kyverno/pkg/testrunner/testrunner_test.go

package testrunner

import "testing"

func Test_Mutate_EndPoint(t *testing.T) {
	testScenario(t, "/test/scenarios/other/scenario_mutate_endpoint.yaml")
}

// func Test_Mutate_Validate_qos(t *testing.T) {
// 	testScenario(t, "/test/scenarios/other/scenario_mutate_validate_qos.yaml")
// }

func Test_disallow_root_user(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/disallow_root_user.yaml")
}

func Test_disallow_priviledged(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/disallow_priviledged.yaml")
}

func Test_validate_healthChecks(t *testing.T) {
	testScenario(t, "/test/scenarios/other/scenario_validate_healthChecks.yaml")
}

//TODO: add generate
// func Test_add_networkPolicy(t *testing.T) {
// 	testScenario(t, "/test/scenarios/samples/best_practices/add_networkPolicy.yaml")
// }

// namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver

func Test_validate_disallow_latest_tag(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag.yaml")
}

func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml")
}

func Test_validate_disallow_default_namespace(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/disallow_default_namespace.yaml")
}

func Test_validate_host_network_port(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/disallow_host_network_port.yaml")
}

func Test_validate_host_PID_IPC(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml")
}

func Test_validate_ro_rootfs(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/require_ro_rootfs.yaml")
}

//TODO: support generate
// func Test_add_ns_quota(t *testing.T) {
// 	testScenario(t, "test/scenarios/samples/best_practices/add_ns_quota.yaml")
// }

func Test_validate_disallow_default_serviceaccount(t *testing.T) {
	testScenario(t, "test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml")
}

func Test_validate_selinux_context(t *testing.T) {
	testScenario(t, "test/scenarios/other/scenario_validate_selinux_context.yaml")
}

func Test_validate_proc_mount(t *testing.T) {
	testScenario(t, "test/scenarios/other/scenario_validate_default_proc_mount.yaml")
}

func Test_validate_volume_whitelist(t *testing.T) {
	testScenario(t, "test/scenarios/other/scenario_validate_volume_whiltelist.yaml")
}

func Test_require_pod_requests_limits(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/require_pod_requests_limits.yaml")
}

func Test_require_probes(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/require_probes.yaml")
}

func Test_validate_disallow_bind_mounts_fail(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml")
}

func Test_validate_disallow_bind_mounts_pass(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml")
}

func Test_validate_disallow_new_capabilities(t *testing.T) {
	testScenario(t, "/test/scenarios/samples/best_practices/disallow_new_capabilities.yaml")
}

func Test_disallow_sysctls(t *testing.T) {
	testScenario(t, "/test/scenarios/samples/best_practices/disallow_sysctls.yaml")
}

func Test_disallow_docker_sock_mount(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/disallow_docker_sock_mount.yaml")
}

func Test_validate_disallow_helm_tiller(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml")
}

func Test_add_safe_to_evict(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict.yaml")
}

func Test_add_safe_to_evict_annotation2(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict2.yaml")
}

func Test_add_safe_to_evict_annotation3(t *testing.T) {
	testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict3.yaml")
}

func Test_validate_restrict_automount_sa_token_pass(t *testing.T) {
	testScenario(t, "test/scenarios/samples/more/restrict_automount_sa_token.yaml")
}

func Test_restrict_node_port(t *testing.T) {
	testScenario(t, "test/scenarios/samples/more/restrict_node_port.yaml")
}

func Test_validate_restrict_image_registries(t *testing.T) {
	testScenario(t, "test/scenarios/samples/more/restrict_image_registries.yaml")
}

func Test_known_ingress(t *testing.T) {
	testScenario(t, "test/scenarios/samples/more/restrict_ingress_classes.yaml")
}

func Test_unknown_ingress(t *testing.T) {
	testScenario(t, "test/scenarios/samples/more/unknown_ingress_class.yaml")
}
rework the framework 2019-06-17 18:11:22 -07:00			`package testrunner`

			`import "testing"`

add success tests for validation & mutation 2019-08-29 18:48:58 -07:00			`func Test_Mutate_EndPoint(t *testing.T) {`
clean up 2019-10-14 14:10:34 -07:00			`testScenario(t, "/test/scenarios/other/scenario_mutate_endpoint.yaml")`
add success tests for validation & mutation 2019-08-29 18:48:58 -07:00			`}`

538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs 2020-01-07 10:33:28 -08:00			`// func Test_Mutate_Validate_qos(t *testing.T) {`
			`// testScenario(t, "/test/scenarios/other/scenario_mutate_validate_qos.yaml")`
			`// }`
add validate helper functions 2019-08-29 11:44:50 -07:00
update disallow_root_user 2019-11-08 19:25:43 -08:00			`func Test_disallow_root_user(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/best_practices/disallow_root_user.yaml")`
add disallow_priviledgedprivelegesecalation test runner 2019-09-09 10:56:19 -07:00			`}`

update disallow_priviledged 2019-11-08 20:04:42 -08:00			`func Test_disallow_priviledged(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/best_practices/disallow_priviledged.yaml")`
update testrunner for examples/best_practices/policy_validate_container_security_context.yaml 2019-09-06 18:54:19 -07:00			`}`

add success tests for validation & mutation 2019-08-29 18:48:58 -07:00			`func Test_validate_healthChecks(t *testing.T) {`
clean up 2019-10-14 14:10:34 -07:00			`testScenario(t, "/test/scenarios/other/scenario_validate_healthChecks.yaml")`
add success tests for validation & mutation 2019-08-29 18:48:58 -07:00			`}`

