc created
          clusterpolicy.kyverno.io/disallow-latest-tag created
          clusterpolicy.kyverno.io/disallow-privileged created
          clusterpolicy.kyverno.io/disallow-sysctls created
          clusterpolicy.kyverno.io/require-certain-labels created
          clusterpolicy.kyverno.io/require-labels created
          clusterpolicy.kyverno.io/require-pod-requests-limits created
          clusterpolicy.kyverno.io/select-secrets created
  - description: Best practice policies should become ready
    kubectl:
      args:
        - wait
        - --for
        - condition=ready
        - cpol
        - --all
        - --timeout
        - 90s
      expect:
        exitcode: 0
        stdout: |-
          clusterpolicy.kyverno.io/add-networkpolicy condition met
          clusterpolicy.kyverno.io/add-ns-quota condition met
          clusterpolicy.kyverno.io/add-safe-to-evict condition met
          clusterpolicy.kyverno.io/disallow-bind-mounts condition met
          clusterpolicy.kyverno.io/disallow-host-network-port condition met
          clusterpolicy.kyverno.io/disallow-host-pid-ipc condition met
          clusterpolicy.kyverno.io/disallow-latest-tag condition met
          clusterpolicy.kyverno.io/disallow-privileged condition met
          clusterpolicy.kyverno.io/disallow-sysctls condition met
          clusterpolicy.kyverno.io/require-certain-labels condition met
          clusterpolicy.kyverno.io/require-labels condition met
          clusterpolicy.kyverno.io/require-pod-requests-limits condition met
          clusterpolicy.kyverno.io/select-secrets condition met
feat: add simple conformance tests (#5073) * feat: add simple conformance tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-10-20 14:17:33 +02:00			`should-fail:`
			`- description: Policy with backgound enabled and referencing user infos should be rejected`
			`kubectl:`
			`args:`
			`- create`
			`- -f`
			`- test/conformance/manifests/should-fail/background-userinfo-1.yaml`
			`expect:`
			`exitcode: 1`
			`stderr: >-`
			`Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-1.yaml":`
			`admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.`
			`Set spec.background=false to disable background mode for this policy rule: variable "{{request.roles}} is not allowed`
			`- description: Policy with backgound enabled and referencing user infos should be rejected`
			`kubectl:`
			`args:`
			`- create`
			`- -f`
			`- test/conformance/manifests/should-fail/background-userinfo-2.yaml`
			`expect:`
			`exitcode: 1`
			`stderr: >-`
			`Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-2.yaml":`
			`admission webhook "validate-policy.kyverno.svc" denied the request:`
			`only select variables are allowed in background mode.`
			`Set spec.background=false to disable background mode for this policy rule:`
			`invalid variable used at path: spec/rules[0]/match/clusterRoles`
			`- description: Policy with backgound enabled and referencing user infos should be rejected`
			`kubectl:`
			`args:`
			`- create`
			`- -f`
			`- test/conformance/manifests/should-fail/background-userinfo-3.yaml`
			`expect:`
			`exitcode: 1`
			`stderr: >-`
			`Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-3.yaml":`
			`admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.`
			`Set spec.background=false to disable background mode for this policy rule: variable "{{request.userInfo}} is not allowed`
			`- description: Policy with backgound enabled and referencing user infos should be rejected`
			`kubectl:`
			`args:`
			`- create`
			`- -f`
			`- test/conformance/manifests/should-fail/background-userinfo-4.yaml`
			`expect:`
			`exitcode: 1`
			`stderr: >-`
			`Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-4.yaml":`
			`admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.`
			`Set spec.background=false to disable background mode for this policy rule: variable "{{serviceAccountName}} is not allowed`
test: add best practices policies in conformance tests (#5082) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-10-20 18:05:11 +02:00			`- description: Best practice policies should create fine`
			`kubectl:`
			`args:`
			`- create`
			`- -f`
			`- test/best_practices`
			`expect:`
			`exitcode: 0`
			`stdout: \|-`
			`clusterpolicy.kyverno.io/add-networkpolicy created`
			`clusterpolicy.kyverno.io/add-ns-quota created`
			`clusterpolicy.kyverno.io/add-safe-to-evict created`
			`clusterpolicy.kyverno.io/disallow-bind-mounts created`
			`clusterpolicy.kyverno.io/disallow-host-network-port created`
			`clusterpolicy.kyverno.io/disallow-host-pid-ipc created`
			`clusterpolicy.kyverno.io/disallow-latest-tag created`
			`clusterpolicy.kyverno.io/disallow-privileged created`
			`clusterpolicy.kyverno.io/disallow-sysctls created`
			`clusterpolicy.kyverno.io/require-certain-labels created`
			`clusterpolicy.kyverno.io/require-labels created`
			`clusterpolicy.kyverno.io/require-pod-requests-limits created`
			`clusterpolicy.kyverno.io/select-secrets created`
			`- description: Best practice policies should become ready`
			`kubectl:`
			`args:`
			`- wait`
			`- --for`
			`- condition=ready`
			`- cpol`
			`- --all`
			`- --timeout`
			`- 90s`
			`expect:`
			`exitcode: 0`
			`stdout: \|-`
			`clusterpolicy.kyverno.io/add-networkpolicy condition met`
			`clusterpolicy.kyverno.io/add-ns-quota condition met`
			`clusterpolicy.kyverno.io/add-safe-to-evict condition met`
			`clusterpolicy.kyverno.io/disallow-bind-mounts condition met`
			`clusterpolicy.kyverno.io/disallow-host-network-port condition met`
			`clusterpolicy.kyverno.io/disallow-host-pid-ipc condition met`
			`clusterpolicy.kyverno.io/disallow-latest-tag condition met`
			`clusterpolicy.kyverno.io/disallow-privileged condition met`
			`clusterpolicy.kyverno.io/disallow-sysctls condition met`
			`clusterpolicy.kyverno.io/require-certain-labels condition met`
			`clusterpolicy.kyverno.io/require-labels condition met`
			`clusterpolicy.kyverno.io/require-pod-requests-limits condition met`
			`clusterpolicy.kyverno.io/select-secrets condition met`