package engine
import (
"encoding/json"
"testing"
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
"gotest.tools/assert"
)
// TestValidateString_AsteriskTest pins that a bare "*" pattern, evaluated with
// the Equal operator, accepts any value — including the empty string.
func TestValidateString_AsteriskTest(t *testing.T) {
	const wildcard = "*"

	for _, candidate := range []string{"anything", ""} {
		assert.Assert(t, validateString(candidate, wildcard, Equal),
			"value %q should match wildcard pattern %q", candidate, wildcard)
	}
}
// TestValidateString_LeftAsteriskTest pins suffix matching: a leading "*"
// absorbs any prefix (including none), while a value whose tail differs from
// the literal part of the pattern is rejected.
func TestValidateString_LeftAsteriskTest(t *testing.T) {
	const suffixPattern = "*right"

	accepted := []string{"leftright", "right"}
	rejected := []string{"leftmiddle", "middle"}

	for _, candidate := range accepted {
		assert.Assert(t, validateString(candidate, suffixPattern, Equal),
			"value %q should match %q", candidate, suffixPattern)
	}
	for _, candidate := range rejected {
		assert.Assert(t, !validateString(candidate, suffixPattern, Equal),
			"value %q should not match %q", candidate, suffixPattern)
	}
}
// TestValidateString_MiddleAsteriskTest pins that an interior "*" matches an
// arbitrary run of characters between two literal anchors, and that the
// trailing literal still has to line up.
func TestValidateString_MiddleAsteriskTest(t *testing.T) {
	const infixPattern = "ab*ba"

	// "abbeba": "ab" + "be" + "ba" — the wildcard absorbs "be".
	assert.Assert(t, validateString("abbeba", infixPattern, Equal))

	// "abbca": ends in "ca", so the trailing literal "ba" is not satisfied.
	assert.Assert(t, !validateString("abbca", infixPattern, Equal))
}
// TestValidateString_QuestionMark pins that "?" stands for exactly one
// character: one extra character between the literals is accepted, two are not.
func TestValidateString_QuestionMark(t *testing.T) {
	const singleCharPattern = "ab?ba"

	cases := []struct {
		value string
		match bool
	}{
		{value: "abbba", match: true},   // one character fills the "?"
		{value: "abbbba", match: false}, // two characters: "?" does not stretch
	}

	for _, tc := range cases {
		got := validateString(tc.value, singleCharPattern, Equal)
		assert.Equal(t, got, tc.match, "validateString(%q, %q)", tc.value, singleCharPattern)
	}
}
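// TestSkipArrayObject_OneAnchor pins that an array element whose "name" matches
// the single "(name)" anchor is NOT skipped.
//
// Fixture decoding is asserted rather than ignored: if either JSON literal were
// malformed, both maps would stay nil and skipArrayObject(nil, nil) could pass
// vacuously, hiding a regression in anchor handling.
func TestSkipArrayObject_OneAnchor(t *testing.T) {
	rawAnchors := []byte(`{
		"(name)": "nirmata-*"
	}`)
	rawResource := []byte(`{
		"name": "nirmata-resource",
		"namespace": "kyverno",
		"object": {
			"label": "app",
			"array": [1, 2, 3]
		}
	}`)

	var resource, anchor map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawAnchors, &anchor))
	assert.NilError(t, json.Unmarshal(rawResource, &resource))

	assert.Assert(t, !skipArrayObject(resource, anchor), "element matching the anchor must not be skipped")
}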
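// TestSkipArrayObject_OneNumberAnchorPass pins that a numeric anchor
// ("(count)": 1) matches a resource whose "count" decodes to the same number,
// so the element is not skipped. Note both sides decode via encoding/json, so
// the comparison is float64 against float64.
//
// Unmarshal errors are asserted so a broken fixture cannot turn this into a
// vacuous nil-vs-nil check.
func TestSkipArrayObject_OneNumberAnchorPass(t *testing.T) {
	rawAnchors := []byte(`{
		"(count)": 1
	}`)
	rawResource := []byte(`{
		"name": "nirmata-resource",
		"count": 1,
		"namespace": "kyverno",
		"object": {
			"label": "app",
			"array": [1, 2, 3]
		}
	}`)

	var resource, anchor map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawAnchors, &anchor))
	assert.NilError(t, json.Unmarshal(rawResource, &resource))

	assert.Assert(t, !skipArrayObject(resource, anchor), "element matching the numeric anchor must not be skipped")
}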
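// TestSkipArrayObject_TwoAnchorsPass pins that when every anchor matches
// ("nirmata-*" against "nirmata-resource", "kyv?rno" against "kyverno") the
// element is retained for validation.
//
// Unmarshal errors are asserted so a broken fixture cannot turn this into a
// vacuous nil-vs-nil check.
func TestSkipArrayObject_TwoAnchorsPass(t *testing.T) {
	rawAnchors := []byte(`{
		"(name)": "nirmata-*",
		"(namespace)": "kyv?rno"
	}`)
	rawResource := []byte(`{
		"name": "nirmata-resource",
		"namespace": "kyverno",
		"object": {
			"label": "app",
			"array": [1, 2, 3]
		}
	}`)

	var resource, anchor map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawAnchors, &anchor))
	assert.NilError(t, json.Unmarshal(rawResource, &resource))

	assert.Assert(t, !skipArrayObject(resource, anchor), "element matching both anchors must not be skipped")
}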
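// TestSkipArrayObject_TwoAnchorsSkip pins that one failing anchor is enough to
// skip the element: "(name)" matches, but "(namespace)": "some-?olicy" does not
// match "kyverno".
//
// Unmarshal errors are asserted; with nil maps the skip result would be
// meaningless and this test could pass for the wrong reason.
func TestSkipArrayObject_TwoAnchorsSkip(t *testing.T) {
	rawAnchors := []byte(`{
		"(name)": "nirmata-*",
		"(namespace)": "some-?olicy"
	}`)
	rawResource := []byte(`{
		"name": "nirmata-resource",
		"namespace": "kyverno",
		"object": {
			"label": "app",
			"array": [1, 2, 3]
		}
	}`)

	var resource, anchor map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawAnchors, &anchor))
	assert.NilError(t, json.Unmarshal(rawResource, &resource))

	assert.Assert(t, skipArrayObject(resource, anchor), "element failing the namespace anchor must be skipped")
}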
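// TestGetAnchorsFromMap_ThereAreAnchors pins that getAnchorsFromMap collects
// only the top-level "(key)" entries with their original values, and does not
// descend into nested maps (the nested "(key2)" is not reported).
//
// The fixture decode is asserted so a malformed literal cannot silently yield
// an empty map and fail with a confusing length mismatch.
func TestGetAnchorsFromMap_ThereAreAnchors(t *testing.T) {
	rawMap := []byte(`{
		"(name)": "nirmata-*",
		"notAnchor1": 123,
		"(namespace)": "kube-?olicy",
		"notAnchor2": "sample-text",
		"object": {
			"key1": "value1",
			"(key2)": "value2"
		}
	}`)

	var unmarshalled map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawMap, &unmarshalled))

	actualMap := getAnchorsFromMap(unmarshalled)

	assert.Equal(t, len(actualMap), 2)
	assert.Equal(t, actualMap["(name)"], "nirmata-*")
	assert.Equal(t, actualMap["(namespace)"], "kube-?olicy")
}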
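// TestGetAnchorsFromMap_ThereAreNoAnchors pins that a map with no top-level
// "(key)" entries yields an empty anchor set, even though a nested map
// contains one ("(key2)").
//
// The fixture decode is asserted: an unmarshal failure would also produce an
// empty result and make this test pass for the wrong reason.
func TestGetAnchorsFromMap_ThereAreNoAnchors(t *testing.T) {
	rawMap := []byte(`{
		"name": "nirmata-*",
		"notAnchor1": 123,
		"namespace": "kube-?olicy",
		"notAnchor2": "sample-text",
		"object": {
			"key1": "value1",
			"(key2)": "value2"
		}
	}`)

	var unmarshalled map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawMap, &unmarshalled))

	actualMap := getAnchorsFromMap(unmarshalled)

	assert.Equal(t, len(actualMap), 0)
}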
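// TestValidateMap pins the happy path of validateMap on a Deployment: the
// container name matches "?*" and the cpu request "8" satisfies the
// "<4|8" pattern, so no path is reported and no error is returned.
//
// Unmarshal errors are asserted because a nil pattern map validates trivially
// (nothing to check), which would make this test pass without exercising the
// engine at all.
func TestValidateMap(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"template": {
				"spec": {
					"containers": [
						{
							"name": "?*",
							"resources": {
								"requests": {
									"cpu": "<4|8"
								}
							}
						}
					]
				}
			}
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "Deployment",
		"metadata": {
			"name": "nginx-deployment",
			"labels": {
				"app": "nginx"
			}
		},
		"spec": {
			"replicas": 3,
			"selector": {
				"matchLabels": {
					"app": "nginx"
				}
			},
			"template": {
				"metadata": {
					"labels": {
						"app": "nginx"
					}
				},
				"spec": {
					"securityContext": {
						"runAsNonRoot": true
					},
					"containers": [
						{
							"name": "nginx",
							"image": "https://nirmata/nginx:latest",
							"imagePullPolicy": "Always",
							"readinessProbe": {
								"exec": {
									"command": ["cat", "/tmp/healthy"]
								},
								"initialDelaySeconds": 5,
								"periodSeconds": 10
							},
							"livenessProbe": {
								"tcpSocket": {
									"port": 8080
								},
								"initialDelaySeconds": 15,
								"periodSeconds": 11
							},
							"resources": {
								"limits": {
									"memory": "2Gi",
									"cpu": 8
								},
								"requests": {
									"memory": "512Mi",
									"cpu": "8"
								}
							},
							"ports": [
								{
									"containerPort": 80
								}
							]
						}
					]
				}
			}
		}
	}`)

	var pattern, resource map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateMap(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}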
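// TestValidateMap_AsteriskForInt pins that a "*" pattern accepts a numeric
// resource value (periodSeconds: 11), not only strings.
//
// Two fixes over the previous version: unmarshal errors are asserted instead of
// ignored (a nil pattern validates trivially), and the returned path is
// asserted to be empty like the sibling asterisk tests instead of merely
// logged, so a non-empty path on a nil error is caught.
func TestValidateMap_AsteriskForInt(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"template": {
				"spec": {
					"containers": [
						{
							"name": "*",
							"livenessProbe": {
								"periodSeconds": "*"
							}
						}
					]
				}
			}
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "StatefulSet",
		"metadata": {
			"name": "game-web",
			"labels": {
				"originalLabel": "isHere"
			}
		},
		"spec": {
			"selector": {
				"matchLabels": {
					"app": "nginxo"
				}
			},
			"serviceName": "nginxo",
			"replicas": 3,
			"template": {
				"metadata": {
					"labels": {
						"app": "nginxo"
					}
				},
				"spec": {
					"terminationGracePeriodSeconds": 10,
					"containers": [
						{
							"name": "nginxo",
							"image": "k8s.gcr.io/nginx-but-no-slim:0.8",
							"ports": [
								{
									"containerPort": 8780,
									"name": "webp"
								}
							],
							"volumeMounts": [
								{
									"name": "www",
									"mountPath": "/usr/share/nginxo/html"
								}
							],
							"livenessProbe": {
								"periodSeconds": 11
							}
						}
					]
				}
			},
			"volumeClaimTemplates": [
				{
					"metadata": {
						"name": "www"
					},
					"spec": {
						"accessModes": ["ReadWriteOnce"],
						"storageClassName": "my-storage-class",
						"resources": {
							"requests": {
								"storage": "1Gi"
							}
						}
					}
				}
			]
		}
	}`)

	var pattern, resource map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateMap(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}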
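// TestValidateMap_AsteriskForMap pins that a "*" pattern accepts a resource
// value that is itself a map (livenessProbe: {...}).
//
// Unmarshal errors are asserted instead of ignored: a nil pattern validates
// trivially and would let this test pass without exercising the engine.
func TestValidateMap_AsteriskForMap(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"template": {
				"spec": {
					"containers": [
						{
							"name": "*",
							"livenessProbe": "*"
						}
					]
				}
			}
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "StatefulSet",
		"metadata": {
			"name": "game-web",
			"labels": {
				"originalLabel": "isHere"
			}
		},
		"spec": {
			"selector": {
				"matchLabels": {
					"app": "nginxo"
				}
			},
			"serviceName": "nginxo",
			"replicas": 3,
			"template": {
				"metadata": {
					"labels": {
						"app": "nginxo"
					}
				},
				"spec": {
					"terminationGracePeriodSeconds": 10,
					"containers": [
						{
							"name": "nginxo",
							"image": "k8s.gcr.io/nginx-but-no-slim:0.8",
							"ports": [
								{
									"containerPort": 8780,
									"name": "webp"
								}
							],
							"volumeMounts": [
								{
									"name": "www",
									"mountPath": "/usr/share/nginxo/html"
								}
							],
							"livenessProbe": {
								"periodSeconds": 11
							}
						}
					]
				}
			},
			"volumeClaimTemplates": [
				{
					"metadata": {
						"name": "www"
					},
					"spec": {
						"accessModes": ["ReadWriteOnce"],
						"storageClassName": "my-storage-class",
						"resources": {
							"requests": {
								"storage": "1Gi"
							}
						}
					}
				}
			]
		}
	}`)

	var pattern, resource map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateMap(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}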
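// TestValidateMap_AsteriskForArray pins that a "*" pattern accepts a resource
// value that is an array (containers: [...]).
//
// Unmarshal errors are asserted instead of ignored: a nil pattern validates
// trivially and would let this test pass without exercising the engine.
func TestValidateMap_AsteriskForArray(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"template": {
				"spec": {
					"containers": "*"
				}
			}
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "StatefulSet",
		"metadata": {
			"name": "game-web",
			"labels": {
				"originalLabel": "isHere"
			}
		},
		"spec": {
			"selector": {
				"matchLabels": {
					"app": "nginxo"
				}
			},
			"serviceName": "nginxo",
			"replicas": 3,
			"template": {
				"metadata": {
					"labels": {
						"app": "nginxo"
					}
				},
				"spec": {
					"terminationGracePeriodSeconds": 10,
					"containers": [
						{
							"name": "nginxo",
							"image": "k8s.gcr.io/nginx-but-no-slim:0.8",
							"ports": [
								{
									"containerPort": 8780,
									"name": "webp"
								}
							],
							"volumeMounts": [
								{
									"name": "www",
									"mountPath": "/usr/share/nginxo/html"
								}
							],
							"livenessProbe": {
								"periodSeconds": 11
							}
						}
					]
				}
			},
			"volumeClaimTemplates": [
				{
					"metadata": {
						"name": "www"
					},
					"spec": {
						"accessModes": ["ReadWriteOnce"],
						"storageClassName": "my-storage-class",
						"resources": {
							"requests": {
								"storage": "1Gi"
							}
						}
					}
				}
			]
		}
	}`)

	var pattern, resource map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateMap(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}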
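// TestValidateMap_AsteriskFieldIsMissing pins that a "*" pattern (field must be
// present) fails when the resource field is absent, and that the reported path
// is the element that failed ("/spec/template/spec/containers/0/").
//
// Note the fixture spells absence as an explicit JSON null; encoding/json
// decodes that into a nil interface value under the key, which the engine
// treats the same as a missing field for this assertion to hold.
//
// Unmarshal errors are asserted so the expected error cannot be produced by a
// broken fixture rather than by the engine.
func TestValidateMap_AsteriskFieldIsMissing(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"template": {
				"spec": {
					"containers": [
						{
							"name": "*",
							"livenessProbe": "*"
						}
					]
				}
			}
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "StatefulSet",
		"metadata": {
			"name": "game-web",
			"labels": {
				"originalLabel": "isHere"
			}
		},
		"spec": {
			"selector": {
				"matchLabels": {
					"app": "nginxo"
				}
			},
			"serviceName": "nginxo",
			"replicas": 3,
			"template": {
				"metadata": {
					"labels": {
						"app": "nginxo"
					}
				},
				"spec": {
					"terminationGracePeriodSeconds": 10,
					"containers": [
						{
							"name": "nginxo",
							"image": "k8s.gcr.io/nginx-but-no-slim:0.8",
							"ports": [
								{
									"containerPort": 8780,
									"name": "webp"
								}
							],
							"volumeMounts": [
								{
									"name": "www",
									"mountPath": "/usr/share/nginxo/html"
								}
							],
							"livenessProbe": null
						}
					]
				}
			},
			"volumeClaimTemplates": [
				{
					"metadata": {
						"name": "www"
					},
					"spec": {
						"accessModes": ["ReadWriteOnce"],
						"storageClassName": "my-storage-class",
						"resources": {
							"requests": {
								"storage": "1Gi"
							}
						}
					}
				}
			]
		}
	}`)

	var pattern, resource map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateMap(resource, pattern, pattern, "/")
	assert.Equal(t, path, "/spec/template/spec/containers/0/")
	assert.Assert(t, err != nil, "a '*' pattern must reject a null/missing field")
}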
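// TestValidateMap_livenessProbeIsNull pins that a null pattern value accepts a
// resource whose corresponding field is also null: no path, no error.
//
// Unmarshal errors are asserted instead of ignored: a nil pattern validates
// trivially and would let this test pass without exercising the engine.
func TestValidateMap_livenessProbeIsNull(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"template": {
				"spec": {
					"containers": [
						{
							"name": "*",
							"livenessProbe": null
						}
					]
				}
			}
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "StatefulSet",
		"metadata": {
			"name": "game-web",
			"labels": {
				"originalLabel": "isHere"
			}
		},
		"spec": {
			"selector": {
				"matchLabels": {
					"app": "nginxo"
				}
			},
			"serviceName": "nginxo",
			"replicas": 3,
			"template": {
				"metadata": {
					"labels": {
						"app": "nginxo"
					}
				},
				"spec": {
					"terminationGracePeriodSeconds": 10,
					"containers": [
						{
							"name": "nginxo",
							"image": "k8s.gcr.io/nginx-but-no-slim:0.8",
							"ports": [
								{
									"containerPort": 8780,
									"name": "webp"
								}
							],
							"volumeMounts": [
								{
									"name": "www",
									"mountPath": "/usr/share/nginxo/html"
								}
							],
							"livenessProbe": null
						}
					]
				}
			},
			"volumeClaimTemplates": [
				{
					"metadata": {
						"name": "www"
					},
					"spec": {
						"accessModes": ["ReadWriteOnce"],
						"storageClassName": "my-storage-class",
						"resources": {
							"requests": {
								"storage": "1Gi"
							}
						}
					}
				}
			]
		}
	}`)

	var pattern, resource map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateMap(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}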
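// TestValidateMap_livenessProbeIsMissing pins that a null pattern value also
// accepts a resource where the field is absent entirely (no livenessProbe key
// on the container): no path, no error.
//
// Unmarshal errors are asserted instead of ignored: a nil pattern validates
// trivially and would let this test pass without exercising the engine.
func TestValidateMap_livenessProbeIsMissing(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"template": {
				"spec": {
					"containers": [
						{
							"name": "*",
							"livenessProbe": null
						}
					]
				}
			}
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "StatefulSet",
		"metadata": {
			"name": "game-web",
			"labels": {
				"originalLabel": "isHere"
			}
		},
		"spec": {
			"selector": {
				"matchLabels": {
					"app": "nginxo"
				}
			},
			"serviceName": "nginxo",
			"replicas": 3,
			"template": {
				"metadata": {
					"labels": {
						"app": "nginxo"
					}
				},
				"spec": {
					"terminationGracePeriodSeconds": 10,
					"containers": [
						{
							"name": "nginxo",
							"image": "k8s.gcr.io/nginx-but-no-slim:0.8",
							"ports": [
								{
									"containerPort": 8780,
									"name": "webp"
								}
							],
							"volumeMounts": [
								{
									"name": "www",
									"mountPath": "/usr/share/nginxo/html"
								}
							]
						}
					]
				}
			},
			"volumeClaimTemplates": [
				{
					"metadata": {
						"name": "www"
					},
					"spec": {
						"accessModes": ["ReadWriteOnce"],
						"storageClassName": "my-storage-class",
						"resources": {
							"requests": {
								"storage": "1Gi"
							}
						}
					}
				}
			]
		}
	}`)

	var pattern, resource map[string]interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateMap(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}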
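// TestValidateMapElement_TwoElementsInArrayOnePass pins the "^(list)" existence
// anchor: the list has two elements, the first satisfies the conditional
// anchors and "key2" pattern, the second does not, and the overall result is
// success with an empty path.
//
// Changes from the previous version: the stale commented-out assertions
// (which expected a failing path "/1/object/0/key2/" — the pre-existence-anchor
// behaviour) are dropped so they cannot be mistaken for the contract, the error
// check uses assert.NilError so a failure prints the error text, and unmarshal
// errors are asserted rather than ignored (a nil pattern validates trivially).
func TestValidateMapElement_TwoElementsInArrayOnePass(t *testing.T) {
	rawPattern := []byte(`{
		"^(list)": [
			{
				"(name)": "nirmata-*",
				"object": [
					{
						"(key1)": "value*",
						"key2": "value*"
					}
				]
			}
		]
	}`)
	rawMap := []byte(`{
		"list": [
			{
				"name": "nirmata-1",
				"object": [
					{
						"key1": "value1",
						"key2": "value2"
					}
				]
			},
			{
				"name": "nirmata-1",
				"object": [
					{
						"key1": "not_value",
						"key2": "not_value"
					}
				]
			}
		]
	}`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}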
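// TestValidateMapElement_OneElementInArrayPass pins validation of a top-level
// array: the single element matches both conditional anchors ("(name)",
// "(key1)") and the plain "key2" pattern, so no path and no error result.
//
// Unmarshal errors are asserted instead of ignored: a nil pattern validates
// trivially and would let this test pass without exercising the engine.
func TestValidateMapElement_OneElementInArrayPass(t *testing.T) {
	rawPattern := []byte(`[
		{
			"(name)": "nirmata-*",
			"object": [
				{
					"(key1)": "value*",
					"key2": "value*"
				}
			]
		}
	]`)
	rawMap := []byte(`[
		{
			"name": "nirmata-1",
			"object": [
				{
					"key1": "value1",
					"key2": "value2"
				}
			]
		}
	]`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}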
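// TestValidateMap_CorrectRelativePathInConfig pins that a relative reference
// "$(<=./../../limits/memory)" resolves from the requests.memory position to
// the sibling limits.memory value and the comparison (1024Mi <= 2048Mi) passes.
//
// Unmarshal errors are asserted instead of ignored: a nil pattern validates
// trivially and the reference-resolution code would never run.
func TestValidateMap_CorrectRelativePathInConfig(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"containers": [
				{
					"name": "*",
					"resources": {
						"requests": {
							"memory": "$(<=./../../limits/memory)"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "Deployment",
		"metadata": {
			"name": "nginx-deployment",
			"labels": {
				"app": "nginx"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nirmata",
					"resources": {
						"requests": {
							"memory": "1024Mi"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}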
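// TestValidateMap_RelativePathDoesNotExists pins that a reference to a path
// that does not exist in the pattern ("./../somekey/somekey2/memory") is an
// error, reported at the position of the reference itself.
//
// Unmarshal errors are asserted so the expected error is known to come from
// reference resolution and not from a broken fixture.
func TestValidateMap_RelativePathDoesNotExists(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"containers": [
				{
					"name": "*",
					"resources": {
						"requests": {
							"memory": "$(./../somekey/somekey2/memory)"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "Deployment",
		"metadata": {
			"name": "nginx-deployment",
			"labels": {
				"app": "nginx"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nirmata",
					"resources": {
						"requests": {
							"memory": "1024Mi"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
	assert.Assert(t, err != nil, "a reference to a non-existent path must fail")
}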
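// TestValidateMap_OnlyAnchorsInPath pins that an empty reference "$()" is
// rejected as malformed, with the path pointing at the offending field.
//
// Unmarshal errors are asserted so the expected error is known to come from
// the engine and not from a broken fixture.
func TestValidateMap_OnlyAnchorsInPath(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"containers": [
				{
					"name": "*",
					"resources": {
						"requests": {
							"memory": "$()"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "Deployment",
		"metadata": {
			"name": "nginx-deployment",
			"labels": {
				"app": "nginx"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nirmata",
					"resources": {
						"requests": {
							"memory": "1024Mi"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
	assert.Assert(t, err != nil, "an empty reference must fail")
}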
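// TestValidateMap_MalformedReferenceOnlyDolarMark pins that a bare "$" (no
// parentheses, no path) is rejected at the field where it appears.
//
// Unmarshal errors are asserted so the expected error is known to come from
// the engine and not from a broken fixture.
func TestValidateMap_MalformedReferenceOnlyDolarMark(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"containers": [
				{
					"name": "*",
					"resources": {
						"requests": {
							"memory": "$"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "Deployment",
		"metadata": {
			"name": "nginx-deployment",
			"labels": {
				"app": "nginx"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nirmata",
					"resources": {
						"requests": {
							"memory": "1024Mi"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
	assert.Assert(t, err != nil, "a bare '$' must be rejected as a malformed reference")
}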
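// TestValidateMap_RelativePathWithParentheses pins that parentheses inside the
// referenced key names ("lim(its", "mem)ory") do not confuse the "$(...)"
// reference parser: the reference still resolves and the comparison passes.
//
// Unmarshal errors are asserted instead of ignored: a nil pattern validates
// trivially and the parser would never see the awkward key names.
func TestValidateMap_RelativePathWithParentheses(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"containers": [
				{
					"name": "*",
					"resources": {
						"requests": {
							"memory": "$(<=./../../lim(its/mem)ory)"
						},
						"lim(its": {
							"mem)ory": "2048Mi"
						}
					}
				}
			]
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "Deployment",
		"metadata": {
			"name": "nginx-deployment",
			"labels": {
				"app": "nginx"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nirmata",
					"resources": {
						"requests": {
							"memory": "1024Mi"
						},
						"lim(its": {
							"mem)ory": "2048Mi"
						}
					}
				}
			]
		}
	}`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}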
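// TestValidateMap_MalformedPath pins that a reference whose body is an operator
// and a literal rather than a path ("$(>2048)") is rejected at the field where
// it appears.
//
// Unmarshal errors are asserted so the expected error is known to come from
// the engine and not from a broken fixture.
func TestValidateMap_MalformedPath(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"containers": [
				{
					"name": "*",
					"resources": {
						"requests": {
							"memory": "$(>2048)"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "Deployment",
		"metadata": {
			"name": "nginx-deployment",
			"labels": {
				"app": "nginx"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nirmata",
					"resources": {
						"requests": {
							"memory": "1024Mi"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
	assert.Assert(t, err != nil, "a reference with no path must be rejected")
}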
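// TestValidateMap_AbosolutePathExists pins that an absolute reference
// "$(<=/spec/containers/0/resources/limits/memory)" resolves against the
// pattern root and the comparison (1024Mi <= 2048Mi) passes.
//
// Unmarshal errors are asserted instead of ignored: a nil pattern validates
// trivially and the reference-resolution code would never run. The error check
// uses assert.NilError so a failure prints the error text.
func TestValidateMap_AbosolutePathExists(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"containers": [
				{
					"name": "*",
					"resources": {
						"requests": {
							"memory": "$(<=/spec/containers/0/resources/limits/memory)"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "Deployment",
		"metadata": {
			"name": "nginx-deployment",
			"labels": {
				"app": "nginx"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nirmata",
					"resources": {
						"requests": {
							"memory": "1024Mi"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}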
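// TestValidateMap_AbsolutePathToMetadata pins that a conditional anchor may
// carry an absolute reference ("(name)": "$(/metadata/labels/app)"): the
// reference resolves to "nirmata*", which matches the container name, and the
// second anchor "(image)" has no counterpart in the resource. The overall
// result is success with an empty path.
//
// Unmarshal errors are asserted instead of ignored: a nil pattern validates
// trivially and neither the reference nor the anchors would be evaluated. The
// error check uses assert.NilError so a failure prints the error text.
func TestValidateMap_AbsolutePathToMetadata(t *testing.T) {
	rawPattern := []byte(`{
		"metadata": {
			"labels": {
				"app": "nirmata*"
			}
		},
		"spec": {
			"containers": [
				{
					"(name)": "$(/metadata/labels/app)",
					"(image)": "nirmata.io*"
				}
			]
		}
	}`)
	rawMap := []byte(`{
		"metadata": {
			"labels": {
				"app": "nirmata*"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nirmata"
				}
			]
		}
	}`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "")
	assert.NilError(t, err)
}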
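// TestValidateMap_AbsolutePathToMetadata_fail is the negative counterpart of
// TestValidateMap_AbsolutePathToMetadata: "image" is a plain (non-anchor)
// pattern here, so once the "(name)" anchor selects the container, the image
// "nginx" must match "nirmata.io*" — it does not, and the failing path is
// "/spec/containers/0/image/".
//
// Unmarshal errors are asserted so the expected error is known to come from
// the engine and not from a broken fixture.
func TestValidateMap_AbsolutePathToMetadata_fail(t *testing.T) {
	rawPattern := []byte(`{
		"metadata": {
			"labels": {
				"app": "nirmata*"
			}
		},
		"spec": {
			"containers": [
				{
					"(name)": "$(/metadata/labels/app)",
					"image": "nirmata.io*"
				}
			]
		}
	}`)
	rawMap := []byte(`{
		"metadata": {
			"labels": {
				"app": "nirmata*"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nirmata",
					"image": "nginx"
				}
			]
		}
	}`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "/spec/containers/0/image/")
	assert.Assert(t, err != nil, "image \"nginx\" must not satisfy pattern \"nirmata.io*\"")
}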
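// TestValidateMap_AbosolutePathDoesNotExists pins that an absolute reference to
// a path absent from the pattern ("/some/memory") is an error, reported at the
// position of the reference.
//
// Unmarshal errors are asserted so the expected error is known to come from
// reference resolution and not from a broken fixture.
func TestValidateMap_AbosolutePathDoesNotExists(t *testing.T) {
	rawPattern := []byte(`{
		"spec": {
			"containers": [
				{
					"name": "*",
					"resources": {
						"requests": {
							"memory": "$(<=/some/memory)"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)
	rawMap := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "Deployment",
		"metadata": {
			"name": "nginx-deployment",
			"labels": {
				"app": "nginx"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nirmata",
					"resources": {
						"requests": {
							"memory": "1024Mi"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
	assert.Assert(t, err != nil, "an absolute reference to a non-existent path must fail")
}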
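// TestActualizePattern_GivenRelativePathThatExists pins that actualizePattern
// resolves a relative reference ("./../../limits/memory", evaluated from
// absolutePath) against the pattern without error.
//
// The previous version reassigned the result into the same `pattern` variable
// and then never looked at it; the resolved value is now bound to its own name
// and checked to be non-nil, and the fixture decode is asserted so that a nil
// pattern cannot sneak through. The exact resolved value is deliberately not
// pinned here — see the NOTE below.
func TestActualizePattern_GivenRelativePathThatExists(t *testing.T) {
	absolutePath := "/spec/containers/0/resources/requests/memory"
	referencePath := "$(<=./../../limits/memory)"
	rawPattern := []byte(`{
		"spec": {
			"containers": [
				{
					"name": "*",
					"resources": {
						"requests": {
							"memory": "$(<=./../../limits/memory)"
						},
						"limits": {
							"memory": "2048Mi"
						}
					}
				}
			]
		}
	}`)

	var pattern interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))

	resolved, err := actualizePattern(pattern, referencePath, absolutePath)
	assert.NilError(t, err)
	// NOTE(review): a nil result on the success path would mean the reference
	// did not actually resolve; the concrete shape of the resolved value
	// (e.g. operator + the referenced "2048Mi") is not pinned here — confirm
	// against actualizePattern and tighten this assertion if stable.
	assert.Assert(t, resolved != nil, "resolved pattern should not be nil on success")
}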
// TestFormAbsolutePath_RelativePathExists pins that a "./"-prefixed relative
// reference is resolved against the directory of the current absolute path:
// two ".." steps climb from requests/memory to resources, then limits/memory
// is appended.
func TestFormAbsolutePath_RelativePathExists(t *testing.T) {
	const (
		currentPath = "/spec/containers/0/resources/requests/memory"
		reference   = "./../../limits/memory"
		want        = "/spec/containers/0/resources/limits/memory"
	)

	got := FormAbsolutePath(reference, currentPath)
	assert.Equal(t, got, want)
}
// TestFormAbsolutePath_RelativePathWithBackToTopInTheBegining pins that a
// relative reference starting directly with ".." (no leading "./") resolves
// exactly like its "./"-prefixed form.
func TestFormAbsolutePath_RelativePathWithBackToTopInTheBegining(t *testing.T) {
	const (
		currentPath = "/spec/containers/0/resources/requests/memory"
		reference   = "../../limits/memory"
		want        = "/spec/containers/0/resources/limits/memory"
	)

	got := FormAbsolutePath(reference, currentPath)
	assert.Equal(t, got, want)
}
// TestFormAbsolutePath_AbsolutePathExists pins that a reference which is
// already absolute (leading "/") is returned unchanged, regardless of the
// current path.
func TestFormAbsolutePath_AbsolutePathExists(t *testing.T) {
	const (
		currentPath = "/spec/containers/0/resources/requests/memory"
		reference   = "/spec/containers/0/resources/limits/memory"
	)

	got := FormAbsolutePath(reference, currentPath)
	assert.Equal(t, got, reference)
}
// TestFormAbsolutePath_EmptyPath pins that an empty reference resolves to the
// current absolute path itself.
func TestFormAbsolutePath_EmptyPath(t *testing.T) {
	const currentPath = "/spec/containers/0/resources/requests/memory"

	got := FormAbsolutePath("", currentPath)
	assert.Equal(t, got, currentPath)
}
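// TestValidateMapElement_OneElementInArrayNotPass pins the failing case of
// array validation: the conditional anchors "(name)" and "(key1)" both match
// (so the element is validated, not skipped), but "key2": "1value1" does not
// satisfy "value*", and the failing path "/0/object/0/key2/" is reported.
//
// Unmarshal errors are asserted so the expected error is known to come from
// the engine and not from a broken fixture.
func TestValidateMapElement_OneElementInArrayNotPass(t *testing.T) {
	rawPattern := []byte(`[
		{
			"(name)": "nirmata-*",
			"object": [
				{
					"(key1)": "value*",
					"key2": "value*"
				}
			]
		}
	]`)
	rawMap := []byte(`[
		{
			"name": "nirmata-1",
			"object": [
				{
					"key1": "value5",
					"key2": "1value1"
				}
			]
		}
	]`)

	var pattern, resource interface{}
	assert.NilError(t, json.Unmarshal(rawPattern, &pattern))
	assert.NilError(t, json.Unmarshal(rawMap, &resource))

	path, err := validateResourceElement(resource, pattern, pattern, "/")
	assert.Equal(t, path, "/0/object/0/key2/")
	assert.Assert(t, err != nil, "key2 \"1value1\" must not satisfy pattern \"value*\"")
}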
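// TestValidate_ServiceTest runs the full Validate entry point with a
// ClusterPolicy fixture against a Service and asserts that no rule responses
// are produced.
//
// NOTE(review): the validate pattern here ("name": "hs", "protocol": 32) does
// not match the resource's port ("http", "TCP"), so a rule that actually ran
// would be expected to fail and to appear in PolicyResponse.Rules. Zero
// responses therefore means the rule never ran against this Service — most
// likely because the fixture's rule uses a "resource" key that is not the
// match field of the current v1alpha1 schema, and json.Unmarshal into a typed
// struct silently drops unknown keys. Until the fixture is confirmed to match
// the current API, this assertion cannot detect a regression in validation.
//
// The policy and resource decodes are now asserted rather than ignored so at
// least a syntactically broken fixture fails loudly.
func TestValidate_ServiceTest(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.nirmata.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "policy-service"
		},
		"spec": {
			"rules": [
				{
					"name": "ps1",
					"resource": {
						"kinds": ["Service"],
						"name": "game-service*"
					},
					"mutate": {
						"patches": [
							{
								"path": "/metadata/labels/isMutated",
								"op": "add",
								"value": "true"
							},
							{
								"path": "/metadata/labels/secretLabel",
								"op": "replace",
								"value": "weKnow"
							},
							{
								"path": "/metadata/labels/originalLabel",
								"op": "remove"
							},
							{
								"path": "/spec/selector/app",
								"op": "replace",
								"value": "mutedApp"
							}
						]
					},
					"validate": {
						"message": "This resource is broken",
						"pattern": {
							"spec": {
								"ports": [
									{
										"name": "hs",
										"protocol": 32
									}
								]
							}
						}
					}
				}
			]
		}
	}`)
	rawResource := []byte(`{
		"kind": "Service",
		"apiVersion": "v1",
		"metadata": {
			"name": "game-service",
			"labels": {
				"originalLabel": "isHere",
				"secretLabel": "thisIsMySecret"
			}
		},
		"spec": {
			"selector": {
				"app": "MyApp"
			},
			"ports": [
				{
					"name": "http",
					"protocol": "TCP",
					"port": 80,
					"targetPort": 9376
				}
			]
		}
	}`)

	var policy kyverno.ClusterPolicy
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})
	assert.Equal(t, len(er.PolicyResponse.Rules), 0)
}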
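// TestValidate_MapHasFloats runs a Deployment whose "replicas" is a JSON
// number through a policy written with the legacy top-level "resource"
// selector and expects the engine to produce no rule results.
//
// Presumably no rule is applied because the rule has no "match" block; the
// numeric "replicas": 3 in both pattern and resource is what the test name
// refers to (JSON numbers decode as float64 in unstructured maps).
func TestValidate_MapHasFloats(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.nirmata.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "policy-deployment-changed"
		},
		"spec": {
			"rules": [
				{
					"name": "First policy v2",
					"resource": {
						"kinds": [
							"Deployment"
						],
						"name": "nginx-*"
					},
					"mutate": {
						"patches": [
							{
								"path": "/metadata/labels/isMutated",
								"op": "add",
								"value": "true"
							},
							{
								"path": "/metadata/labels/app",
								"op": "replace",
								"value": "nginx_is_mutated"
							}
						]
					},
					"validate": {
						"message": "replicas number is wrong",
						"pattern": {
							"metadata": {
								"labels": {
									"app": "*"
								}
							},
							"spec": {
								"replicas": 3
							}
						}
					}
				}
			]
		}
	}`)
	rawResource := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "Deployment",
		"metadata": {
			"name": "nginx-deployment",
			"labels": {
				"app": "nginx"
			}
		},
		"spec": {
			"replicas": 3,
			"selector": {
				"matchLabels": {
					"app": "nginx"
				}
			},
			"template": {
				"metadata": {
					"labels": {
						"app": "nginx"
					}
				},
				"spec": {
					"containers": [
						{
							"name": "nginx",
							"image": "nginx:1.7.9",
							"ports": [
								{
									"containerPort": 80
								}
							]
						}
					]
				}
			}
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and make the
	// zero-rules assertion below pass vacuously, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})
	// assert.Equal reports the actual count on failure, unlike a bare boolean.
	assert.Equal(t, len(er.PolicyResponse.Rules), 0)
}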
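// TestValidate_image_tag_fail checks the failure path of a two-rule image
// policy: "validate-tag" requires every container image to carry a tag
// ("*:*"), and "validate-latest" uses the conditional anchor "(image)" so that
// the imagePullPolicy check only applies to images tagged "*latest".
//
// The fixture Pod runs nginx:latest with imagePullPolicy "Always" while the
// pattern demands "NotPresent", so the first rule succeeds and the second must
// fail at /spec/containers/0/imagePullPolicy/, making the overall response
// unsuccessful.
func TestValidate_image_tag_fail(t *testing.T) {
	// If image tag is latest then imagepull policy needs to be checked
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "validate-image"
		},
		"spec": {
			"rules": [
				{
					"name": "validate-tag",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "An image tag is required",
						"pattern": {
							"spec": {
								"containers": [
									{
										"image": "*:*"
									}
								]
							}
						}
					}
				},
				{
					"name": "validate-latest",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "imagePullPolicy 'Always' required with tag 'latest'",
						"pattern": {
							"spec": {
								"containers": [
									{
										"(image)": "*latest",
										"imagePullPolicy": "NotPresent"
									}
								]
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "myapp-pod",
			"labels": {
				"app": "myapp"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nginx",
					"image": "nginx:latest",
					"imagePullPolicy": "Always"
				}
			]
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	// Expected per-rule messages, in rule order.
	msgs := []string{
		"Validation rule 'validate-tag' succeeded.",
		"Validation error: imagePullPolicy 'Always' required with tag 'latest'\nValidation rule 'validate-latest' failed at path '/spec/containers/0/imagePullPolicy/'.",
	}

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, !er.IsSuccesful())
}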
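// TestValidate_image_tag_pass checks the success path of the same two-rule
// image policy as TestValidate_image_tag_fail: "validate-tag" requires a tag
// on every image, and "validate-latest" conditionally (via the "(image)"
// anchor) requires imagePullPolicy "Always" for images tagged "*latest".
//
// The fixture Pod runs nginx:latest with imagePullPolicy "Always", so both
// rules must report success and the overall response must be successful.
func TestValidate_image_tag_pass(t *testing.T) {
	// If image tag is latest then imagepull policy needs to be checked
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "validate-image"
		},
		"spec": {
			"rules": [
				{
					"name": "validate-tag",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "An image tag is required",
						"pattern": {
							"spec": {
								"containers": [
									{
										"image": "*:*"
									}
								]
							}
						}
					}
				},
				{
					"name": "validate-latest",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "imagePullPolicy 'Always' required with tag 'latest'",
						"pattern": {
							"spec": {
								"containers": [
									{
										"(image)": "*latest",
										"imagePullPolicy": "Always"
									}
								]
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "myapp-pod",
			"labels": {
				"app": "myapp"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nginx",
					"image": "nginx:latest",
					"imagePullPolicy": "Always"
				}
			]
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	// Expected per-rule messages, in rule order.
	msgs := []string{
		"Validation rule 'validate-tag' succeeded.",
		"Validation rule 'validate-latest' succeeded.",
	}

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, er.IsSuccesful())
}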
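// TestValidate_Fail_anyPattern checks that an "anyPattern" rule fails when
// none of its alternatives match. The rule accepts a Pod whose namespace is
// non-empty ("?*") or not "default" ("!default"); the fixture Pod has no
// metadata.namespace at all, so both alternatives fail at /metadata/namespace/
// and the message must list each failed alternative.
func TestValidate_Fail_anyPattern(t *testing.T) {
	rawPolicy := []byte(`
	{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "validate-namespace"
		},
		"spec": {
			"rules": [
				{
					"name": "check-default-namespace",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "A namespace is required",
						"anyPattern": [
							{
								"metadata": {
									"namespace": "?*"
								}
							},
							{
								"metadata": {
									"namespace": "!default"
								}
							}
						]
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "myapp-pod",
			"labels": {
				"app": "myapp"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nginx",
					"image": "nginx"
				}
			]
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})

	// Expected per-rule messages, in rule order.
	msgs := []string{"Validation error: A namespace is required\nValidation rule check-default-namespace anyPattern[0] failed at path /metadata/namespace/.\nValidation rule check-default-namespace anyPattern[1] failed at path /metadata/namespace/."}
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, !er.IsSuccesful())
}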
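// TestValidate_host_network_port checks a host-isolation policy: the pattern
// requires spec.hostNetwork to be false and every container port's hostPort
// to be null (absent). The fixture Pod keeps hostNetwork false but binds
// hostPort 80, so the rule must fail at /spec/containers/0/ports/0/hostPort/
// and the response must be unsuccessful.
func TestValidate_host_network_port(t *testing.T) {
	rawPolicy := []byte(`
	{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "validate-host-network-port"
		},
		"spec": {
			"rules": [
				{
					"name": "validate-host-network-port",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "Host network and port are not allowed",
						"pattern": {
							"spec": {
								"hostNetwork": false,
								"containers": [
									{
										"name": "*",
										"ports": [
											{
												"hostPort": null
											}
										]
									}
								]
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "nginx-host-network"
		},
		"spec": {
			"hostNetwork": false,
			"containers": [
				{
					"name": "nginx-host-network",
					"image": "nginx",
					"ports": [
						{
							"containerPort": 80,
							"hostPort": 80
						}
					]
				}
			]
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})

	// Expected per-rule messages, in rule order.
	msgs := []string{"Validation error: Host network and port are not allowed\nValidation rule 'validate-host-network-port' failed at path '/spec/containers/0/ports/0/hostPort/'."}
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, !er.IsSuccesful())
}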
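// TestValidate_anchor_arraymap_pass checks the equality anchor "=(hostPath)"
// inside a list of maps: for each volume that defines hostPath, its path must
// not equal "/var/lib". The fixture Pod mounts hostPath "/var/lib1", which is a
// different string, so the rule must succeed.
func TestValidate_anchor_arraymap_pass(t *testing.T) {
	rawPolicy := []byte(`
	{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "validate-host-path"
		},
		"spec": {
			"rules": [
				{
					"name": "validate-host-path",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "Host path '/var/lib/' is not allowed",
						"pattern": {
							"spec": {
								"volumes": [
									{
										"name": "*",
										"=(hostPath)": {
											"path": "!/var/lib"
										}
									}
								]
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "image-with-hostpath",
			"labels": {
				"app.type": "prod",
				"namespace": "my-namespace"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "image-with-hostpath",
					"image": "docker.io/nautiker/curl",
					"volumeMounts": [
						{
							"name": "var-lib-etcd",
							"mountPath": "/var/lib"
						}
					]
				}
			],
			"volumes": [
				{
					"name": "var-lib-etcd",
					"hostPath": {
						"path": "/var/lib1"
					}
				}
			]
		}
	}`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})

	// Expected per-rule messages, in rule order.
	msgs := []string{"Validation rule 'validate-host-path' succeeded."}
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, er.IsSuccesful())
}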
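// TestValidate_anchor_arraymap_fail checks the failing side of the
// "=(hostPath)" equality anchor inside a list of maps: for each volume that
// defines hostPath, its path must not equal "/var/lib". The fixture Pod mounts
// exactly "/var/lib", so the rule must fail at /spec/volumes/0/hostPath/path/.
func TestValidate_anchor_arraymap_fail(t *testing.T) {
	rawPolicy := []byte(`
	{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "validate-host-path"
		},
		"spec": {
			"rules": [
				{
					"name": "validate-host-path",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "Host path '/var/lib/' is not allowed",
						"pattern": {
							"spec": {
								"volumes": [
									{
										"=(hostPath)": {
											"path": "!/var/lib"
										}
									}
								]
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "image-with-hostpath",
			"labels": {
				"app.type": "prod",
				"namespace": "my-namespace"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "image-with-hostpath",
					"image": "docker.io/nautiker/curl",
					"volumeMounts": [
						{
							"name": "var-lib-etcd",
							"mountPath": "/var/lib"
						}
					]
				}
			],
			"volumes": [
				{
					"name": "var-lib-etcd",
					"hostPath": {
						"path": "/var/lib"
					}
				}
			]
		}
	}`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})

	// Expected per-rule messages, in rule order.
	msgs := []string{"Validation error: Host path '/var/lib/' is not allowed\nValidation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/path/'."}
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, !er.IsSuccesful())
}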
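// TestValidate_anchor_map_notfound checks the "=(securityContext)" equality
// anchor on a map key that the resource does not define. The fixture Pod has
// no spec.securityContext, and the expected message shows the rule succeeds:
// the anchored runAsNonRoot check is only imposed when the key is present.
func TestValidate_anchor_map_notfound(t *testing.T) {
	// anchor not present in resource
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "policy-secaas-k8s"
		},
		"spec": {
			"rules": [
				{
					"name": "pod rule 2",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "pod: validate run as non root user",
						"pattern": {
							"spec": {
								"=(securityContext)": {
									"runAsNonRoot": true
								}
							}
						}
					}
				}
			]
		}
	}`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "myapp-pod",
			"labels": {
				"app": "v1"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nginx",
					"image": "nginx"
				}
			]
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})

	// Expected per-rule messages, in rule order.
	msgs := []string{"Validation rule 'pod rule 2' succeeded."}
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, er.IsSuccesful())
}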
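// TestValidate_anchor_map_found_valid checks the "=(securityContext)" equality
// anchor when the anchored key is present and compliant: the fixture Pod sets
// spec.securityContext.runAsNonRoot to true, matching the pattern, so the rule
// must succeed.
func TestValidate_anchor_map_found_valid(t *testing.T) {
	// anchor present in resource with a value that satisfies the pattern
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "policy-secaas-k8s"
		},
		"spec": {
			"rules": [
				{
					"name": "pod rule 2",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "pod: validate run as non root user",
						"pattern": {
							"spec": {
								"=(securityContext)": {
									"runAsNonRoot": true
								}
							}
						}
					}
				}
			]
		}
	}`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "myapp-pod",
			"labels": {
				"app": "v1"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nginx",
					"image": "nginx"
				}
			],
			"securityContext": {
				"runAsNonRoot": true
			}
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})

	// Expected per-rule messages, in rule order.
	msgs := []string{"Validation rule 'pod rule 2' succeeded."}
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, er.IsSuccesful())
}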
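// TestValidate_anchor_map_found_invalid checks the "=(securityContext)"
// equality anchor when the anchored key is present but non-compliant: the
// fixture Pod sets spec.securityContext.runAsNonRoot to false while the
// pattern requires true, so the rule must fail at
// /spec/securityContext/runAsNonRoot/.
func TestValidate_anchor_map_found_invalid(t *testing.T) {
	// anchor present in resource with a value that violates the pattern
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "policy-secaas-k8s"
		},
		"spec": {
			"rules": [
				{
					"name": "pod rule 2",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "pod: validate run as non root user",
						"pattern": {
							"spec": {
								"=(securityContext)": {
									"runAsNonRoot": true
								}
							}
						}
					}
				}
			]
		}
	}`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "myapp-pod",
			"labels": {
				"app": "v1"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nginx",
					"image": "nginx"
				}
			],
			"securityContext": {
				"runAsNonRoot": false
			}
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})

	// Expected per-rule messages, in rule order.
	msgs := []string{"Validation error: pod: validate run as non root user\nValidation rule 'pod rule 2' failed at path '/spec/securityContext/runAsNonRoot/'."}
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, !er.IsSuccesful())
}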
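// TestValidate_AnchorList_pass checks the "=(containers)" equality anchor on a
// list: the pattern requires each container to be named "nginx". The fixture
// Pod has two containers, both named "nginx", so the rule must succeed.
func TestValidate_AnchorList_pass(t *testing.T) {
	// every element of the anchored list satisfies the pattern
	rawPolicy := []byte(`
	{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "policy-secaas-k8s"
		},
		"spec": {
			"rules": [
				{
					"name": "pod image rule",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"pattern": {
							"spec": {
								"=(containers)": [
									{
										"name": "nginx"
									}
								]
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "myapp-pod",
			"labels": {
				"app": "v1"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nginx"
				},
				{
					"name": "nginx"
				}
			]
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})

	// Expected per-rule messages, in rule order.
	msgs := []string{"Validation rule 'pod image rule' succeeded."}
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		t.Log(r.Message)
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, er.IsSuccesful())
}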
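// TestValidate_AnchorList_fail checks the failing side of the "=(containers)"
// equality anchor on a list: the pattern requires each container to be named
// "nginx", but the fixture Pod's second container is named "busy", so the
// response must be unsuccessful. Only the overall outcome is asserted here;
// the per-rule message check is left commented out because its expected text
// predates the current message format.
func TestValidate_AnchorList_fail(t *testing.T) {
	rawPolicy := []byte(`
	{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "policy-secaas-k8s"
		},
		"spec": {
			"rules": [
				{
					"name": "pod image rule",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"pattern": {
							"spec": {
								"=(containers)": [
									{
										"name": "nginx"
									}
								]
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "myapp-pod",
			"labels": {
				"app": "v1"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nginx"
				},
				{
					"name": "busy"
				}
			]
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty; with no rules applied
	// the unsuccessful-response assertion below would not be meaningful, so the
	// decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})
	// msgs := []string{"Validation rule 'pod image rule' failed at '/spec/containers/1/name/' for resource Pod//myapp-pod."}
	// for index, r := range er.PolicyResponse.Rules {
	// 	// t.Log(r.Message)
	// 	assert.Equal(t, r.Message, msgs[index])
	// }
	assert.Assert(t, !er.IsSuccesful())
}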
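// TestValidate_existenceAnchor_fail checks the failing side of the
// "^(containers)" existence anchor: at least one container must be named
// "nginx". The fixture Pod's containers are "busy1" and "busy", so no element
// satisfies the pattern and the response must be unsuccessful. Only the overall
// outcome is asserted; the per-rule message check is left commented out because
// its expected text predates the current message format.
func TestValidate_existenceAnchor_fail(t *testing.T) {
	// no element of the anchored list satisfies the pattern
	rawPolicy := []byte(`
	{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "policy-secaas-k8s"
		},
		"spec": {
			"rules": [
				{
					"name": "pod image rule",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"pattern": {
							"spec": {
								"^(containers)": [
									{
										"name": "nginx"
									}
								]
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "myapp-pod",
			"labels": {
				"app": "v1"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "busy1"
				},
				{
					"name": "busy"
				}
			]
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty; with no rules applied
	// the unsuccessful-response assertion below would not be meaningful, so the
	// decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})
	// msgs := []string{"Validation rule 'pod image rule' failed at '/spec/containers/' for resource Pod//myapp-pod."}
	// for index, r := range er.PolicyResponse.Rules {
	// 	t.Log(r.Message)
	// 	assert.Equal(t, r.Message, msgs[index])
	// }
	assert.Assert(t, !er.IsSuccesful())
}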
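// TestValidate_existenceAnchor_pass checks the "^(containers)" existence
// anchor: at least one container must be named "nginx". The fixture Pod has
// containers "nginx" and "busy"; the presence of the "nginx" one is enough,
// so the rule must succeed.
func TestValidate_existenceAnchor_pass(t *testing.T) {
	// one element of the anchored list satisfies the pattern
	rawPolicy := []byte(`
	{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "policy-secaas-k8s"
		},
		"spec": {
			"rules": [
				{
					"name": "pod image rule",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"pattern": {
							"spec": {
								"^(containers)": [
									{
										"name": "nginx"
									}
								]
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "myapp-pod",
			"labels": {
				"app": "v1"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "nginx"
				},
				{
					"name": "busy"
				}
			]
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})

	// Expected per-rule messages, in rule order.
	msgs := []string{"Validation rule 'pod image rule' succeeded."}
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, er.IsSuccesful())
}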
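// TestValidate_negationAnchor_deny checks the "X(hostPath)" negation anchor,
// which forbids the anchored key from being present on any volume. The
// fixture Pod declares a hostPath volume, so the rule must fail at
// /spec/volumes/0/hostPath/ and the response must be unsuccessful.
func TestValidate_negationAnchor_deny(t *testing.T) {
	rawPolicy := []byte(`
	{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "validate-host-path"
		},
		"spec": {
			"rules": [
				{
					"name": "validate-host-path",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "Host path is not allowed",
						"pattern": {
							"spec": {
								"volumes": [
									{
										"name": "*",
										"X(hostPath)": null
									}
								]
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "image-with-hostpath",
			"labels": {
				"app.type": "prod",
				"namespace": "my-namespace"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "image-with-hostpath",
					"image": "docker.io/nautiker/curl",
					"volumeMounts": [
						{
							"name": "var-lib-etcd",
							"mountPath": "/var/lib"
						}
					]
				}
			],
			"volumes": [
				{
					"name": "var-lib-etcd",
					"hostPath": {
						"path": "/var/lib1"
					}
				}
			]
		}
	}`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})

	// Expected per-rule messages, in rule order.
	msgs := []string{"Validation error: Host path is not allowed\nValidation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/'."}
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, !er.IsSuccesful())
}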
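// TestValidate_negationAnchor_pass checks the "X(hostPath)" negation anchor,
// which forbids the anchored key from being present on any volume. The
// fixture Pod's only volume is an emptyDir, so no hostPath key exists and the
// rule must succeed.
func TestValidate_negationAnchor_pass(t *testing.T) {
	rawPolicy := []byte(`
	{
		"apiVersion": "kyverno.io/v1alpha1",
		"kind": "ClusterPolicy",
		"metadata": {
			"name": "validate-host-path"
		},
		"spec": {
			"rules": [
				{
					"name": "validate-host-path",
					"match": {
						"resources": {
							"kinds": [
								"Pod"
							]
						}
					},
					"validate": {
						"message": "Host path is not allowed",
						"pattern": {
							"spec": {
								"volumes": [
									{
										"name": "*",
										"X(hostPath)": null
									}
								]
							}
						}
					}
				}
			]
		}
	}
	`)
	rawResource := []byte(`
	{
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {
			"name": "image-with-hostpath",
			"labels": {
				"app.type": "prod",
				"namespace": "my-namespace"
			}
		},
		"spec": {
			"containers": [
				{
					"name": "image-with-hostpath",
					"image": "docker.io/nautiker/curl",
					"volumeMounts": [
						{
							"name": "var-lib-etcd",
							"mountPath": "/var/lib"
						}
					]
				}
			],
			"volumes": [
				{
					"name": "var-lib-etcd",
					"emptyDir": {}
				}
			]
		}
	}
	`)

	var policy kyverno.ClusterPolicy
	// An unparseable policy would leave the struct empty and the message loop
	// below would then iterate zero times, so the decode error is checked.
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	resourceUnstructured, err := ConvertToUnstructured(rawResource)
	assert.NilError(t, err)

	er := Validate(PolicyContext{Policy: policy, Resource: *resourceUnstructured})

	// Expected per-rule messages, in rule order.
	msgs := []string{"Validation rule 'validate-host-path' succeeded."}
	// Pin the count first: a missing rule result would otherwise go unnoticed
	// by the range loop, and a surplus one would index past msgs.
	assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))
	for index, r := range er.PolicyResponse.Rules {
		assert.Equal(t, r.Message, msgs[index])
	}
	assert.Assert(t, er.IsSuccesful())
}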