kyverno/pkg/policycache/cache_test.go

package policycache

import (
	"encoding/json"
	"testing"

	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
	"gotest.tools/assert"
	"sigs.k8s.io/controller-runtime/pkg/log"
)

func Test_All(t *testing.T) {
	pCache := newPolicyCache(log.Log)
	policy := newPolicy(t)

	// add
	pCache.Add(policy)

	// get
	if len(pCache.Get(Mutate, nil)) != 1 {
		t.Errorf("expected 1 mutate policy, found %v", len(pCache.Get(Mutate, nil)))
	}

	if len(pCache.Get(ValidateEnforce, nil)) != 1 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))
	}

	if len(pCache.Get(Generate, nil)) != 1 {
		t.Errorf("expected 1 generate policy, found %v", len(pCache.Get(Generate, nil)))
	}

	// remove
	pCache.Remove(policy)
	assert.Assert(t, len(pCache.Get(ValidateEnforce, nil)) == 0)
}

func Test_Add_Duplicate_Policy(t *testing.T) {
	pCache := newPolicyCache(log.Log)
	policy := newPolicy(t)

	pCache.Add(policy)
	pCache.Add(policy)
	pCache.Add(policy)

	if len(pCache.Get(Mutate, nil)) != 1 {
		t.Errorf("expected 1 mutate policy, found %v", len(pCache.Get(Mutate, nil)))
	}

	if len(pCache.Get(ValidateEnforce, nil)) != 1 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))
	}

	if len(pCache.Get(Generate, nil)) != 1 {
		t.Errorf("expected 1 generate policy, found %v", len(pCache.Get(Generate, nil)))
	}
}

func Test_Add_Validate_Audit(t *testing.T) {
	pCache := newPolicyCache(log.Log)
	policy := newPolicy(t)

	pCache.Add(policy)
	pCache.Add(policy)

	policy.Spec.ValidationFailureAction = "audit"
	pCache.Add(policy)
	pCache.Add(policy)

	if len(pCache.Get(ValidateEnforce, nil)) != 1 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))
	}

	if len(pCache.Get(ValidateAudit, nil)) != 1 {
		t.Errorf("expected 1 validate audit policy, found %v", len(pCache.Get(ValidateAudit, nil)))
	}
}

func Test_Add_Remove(t *testing.T) {
	pCache := newPolicyCache(log.Log)
	policy := newPolicy(t)

	pCache.Add(policy)
	if len(pCache.Get(ValidateEnforce, nil)) != 1 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))
	}

	pCache.Remove(policy)
	if len(pCache.Get(ValidateEnforce, nil)) != 0 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))
	}

	pCache.Add(policy)
	if len(pCache.Get(ValidateEnforce, nil)) != 1 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))
	}
}

func Test_Remove_From_Empty_Cache(t *testing.T) {
	pCache := newPolicyCache(log.Log)
	policy := newPolicy(t)

	pCache.Remove(policy)
}

func newPolicy(t *testing.T) *kyverno.ClusterPolicy {
	rawPolicy := []byte(`{
		"metadata": {
		  "name": "test-policy"
		},
		"spec": {
		  "validationFailureAction": "enforce",
		  "rules": [
			{
			  "name": "deny-privileged-disallowpriviligedescalation",
			  "match": {
				"resources": {
				  "kinds": [
					"Pod"
				  ]
				}
			  },
			  "validate": {
				"deny": {
				  "conditions": [
					{
					  "key": "a",
					  "operator": "Equals",
					  "value": "a"
					}
				  ]
				}
			  }
			},
			{
			  "name": "deny-privileged-disallowpriviligedescalation",
			  "match": {
				"resources": {
				  "kinds": [
					"Pod"
				  ]
				}
			  },
			  "validate": {
				"pattern": {
				  "spec": {
					"containers": [
					  {
						"image": "!*:latest"
					  }
					]
				  }
				}
			  }
			},
			{
			  "name": "annotate-host-path",
			  "match": {
				"resources": {
				  "kinds": [
					"Pod"
				  ]
				}
			  },
			  "mutate": {
				"overlay": {
				  "metadata": {
					"annotations": {
					  "+(cluster-autoscaler.kubernetes.io/safe-to-evict)": true
					}
				  }
				}
			  }
			},
			{
			  "name": "default-deny-ingress",
			  "match": {
				"resources": {
				  "kinds": [
					"Namespace"
				  ]
				}
			  },
			  "generate": {
				"kind": "NetworkPolicy",
				"name": "default-deny-ingress",
				"namespace": "{{request.object.metadata.name}}",
				"data": {
				  "spec": {
					"podSelector": {
					},
					"policyTypes": [
					  "Ingress"
					]
				  }
				}
			  }
			}
		  ]
		}
	  }`)