538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs 2020-01-07 10:33:28 -08:00			`//TODO: add generate`
			`// func Test_add_networkPolicy(t *testing.T) {`
			`// testScenario(t, "/test/scenarios/samples/best_practices/add_networkPolicy.yaml")`
			`// }`
add policies 2019-09-06 10:03:24 -07:00
			`// namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver`

update disallow_latest_tag 2019-11-10 17:54:38 -08:00			`func Test_validate_disallow_latest_tag(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag.yaml")`
add policies 2019-09-06 10:03:24 -07:00			`}`

add require_image_tag_not_latest.yaml 2019-10-09 18:35:07 -07:00			`func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {`
update disallow_latest_tag 2019-11-10 17:54:38 -08:00			`testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml")`
add policies 2019-09-06 10:03:24 -07:00			`}`

disallow use of default namespace 2019-10-10 10:34:49 -07:00			`func Test_validate_disallow_default_namespace(t *testing.T) {`
update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc 2019-11-10 15:50:18 -08:00			`testScenario(t, "test/scenarios/samples/best_practices/disallow_default_namespace.yaml")`
add validate_namespace test runner 2019-09-09 14:33:55 -07:00			`}`
add validate_hostpath testrunner 2019-09-09 15:06:54 -07:00
update testrunner, unit test for validate_host_network_port 2019-09-09 16:08:15 -07:00			`func Test_validate_host_network_port(t *testing.T) {`
update disallow_docker_sock_mount and disallow_host_network_port 2019-11-10 12:53:48 -08:00			`testScenario(t, "test/scenarios/samples/best_practices/disallow_host_network_port.yaml")`
update testrunner, unit test for validate_host_network_port 2019-09-09 16:08:15 -07:00			`}`
add policy_validate_hostPID_hosIPC.yaml 2019-09-09 17:34:25 -07:00
update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc 2019-11-10 15:50:18 -08:00			`func Test_validate_host_PID_IPC(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml")`
add policy_validate_hostPID_hosIPC.yaml 2019-09-09 17:34:25 -07:00			`}`
add policy_validate_not_readonly_rootfilesystem.yaml 2019-09-09 18:13:38 -07:00
update RequireReadOnlyRootFS 2019-11-09 16:18:33 -08:00			`func Test_validate_ro_rootfs(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/best_practices/require_ro_rootfs.yaml")`
add policy_validate_not_readonly_rootfilesystem.yaml 2019-09-09 18:13:38 -07:00			`}`
add resource_quota testrunner 2019-09-09 23:55:14 -07:00
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs 2020-01-07 10:33:28 -08:00			`//TODO: support generate`
			`// func Test_add_ns_quota(t *testing.T) {`
			`// testScenario(t, "test/scenarios/samples/best_practices/add_ns_quota.yaml")`
			`// }`
add policy_validate_disallow_node_port.yaml 2019-09-10 11:57:33 -07:00
add best-practice: policy_validate_disallow_default_serviceaccount 2019-09-16 14:16:54 -07:00			`func Test_validate_disallow_default_serviceaccount(t *testing.T) {`
clean up 2019-10-14 14:10:34 -07:00			`testScenario(t, "test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml")`
add best-practice: policy_validate_disallow_default_serviceaccount 2019-09-16 14:16:54 -07:00			`}`
add security context "fsgroup" 2019-10-04 16:50:23 -07:00
add selinux best practice 2019-10-04 17:28:42 -07:00			`func Test_validate_selinux_context(t *testing.T) {`
clean up 2019-10-14 14:10:34 -07:00			`testScenario(t, "test/scenarios/other/scenario_validate_selinux_context.yaml")`
add selinux best practice 2019-10-04 17:28:42 -07:00			`}`
best-practice: validate default proc mount 2019-10-04 17:48:57 -07:00
			`func Test_validate_proc_mount(t *testing.T) {`
clean up 2019-10-14 14:10:34 -07:00			`testScenario(t, "test/scenarios/other/scenario_validate_default_proc_mount.yaml")`
best-practice: validate default proc mount 2019-10-04 17:48:57 -07:00			`}`
best practice: validate container capability 2019-10-04 18:15:39 -07:00
best practice: volume white list 2019-10-07 12:46:34 -07:00			`func Test_validate_volume_whitelist(t *testing.T) {`
clean up 2019-10-14 14:10:34 -07:00			`testScenario(t, "test/scenarios/other/scenario_validate_volume_whiltelist.yaml")`
best practice: volume white list 2019-10-07 12:46:34 -07:00			`}`
using anyPattern for allowed image registries 2019-10-07 14:34:32 -07:00
add check-pod-request-limit.yaml 2019-10-09 17:37:31 -07:00			`func Test_require_pod_requests_limits(t *testing.T) {`
update require_pod_requests_limits 2019-11-10 21:06:49 -08:00			`testScenario(t, "test/scenarios/samples/best_practices/require_pod_requests_limits.yaml")`
add check-pod-request-limit.yaml 2019-10-09 17:37:31 -07:00			`}`
add require_probes.yaml 2019-10-09 17:49:00 -07:00
			`func Test_require_probes(t *testing.T) {`
update require_probes 2019-11-10 21:18:17 -08:00			`testScenario(t, "test/scenarios/samples/best_practices/require_probes.yaml")`
add require_probes.yaml 2019-10-09 17:49:00 -07:00			`}`
add 'deny-use-of-host-fs' 2019-10-10 18:42:54 -07:00
update DisallowBindMounts 2019-11-09 16:33:19 -08:00			`func Test_validate_disallow_bind_mounts_fail(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml")`
add 'deny-use-of-host-fs' 2019-10-10 18:42:54 -07:00			`}`

