package generate
import (
"github.com/kyverno/kyverno/test/e2e"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime/schema"
. "github.com/onsi/gomega"
)
// GroupVersionResource handles for the resource kinds used by the generate
// e2e tables. Each one is obtained from e2e.GetGVR(group, version, resource).
var (
	// clPolGVR - Kyverno ClusterPolicy (kyverno.io/v1).
	clPolGVR = e2e.GetGVR("kyverno.io", "v1", "clusterpolicies")

	// nsGVR - core/v1 Namespace.
	nsGVR = e2e.GetGVR("", "v1", "namespaces")

	// crGVR - RBAC ClusterRole.
	crGVR = e2e.GetGVR("rbac.authorization.k8s.io", "v1", "clusterroles")

	// crbGVR - RBAC ClusterRoleBinding.
	crbGVR = e2e.GetGVR("rbac.authorization.k8s.io", "v1", "clusterrolebindings")

	// rGVR - RBAC Role.
	rGVR = e2e.GetGVR("rbac.authorization.k8s.io", "v1", "roles")

	// rbGVR - RBAC RoleBinding.
	rbGVR = e2e.GetGVR("rbac.authorization.k8s.io", "v1", "rolebindings")

	// cmGVR - core/v1 ConfigMap.
	cmGVR = e2e.GetGVR("", "v1", "configmaps")

	// npGVR - networking.k8s.io/v1 NetworkPolicy.
	npGVR = e2e.GetGVR("networking.k8s.io", "v1", "networkpolicies")
)

// Namespace values kept next to the GVRs. Both are the empty string; their
// consumers are not part of this file section.
var (
	// clPolNS - namespace used with ClusterPolicy objects.
	clPolNS = ""

	// npPolNS - namespace used with NetworkPolicy objects.
	npPolNS = ""
)
// resource bundles what a test table needs to name a manifest: the
// GroupVersionResource it belongs to, the namespace it is placed in, and the
// raw manifest bytes.
type resource struct {
	// gvr is the API group/version/resource of the object.
	gvr schema.GroupVersionResource
	// ns is the namespace; clusteredResource stores "" here.
	ns string
	// raw holds the manifest bytes (the tables refer to these as yaml files).
	raw []byte
}
// clusteredResource builds a resource for a cluster-scoped object: the
// namespace is left empty and raw is stored as given (not copied).
func clusteredResource(gvr schema.GroupVersionResource, raw []byte) resource {
	return resource{
		gvr: gvr,
		ns:  "",
		raw: raw,
	}
}
// namespacedResource builds a resource for an object that lives in namespace
// ns; raw is stored as given (not copied).
func namespacedResource(gvr schema.GroupVersionResource, ns string, raw []byte) resource {
	return resource{
		gvr: gvr,
		ns:  ns,
		raw: raw,
	}
}
// existingResource identifies an object by GroupVersionResource, namespace
// and name. It carries no manifest.
type existingResource struct {
	// gvr is the API group/version/resource of the object.
	gvr schema.GroupVersionResource
	// ns and name locate the object; the tables in this file pass ns == ""
	// for ClusterRole and ClusterRoleBinding entries.
	ns, name string
}
// existing returns the existingResource that names the object with the given
// GroupVersionResource, namespace and name.
func existing(gvr schema.GroupVersionResource, ns string, name string) existingResource {
	return existingResource{
		gvr:  gvr,
		ns:   ns,
		name: name,
	}
}
// expectedResource is an existingResource plus optional validation callbacks.
type expectedResource struct {
	// existingResource names the object that is expected.
	existingResource
	// validate holds callbacks that receive the object as
	// *unstructured.Unstructured. When it is empty, this value describes only
	// the object's identity (gvr, ns, name).
	// NOTE(review): how the runner invokes these is not visible here.
	validate []func(*unstructured.Unstructured)
}
// expected builds an expectedResource for the object named by gvr, ns and
// name. Any validate callbacks are stored unchanged; calling it without them
// leaves the validate field nil.
func expected(gvr schema.GroupVersionResource, ns string, name string, validate ...func(*unstructured.Unstructured)) expectedResource {
	target := existingResource{gvr: gvr, ns: ns, name: name}
	return expectedResource{
		existingResource: target,
		validate:         validate,
	}
}
// RoleTests is the E2E test config for generating a Role and RoleBinding.
//
// TODO (carried over): Clone for Role and RoleBinding.
// NOTE(review): a with-clone case is already listed below; confirm whether
// this TODO is still open.
//
// NOTE(review): every expected(...) call in this table is made without
// validate callbacks, so the table pins only the GVR, namespace and name of
// the generated RBAC objects, not their rules or subjects.
var RoleTests = []struct {
	// TestName - name of the test case
	TestName string
	// ClusterPolicy - manifest of the ClusterPolicy under test
	ClusterPolicy resource
	// SourceResources - manifests of the source resources
	SourceResources []resource
	// TriggerResource - manifest of the trigger resource
	TriggerResource resource
	// ExpectedResources - resources expected for the test to pass
	ExpectedResources []expectedResource
}{
	{
		// NOTE(review): this case uses the same WithSync policy fixture and
		// the same expectations as the "withsync" case that follows; confirm
		// whether a different fixture was intended.
		TestName:        "test-role-rolebinding-without-clone",
		ClusterPolicy:   clusteredResource(clPolGVR, roleRoleBindingYamlWithSync),
		TriggerResource: clusteredResource(nsGVR, namespaceYaml),
		ExpectedResources: []expectedResource{
			expected(rGVR, "test", "ns-role"),
			expected(rbGVR, "test", "ns-role-binding"),
		},
	},
	{
		TestName:        "test-role-rolebinding-withsync-without-clone",
		ClusterPolicy:   clusteredResource(clPolGVR, roleRoleBindingYamlWithSync),
		TriggerResource: clusteredResource(nsGVR, namespaceYaml),
		ExpectedResources: []expectedResource{
			expected(rGVR, "test", "ns-role"),
			expected(rbGVR, "test", "ns-role-binding"),
		},
	},
	{
		// Clone case: the source Role and RoleBinding are placed in
		// "default"; the expected objects are in "test".
		TestName:      "test-role-rolebinding-with-clone",
		ClusterPolicy: clusteredResource(clPolGVR, roleRoleBindingYamlWithClone),
		SourceResources: []resource{
			namespacedResource(rGVR, "default", sourceRoleYaml),
			namespacedResource(rbGVR, "default", sourceRoleBindingYaml),
		},
		TriggerResource: clusteredResource(nsGVR, namespaceYaml),
		ExpectedResources: []expectedResource{
			expected(rGVR, "test", "ns-role"),
			expected(rbGVR, "test", "ns-role-binding"),
		},
	},
}
// ClusterRoleTests - E2E test config for generating a ClusterRole and
// ClusterRoleBinding.
//
// NOTE(review): every expected(...) call in this table is made without
// validate callbacks, so the table pins only the GVR and name of the
// cluster-wide RBAC objects, not the permissions or subjects they carry.
var ClusterRoleTests = []struct {
	// TestName - name of the test case
	TestName string
	// ClusterPolicy - manifest of the ClusterPolicy under test
	ClusterPolicy resource
	// SourceResources - manifests of the source resources
	SourceResources []resource
	// TriggerResource - manifest of the trigger resource
	TriggerResource resource
	// ExpectedResources - resources expected for the test to pass
	ExpectedResources []expectedResource
}{
	{
		// NOTE(review): this case uses the same WithSync policy fixture and
		// the same expectations as the "with-sync" case that follows; confirm
		// whether a different fixture was intended.
		TestName:        "test-clusterrole-clusterrolebinding-without-clone",
		ClusterPolicy:   clusteredResource(clPolGVR, genClusterRoleYamlWithSync),
		TriggerResource: clusteredResource(nsGVR, namespaceYaml),
		ExpectedResources: []expectedResource{
			expected(crGVR, "", "ns-cluster-role"),
			expected(crbGVR, "", "ns-cluster-role-binding"),
		},
	},
	{
		TestName:        "test-clusterrole-clusterrolebinding-with-sync-without-clone",
		ClusterPolicy:   clusteredResource(clPolGVR, genClusterRoleYamlWithSync),
		TriggerResource: clusteredResource(nsGVR, namespaceYaml),
		ExpectedResources: []expectedResource{
			expected(crGVR, "", "ns-cluster-role"),
			expected(crbGVR, "", "ns-cluster-role-binding"),
		},
	},
	{
		// Clone case: the base ClusterRole and ClusterRoleBinding are the
		// sources; the expected objects carry the "cloned-" names.
		TestName:      "test-clusterrole-clusterrolebinding-with-sync-with-clone",
		ClusterPolicy: clusteredResource(clPolGVR, clusterRoleRoleBindingYamlWithClone),
		SourceResources: []resource{
			clusteredResource(crGVR, baseClusterRoleData),
			clusteredResource(crbGVR, baseClusterRoleBindingData),
		},
		TriggerResource: clusteredResource(nsGVR, namespaceYaml),
		ExpectedResources: []expectedResource{
			expected(crGVR, "", "cloned-cluster-role"),
			expected(crbGVR, "", "cloned-cluster-role-binding"),
		},
	},
}
// NetworkPolicyGenerateTests - E2E test config for generating a
// NetworkPolicy when a labelled namespace is the trigger.
//
// NOTE(review): expected(...) is called without validate callbacks, so the
// table pins only that a NetworkPolicy named "allow-dns" is expected in
// "test", not which traffic it allows.
var NetworkPolicyGenerateTests = []struct {
	// TestName - name of the test case
	TestName string
	// ClusterPolicy - manifest of the ClusterPolicy under test
	ClusterPolicy resource
	// SourceResources - manifests of the source resources
	SourceResources []resource
	// TriggerResource - manifest of the trigger resource
	TriggerResource resource
	// ExpectedResources - resources expected for the test to pass
	ExpectedResources []expectedResource
}{
	{
		TestName:        "test-generate-policy-for-namespace-with-label",
		ClusterPolicy:   clusteredResource(clPolGVR, genNetworkPolicyYaml),
		TriggerResource: clusteredResource(nsGVR, namespaceWithLabelYaml),
		ExpectedResources: []expectedResource{
			expected(npGVR, "test", "allow-dns"),
		},
	},
}
// GenerateNetworkPolicyOnNamespaceWithoutLabelTests - E2E test config for the
// NetworkPolicy generate test on a namespace without a label (per the
// variable name). Its single case sets Data and UpdateData to two policy
// manifests and leaves the Clone* fields at their zero values.
var GenerateNetworkPolicyOnNamespaceWithoutLabelTests = []struct {
	// TestName - name of the test case
	TestName string
	// NetworkPolicyName - name of the NetworkPolicy to be created
	NetworkPolicyName string
	// GeneratePolicyName - name of the policy to be created/updated
	GeneratePolicyName string
	// ResourceNamespace - namespace for which resources are created
	ResourceNamespace string
	// Clone - clone setting for the case
	Clone bool
	// ClonerClusterRoleName - name for the cloner ClusterRole
	ClonerClusterRoleName string
	// ClonerClusterRoleBindingName - name for the cloner ClusterRoleBinding
	ClonerClusterRoleBindingName string
	// CloneSourceClusterRoleData - source ClusterRole from which the
	// ClusterRole is cloned (raw bytes)
	CloneSourceClusterRoleData []byte
	// CloneSourceClusterRoleBindingData - source ClusterRoleBinding from
	// which the ClusterRoleBinding is cloned (raw bytes)
	CloneSourceClusterRoleBindingData []byte
	// CloneNamespace - namespace where roles are cloned
	CloneNamespace string
	// Sync - synchronize setting for the case
	Sync bool
	// Data - manifest of the ClusterPolicy ([]byte)
	Data []byte
	// UpdateData - second ClusterPolicy manifest ([]byte).
	// NOTE(review): presumably applied as an update of Data; confirm against
	// the runner.
	UpdateData []byte
}{
	{
		TestName:           "test-generate-policy-for-namespace-label-actions",
		NetworkPolicyName:  "allow-dns",
		GeneratePolicyName: "add-networkpolicy",
		ResourceNamespace:  "test",
		Clone:              false,
		Sync:               true,
		Data:               genNetworkPolicyYaml,
		UpdateData:         updatGenNetworkPolicyYaml,
	},
}
// GenerateSynchronizeFlagTests - E2E test config for the synchronize-flag
// generate test (per the variable name). Its single case pairs the
// NetworkPolicy generate policy manifest with a second manifest named
// updateSynchronizeInGeneratePolicyYaml and leaves the Clone* fields at their
// zero values.
var GenerateSynchronizeFlagTests = []struct {
	// TestName - name of the test case
	TestName string
	// NetworkPolicyName - name of the NetworkPolicy to be created
	NetworkPolicyName string
	// GeneratePolicyName - name of the policy to be created/updated
	GeneratePolicyName string
	// ResourceNamespace - namespace for which resources are created
	ResourceNamespace string
	// Clone - clone setting for the case
	Clone bool
	// ClonerClusterRoleName - name for the cloner ClusterRole
	ClonerClusterRoleName string
	// ClonerClusterRoleBindingName - name for the cloner ClusterRoleBinding
	ClonerClusterRoleBindingName string
	// CloneSourceClusterRoleData - source ClusterRole from which the
	// ClusterRole is cloned (raw bytes)
	CloneSourceClusterRoleData []byte
	// CloneSourceClusterRoleBindingData - source ClusterRoleBinding from
	// which the ClusterRoleBinding is cloned (raw bytes)
	CloneSourceClusterRoleBindingData []byte
	// CloneNamespace - namespace where roles are cloned
	CloneNamespace string
	// Sync - synchronize setting for the case
	Sync bool
	// Data - manifest of the ClusterPolicy ([]byte)
	Data []byte
	// UpdateData - second ClusterPolicy manifest ([]byte).
	// NOTE(review): presumably applied as an update of Data; confirm against
	// the runner.
	UpdateData []byte
}{
	{
		// NOTE(review): this TestName is also used by the single case in
		// NetworkPolicyGenerateTests; confirm the duplicate is intended.
		TestName:           "test-generate-policy-for-namespace-with-label",
		NetworkPolicyName:  "allow-dns",
		GeneratePolicyName: "add-networkpolicy",
		ResourceNamespace:  "test",
		Clone:              false,
		Sync:               true,
		Data:               genNetworkPolicyYaml,
		UpdateData:         updateSynchronizeInGeneratePolicyYaml,
	},
}
// SourceResourceUpdateReplicationTests - E2E test config for the clone
// source update replication test (per the variable and case names). Its
// single case clones a ConfigMap named "game-demo" with Clone and Sync both
// set to true.
var SourceResourceUpdateReplicationTests = []struct {
	// TestName - name of the test case
	TestName string
	// ResourceNamespace - namespace value for the case ("test" below)
	ResourceNamespace string
	// Clone - clone setting for the case
	Clone bool
	// CloneNamespace - namespace where roles are cloned (wording kept from
	// the original comment; the case below clones a ConfigMap)
	CloneNamespace string
	// Sync - synchronize setting for the case
	Sync bool
	// Data - manifest of the ClusterPolicy ([]byte)
	Data []byte
	// ConfigMapName - name of the ConfigMap
	ConfigMapName string
	// CloneSourceConfigMapData - manifest of the source ConfigMap
	CloneSourceConfigMapData []byte
	// PolicyName - name of the policy
	PolicyName string
}{
	{
		TestName:                 "test-clone-source-resource-update-replication",
		ResourceNamespace:        "test",
		Clone:                    true,
		CloneNamespace:           "default",
		Sync:                     true,
		Data:                     genCloneConfigMapPolicyYaml,
		ConfigMapName:            "game-demo",
		CloneSourceConfigMapData: cloneSourceResource,
		PolicyName:               "generate-policy",
	},
}
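// GeneratePolicyDeletionforCloneTests - E2E test config for deleting a
// generate policy that clones a ConfigMap. The single case lists Steps that
// run after the clone is expected in "test": the policy is deleted, then the
// source is updated, then the source is deleted. After each step the cloned
// ConfigMap is still expected, with its original "initial_lives" value.
//
// NOTE(review): the Steps pin that a cloned object outlives both its policy
// and its source. Here that object is a ConfigMap; no step in this file
// covers the same lifecycle for the generated RBAC or NetworkPolicy objects.
var GeneratePolicyDeletionforCloneTests = []struct {
	// TestName - name of the test case
	TestName string
	// ClusterPolicy - manifest of the ClusterPolicy under test
	ClusterPolicy resource
	// SourceResources - manifests of the source resources
	SourceResources []resource
	// TriggerResource - manifest of the trigger resource
	TriggerResource resource
	// ExpectedResources - resources expected for the test to pass
	ExpectedResources []expectedResource
	// Steps - follow-up actions and expectations, listed in order
	Steps []testCaseStep
}{
	{
		// NOTE(review): this TestName is also used by the case in
		// SourceResourceUpdateReplicationTests; confirm the duplicate is
		// intended.
		TestName:      "test-clone-source-resource-update-replication",
		ClusterPolicy: clusteredResource(clPolGVR, genCloneConfigMapPolicyYaml),
		SourceResources: []resource{
			namespacedResource(cmGVR, "default", cloneSourceResource),
		},
		TriggerResource: clusteredResource(nsGVR, namespaceYaml),
		ExpectedResources: []expectedResource{
			expected(cmGVR, "test", "game-demo"),
		},
		Steps: []testCaseStep{
			// delete policy -> generated resource still exists
			stepDeleteResource(clPolGVR, "", "generate-policy"),
			stepExpectResource(cmGVR, "test", "game-demo"),
			// update source -> generated resource not updated
			stepUpateResource(cmGVR, "default", "game-demo", func(obj *unstructured.Unstructured) error {
				data, found, err := unstructured.NestedMap(obj.UnstructuredContent(), "data")
				if err != nil {
					return err
				}
				// NestedMap reports a missing "data" field as (nil, false,
				// nil). Writing into that nil map would panic, so start
				// from an empty map instead.
				if !found || data == nil {
					data = map[string]interface{}{}
				}
				data["initial_lives"] = "5"
				return unstructured.SetNestedMap(obj.UnstructuredContent(), data, "data")
			}),
			// The clone must still hold "2" although the source was just
			// set to "5".
			stepExpectResource(cmGVR, "test", "game-demo", func(obj *unstructured.Unstructured) {
				data, _, err := unstructured.NestedMap(obj.UnstructuredContent(), "data")
				Expect(err).NotTo(HaveOccurred())
				Expect(data["initial_lives"]).To(Equal("2"))
			}),
			// deleted source -> generated resource not deleted
			stepDeleteResource(cmGVR, "default", "game-demo"),
			stepExpectResource(cmGVR, "test", "game-demo"),
		},
	},
}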