	var policy *kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	return policy
}

func newNsPolicy(t *testing.T) *kyverno.ClusterPolicy {
	rawPolicy := []byte(`{
		"metadata": {
		  "name": "test-policy",
		  "namespace": "test"
		},
		"spec": {
		  "validationFailureAction": "enforce",
		  "rules": [
			{
			  "name": "deny-privileged-disallowpriviligedescalation",
			  "match": {
				"resources": {
				  "kinds": [
					"Pod"
				  ]
				}
			  },
			  "validate": {
				"deny": {
				  "conditions": [
					{
					  "key": "a",
					  "operator": "Equals",
					  "value": "a"
					}
				  ]
				}
			  }
			},
			{
			  "name": "deny-privileged-disallowpriviligedescalation",
			  "match": {
				"resources": {
				  "kinds": [
					"Pod"
				  ]
				}
			  },
			  "validate": {
				"pattern": {
				  "spec": {
					"containers": [
					  {
						"image": "!*:latest"
					  }
					]
				  }
				}
			  }
			},
			{
			  "name": "annotate-host-path",
			  "match": {
				"resources": {
				  "kinds": [
					"Pod"
				  ]
				}
			  },
			  "mutate": {
				"overlay": {
				  "metadata": {
					"annotations": {
					  "+(cluster-autoscaler.kubernetes.io/safe-to-evict)": true
					}
				  }
				}
			  }
			},
			{
			  "name": "default-deny-ingress",
			  "match": {
				"resources": {
				  "kinds": [
					"Namespace"
				  ]
				}
			  },
			  "generate": {
				"kind": "NetworkPolicy",
				"name": "default-deny-ingress",
				"namespace": "{{request.object.metadata.name}}",
				"data": {
				  "spec": {
					"podSelector": {
					},
					"policyTypes": [
					  "Ingress"
					]
				  }
				}
			  }
			}
		  ]
		}
	  }`)

	var policy *kyverno.Policy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	return convertPolicyToClusterPolicy(policy)
}

func Test_Ns_All(t *testing.T) {
	pCache := newPolicyCache(log.Log)
	policy := newNsPolicy(t)

	// add
	pCache.Add(policy)
	nspace := policy.GetNamespace()
	// get
	if len(pCache.Get(Mutate, &nspace)) != 1 {
		t.Errorf("expected 1 mutate policy, found %v", len(pCache.Get(Mutate, &nspace)))
	}

	if len(pCache.Get(ValidateEnforce, &nspace)) != 1 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))
	}

	if len(pCache.Get(Generate, &nspace)) != 1 {
		t.Errorf("expected 1 generate policy, found %v", len(pCache.Get(Generate, &nspace)))
	}

	// remove
	pCache.Remove(policy)
	assert.Assert(t, len(pCache.Get(ValidateEnforce, &nspace)) == 0)
}

func Test_Ns_Add_Duplicate_Policy(t *testing.T) {
	pCache := newPolicyCache(log.Log)
	policy := newNsPolicy(t)

	pCache.Add(policy)
	pCache.Add(policy)
	pCache.Add(policy)
	nspace := policy.GetNamespace()
	if len(pCache.Get(Mutate, &nspace)) != 1 {
		t.Errorf("expected 1 mutate policy, found %v", len(pCache.Get(Mutate, &nspace)))
	}

	if len(pCache.Get(ValidateEnforce, &nspace)) != 1 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))
	}

	if len(pCache.Get(Generate, &nspace)) != 1 {
		t.Errorf("expected 1 generate policy, found %v", len(pCache.Get(Generate, &nspace)))
	}
}

func Test_Ns_Add_Validate_Audit(t *testing.T) {
	pCache := newPolicyCache(log.Log)
	policy := newNsPolicy(t)
	nspace := policy.GetNamespace()

	pCache.Add(policy)
	pCache.Add(policy)

	policy.Spec.ValidationFailureAction = "audit"
	pCache.Add(policy)
	pCache.Add(policy)