update DisallowBindMounts 2019-11-09 16:33:19 -08:00			`func Test_validate_disallow_bind_mounts_pass(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml")`
add 'deny-use-of-host-fs' 2019-10-10 18:42:54 -07:00			`}`
update disallow new capabilities 2019-11-09 16:07:16 -08:00
add test case (currently fails) 2019-11-01 11:40:23 -07:00			`func Test_validate_disallow_new_capabilities(t *testing.T) {`
update disallow new capabilities 2019-11-09 16:07:16 -08:00			`testScenario(t, "/test/scenarios/samples/best_practices/disallow_new_capabilities.yaml")`
add test case (currently fails) 2019-11-01 11:40:23 -07:00			`}`
add policy and test case 2019-11-01 13:31:08 -07:00
fix tests 2019-11-11 18:51:21 -08:00			`func Test_disallow_sysctls(t *testing.T) {`
			`testScenario(t, "/test/scenarios/samples/best_practices/disallow_sysctls.yaml")`
add disallow_sysctl and move policies 2019-11-11 17:17:09 -08:00			`}`

fix tests 2019-11-11 18:51:21 -08:00			`func Test_disallow_docker_sock_mount(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/best_practices/disallow_docker_sock_mount.yaml")`
add policy and test case 2019-11-01 13:31:08 -07:00			`}`
add disallow Helm tiller 2019-11-03 18:19:06 -08:00
add missing scenario test 2019-11-05 10:19:42 -08:00			`func Test_validate_disallow_helm_tiller(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml")`
			`}`

rename add_safe_to_evict 2019-11-08 19:02:49 -08:00			`func Test_add_safe_to_evict(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict.yaml")`
add disallow Helm tiller 2019-11-03 18:19:06 -08:00			`}`
add tect case 2019-11-05 15:32:45 -08:00
			`func Test_add_safe_to_evict_annotation2(t *testing.T) {`
rename add_safe_to_evict 2019-11-08 19:02:49 -08:00			`testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict2.yaml")`
add tect case 2019-11-05 15:32:45 -08:00			`}`
- add policy and test for known ingress - fix messages and remove unnecessary comments in testrunner/scenario.go 2019-11-05 19:07:44 -08:00
mutate rule: do not ignore empty key in resource if overlay has nested anchor 2019-11-27 16:07:15 -08:00			`func Test_add_safe_to_evict_annotation3(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict3.yaml")`
			`}`

update policies and test cases 2019-11-11 17:55:54 -08:00			`func Test_validate_restrict_automount_sa_token_pass(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/more/restrict_automount_sa_token.yaml")`
			`}`

			`func Test_restrict_node_port(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/more/restrict_node_port.yaml")`
			`}`

			`func Test_validate_restrict_image_registries(t *testing.T) {`
			`testScenario(t, "test/scenarios/samples/more/restrict_image_registries.yaml")`
			`}`

- add policy and test for known ingress - fix messages and remove unnecessary comments in testrunner/scenario.go 2019-11-05 19:07:44 -08:00			`func Test_known_ingress(t *testing.T) {`
update policies and test cases 2019-11-11 17:55:54 -08:00			`testScenario(t, "test/scenarios/samples/more/restrict_ingress_classes.yaml")`
- add policy and test for known ingress - fix messages and remove unnecessary comments in testrunner/scenario.go 2019-11-05 19:07:44 -08:00			`}`

			`func Test_unknown_ingress(t *testing.T) {`
update policies and test cases 2019-11-11 17:55:54 -08:00			`testScenario(t, "test/scenarios/samples/more/unknown_ingress_class.yaml")`
- add policy and test for known ingress - fix messages and remove unnecessary comments in testrunner/scenario.go 2019-11-05 19:07:44 -08:00			`}`