	if len(pCache.Get(ValidateEnforce, &nspace)) != 1 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))
	}

	if len(pCache.Get(ValidateAudit, &nspace)) != 1 {
		t.Errorf("expected 1 validate audit policy, found %v", len(pCache.Get(ValidateAudit, &nspace)))
	}
}

func Test_Ns_Add_Remove(t *testing.T) {
	pCache := newPolicyCache(log.Log)
	policy := newNsPolicy(t)

	pCache.Add(policy)
	nspace := policy.GetNamespace()
	if len(pCache.Get(ValidateEnforce, &nspace)) != 1 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))
	}

	pCache.Remove(policy)
	if len(pCache.Get(ValidateEnforce, &nspace)) != 0 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))
	}

	pCache.Add(policy)
	if len(pCache.Get(ValidateEnforce, &nspace)) != 1 {
		t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))
	}
}
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`package policycache`

			`import (`
			`"encoding/json"`
			`"testing"`

update nirmata/kyverno to kyverno/kyverno 2020-10-07 11:12:31 -07:00			`kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"`
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`"gotest.tools/assert"`
			`"sigs.k8s.io/controller-runtime/pkg/log"`
			`)`

			`func Test_All(t *testing.T) {`
			`pCache := newPolicyCache(log.Log)`
			`policy := newPolicy(t)`

			`// add`
			`pCache.Add(policy)`

			`// get`
Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`if len(pCache.Get(Mutate, nil)) != 1 {`
			`t.Errorf("expected 1 mutate policy, found %v", len(pCache.Get(Mutate, nil)))`
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`}`

Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`if len(pCache.Get(ValidateEnforce, nil)) != 1 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))`
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`}`

Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`if len(pCache.Get(Generate, nil)) != 1 {`
			`t.Errorf("expected 1 generate policy, found %v", len(pCache.Get(Generate, nil)))`
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`}`

			`// remove`
			`pCache.Remove(policy)`
Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`assert.Assert(t, len(pCache.Get(ValidateEnforce, nil)) == 0)`
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`}`

			`func Test_Add_Duplicate_Policy(t *testing.T) {`
			`pCache := newPolicyCache(log.Log)`
			`policy := newPolicy(t)`

			`pCache.Add(policy)`
			`pCache.Add(policy)`
			`pCache.Add(policy)`

Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`if len(pCache.Get(Mutate, nil)) != 1 {`
			`t.Errorf("expected 1 mutate policy, found %v", len(pCache.Get(Mutate, nil)))`
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`}`

Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`if len(pCache.Get(ValidateEnforce, nil)) != 1 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))`
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`}`

Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`if len(pCache.Get(Generate, nil)) != 1 {`
			`t.Errorf("expected 1 generate policy, found %v", len(pCache.Get(Generate, nil)))`
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`}`
			`}`

965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments 2020-07-09 11:48:34 -07:00			`func Test_Add_Validate_Audit(t *testing.T) {`
			`pCache := newPolicyCache(log.Log)`
			`policy := newPolicy(t)`

			`pCache.Add(policy)`
			`pCache.Add(policy)`

			`policy.Spec.ValidationFailureAction = "audit"`
			`pCache.Add(policy)`
			`pCache.Add(policy)`

Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`if len(pCache.Get(ValidateEnforce, nil)) != 1 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))`
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments 2020-07-09 11:48:34 -07:00			`}`

Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`if len(pCache.Get(ValidateAudit, nil)) != 1 {`
			`t.Errorf("expected 1 validate audit policy, found %v", len(pCache.Get(ValidateAudit, nil)))`
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments 2020-07-09 11:48:34 -07:00			`}`
			`}`

remove policy name cache entry on policy DELETE (#986) 2020-07-13 20:29:39 -07:00			`func Test_Add_Remove(t *testing.T) {`
			`pCache := newPolicyCache(log.Log)`
			`policy := newPolicy(t)`

			`pCache.Add(policy)`
Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`if len(pCache.Get(ValidateEnforce, nil)) != 1 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))`
remove policy name cache entry on policy DELETE (#986) 2020-07-13 20:29:39 -07:00			`}`

			`pCache.Remove(policy)`
Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`if len(pCache.Get(ValidateEnforce, nil)) != 0 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))`
remove policy name cache entry on policy DELETE (#986) 2020-07-13 20:29:39 -07:00			`}`

			`pCache.Add(policy)`
Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30			`if len(pCache.Get(ValidateEnforce, nil)) != 1 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, nil)))`
remove policy name cache entry on policy DELETE (#986) 2020-07-13 20:29:39 -07:00			`}`
			`}`

Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`func Test_Remove_From_Empty_Cache(t *testing.T) {`
			`pCache := newPolicyCache(log.Log)`
			`policy := newPolicy(t)`

			`pCache.Remove(policy)`
			`}`

			`func newPolicy(t testing.T) kyverno.ClusterPolicy {`
			rawPolicy := []byte(`{
remove policy name cache entry on policy DELETE (#986) 2020-07-13 20:29:39 -07:00			`"metadata": {`
			`"name": "test-policy"`
			`},`
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`"spec": {`
			`"validationFailureAction": "enforce",`
			`"rules": [`
			`{`
			`"name": "deny-privileged-disallowpriviligedescalation",`
			`"match": {`
			`"resources": {`
			`"kinds": [`
			`"Pod"`
			`]`
			`}`
			`},`
			`"validate": {`
			`"deny": {`
			`"conditions": [`
			`{`
			`"key": "a",`
			`"operator": "Equals",`
			`"value": "a"`
			`}`
			`]`
			`}`
			`}`
			`},`
			`{`
			`"name": "deny-privileged-disallowpriviligedescalation",`
			`"match": {`
			`"resources": {`
			`"kinds": [`
			`"Pod"`
			`]`
			`}`
			`},`
			`"validate": {`
			`"pattern": {`
			`"spec": {`
			`"containers": [`
			`{`
			`"image": "!*:latest"`
			`}`
			`]`
			`}`
			`}`
			`}`
			`},`
			`{`
			`"name": "annotate-host-path",`
			`"match": {`
			`"resources": {`
			`"kinds": [`
			`"Pod"`
			`]`
			`}`
			`},`
			`"mutate": {`
			`"overlay": {`
			`"metadata": {`
			`"annotations": {`
			`"+(cluster-autoscaler.kubernetes.io/safe-to-evict)": true`
			`}`
			`}`
			`}`
			`}`
			`},`
			`{`
			`"name": "default-deny-ingress",`
			`"match": {`
			`"resources": {`
			`"kinds": [`
			`"Namespace"`
			`]`
			`}`
			`},`
			`"generate": {`
			`"kind": "NetworkPolicy",`
			`"name": "default-deny-ingress",`
			`"namespace": "{{request.object.metadata.name}}",`
			`"data": {`
			`"spec": {`
			`"podSelector": {`
			`},`
			`"policyTypes": [`
			`"Ingress"`
			`]`
			`}`
			`}`
			`}`
			`}`
			`]`
			`}`
			}`)

			`var policy *kyverno.ClusterPolicy`
			`err := json.Unmarshal(rawPolicy, &policy)`
			`assert.NilError(t, err)`

			`return policy`
			`}`
Feature/namespaced policy 280 (#1058) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole 2020-08-19 21:37:23 +05:30
			`func newNsPolicy(t testing.T) kyverno.ClusterPolicy {`
			rawPolicy := []byte(`{
			`"metadata": {`
			`"name": "test-policy",`
			`"namespace": "test"`
			`},`
			`"spec": {`
			`"validationFailureAction": "enforce",`
			`"rules": [`
			`{`
			`"name": "deny-privileged-disallowpriviligedescalation",`
			`"match": {`
			`"resources": {`
			`"kinds": [`
			`"Pod"`
			`]`
			`}`
			`},`
			`"validate": {`
			`"deny": {`
			`"conditions": [`
			`{`
			`"key": "a",`
			`"operator": "Equals",`
			`"value": "a"`
			`}`
			`]`
			`}`
			`}`
			`},`
			`{`
			`"name": "deny-privileged-disallowpriviligedescalation",`
			`"match": {`
			`"resources": {`
			`"kinds": [`
			`"Pod"`
			`]`
			`}`
			`},`
			`"validate": {`
			`"pattern": {`
			`"spec": {`
			`"containers": [`
			`{`
			`"image": "!*:latest"`
			`}`
			`]`
			`}`
			`}`
			`}`
			`},`
			`{`
			`"name": "annotate-host-path",`
			`"match": {`
			`"resources": {`
			`"kinds": [`
			`"Pod"`
			`]`
			`}`
			`},`
			`"mutate": {`
			`"overlay": {`
			`"metadata": {`
			`"annotations": {`
			`"+(cluster-autoscaler.kubernetes.io/safe-to-evict)": true`
			`}`
			`}`
			`}`
			`}`
			`},`
			`{`
			`"name": "default-deny-ingress",`
			`"match": {`
			`"resources": {`
			`"kinds": [`
			`"Namespace"`
			`]`
			`}`
			`},`
			`"generate": {`
			`"kind": "NetworkPolicy",`
			`"name": "default-deny-ingress",`
			`"namespace": "{{request.object.metadata.name}}",`
			`"data": {`
			`"spec": {`
			`"podSelector": {`
			`},`
			`"policyTypes": [`
			`"Ingress"`
			`]`
			`}`
			`}`
			`}`
			`}`
			`]`
			`}`
			}`)

			`var policy *kyverno.Policy`
			`err := json.Unmarshal(rawPolicy, &policy)`
			`assert.NilError(t, err)`

			`return convertPolicyToClusterPolicy(policy)`
			`}`

			`func Test_Ns_All(t *testing.T) {`
			`pCache := newPolicyCache(log.Log)`
			`policy := newNsPolicy(t)`

			`// add`
			`pCache.Add(policy)`
			`nspace := policy.GetNamespace()`
			`// get`
			`if len(pCache.Get(Mutate, &nspace)) != 1 {`
			`t.Errorf("expected 1 mutate policy, found %v", len(pCache.Get(Mutate, &nspace)))`
			`}`

			`if len(pCache.Get(ValidateEnforce, &nspace)) != 1 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))`
			`}`

			`if len(pCache.Get(Generate, &nspace)) != 1 {`
			`t.Errorf("expected 1 generate policy, found %v", len(pCache.Get(Generate, &nspace)))`
			`}`

			`// remove`
			`pCache.Remove(policy)`
			`assert.Assert(t, len(pCache.Get(ValidateEnforce, &nspace)) == 0)`
			`}`

			`func Test_Ns_Add_Duplicate_Policy(t *testing.T) {`
			`pCache := newPolicyCache(log.Log)`
			`policy := newNsPolicy(t)`

			`pCache.Add(policy)`
			`pCache.Add(policy)`
			`pCache.Add(policy)`
			`nspace := policy.GetNamespace()`
			`if len(pCache.Get(Mutate, &nspace)) != 1 {`
			`t.Errorf("expected 1 mutate policy, found %v", len(pCache.Get(Mutate, &nspace)))`
			`}`

			`if len(pCache.Get(ValidateEnforce, &nspace)) != 1 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))`
			`}`

			`if len(pCache.Get(Generate, &nspace)) != 1 {`
			`t.Errorf("expected 1 generate policy, found %v", len(pCache.Get(Generate, &nspace)))`
			`}`
			`}`

			`func Test_Ns_Add_Validate_Audit(t *testing.T) {`
			`pCache := newPolicyCache(log.Log)`
			`policy := newNsPolicy(t)`
			`nspace := policy.GetNamespace()`

			`pCache.Add(policy)`
			`pCache.Add(policy)`

			`policy.Spec.ValidationFailureAction = "audit"`
			`pCache.Add(policy)`
			`pCache.Add(policy)`

			`if len(pCache.Get(ValidateEnforce, &nspace)) != 1 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))`
			`}`

			`if len(pCache.Get(ValidateAudit, &nspace)) != 1 {`
			`t.Errorf("expected 1 validate audit policy, found %v", len(pCache.Get(ValidateAudit, &nspace)))`
			`}`
			`}`

			`func Test_Ns_Add_Remove(t *testing.T) {`
			`pCache := newPolicyCache(log.Log)`
			`policy := newNsPolicy(t)`

			`pCache.Add(policy)`
			`nspace := policy.GetNamespace()`
			`if len(pCache.Get(ValidateEnforce, &nspace)) != 1 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))`
			`}`

			`pCache.Remove(policy)`
			`if len(pCache.Get(ValidateEnforce, &nspace)) != 0 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))`
			`}`

			`pCache.Add(policy)`
			`if len(pCache.Get(ValidateEnforce, &nspace)) != 1 {`
			`t.Errorf("expected 1 validate enforce policy, found %v", len(pCache.Get(ValidateEnforce, &nspace)))`
			`}`
			`}`