kyverno/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/chainsaw-test.yaml

apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
  creationTimestamp: null
  name: invalid-pod-security-exceptions
spec:
  steps:
  - name: Apply the first policy exception
    try:
    - script:
        content: kubectl apply -f exception-1.yaml
        check:
          ($error != null): true
          # This check ensures the contents of stderr are exactly as shown.  
          ($stderr): |-
            Error from server: error when creating "exception-1.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: [spec.podSecurity[0].controlName: Invalid value: "Capabilities": exclude.images must be specified for the container level control, spec.podSecurity[3].controlName: Invalid value: "Privilege Escalation": exclude.images must be specified for the container level control]
  - name: Apply the second policy exception
    try:
    - script:
        content: kubectl apply -f exception-2.yaml
        check:
          ($error != null): true
          # This check ensures the contents of stderr are exactly as shown.  
          ($stderr): |-
            Error from server: error when creating "exception-2.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: spec.podSecurity[0].values: Forbidden: values is required
  - name: Apply the third policy exception
    try:
    - script:
        content: kubectl apply -f exception-3.yaml
        check:
          ($error != null): true
          # This check ensures the contents of stderr are exactly as shown.  
          ($stderr): |-
            Error from server: error when creating "exception-3.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: spec.podSecurity[0].restrictedField: Forbidden: restrictedField is required
fix: add podSecurity validation checks for exceptions (#9817) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2024-02-28 10:21:10 +02:00			`apiVersion: chainsaw.kyverno.io/v1alpha1`
			`kind: Test`
			`metadata:`
			`creationTimestamp: null`
			`name: invalid-pod-security-exceptions`
			`spec:`
			`steps:`
			`- name: Apply the first policy exception`
			`try:`
			`- script:`
			`content: kubectl apply -f exception-1.yaml`
			`check:`
			`($error != null): true`
			`# This check ensures the contents of stderr are exactly as shown.`
			`($stderr): \|-`
			`Error from server: error when creating "exception-1.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: [spec.podSecurity[0].controlName: Invalid value: "Capabilities": exclude.images must be specified for the container level control, spec.podSecurity[3].controlName: Invalid value: "Privilege Escalation": exclude.images must be specified for the container level control]`
			`- name: Apply the second policy exception`
			`try:`
			`- script:`
			`content: kubectl apply -f exception-2.yaml`
			`check:`
			`($error != null): true`
			`# This check ensures the contents of stderr are exactly as shown.`
			`($stderr): \|-`
			`Error from server: error when creating "exception-2.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: spec.podSecurity[0].values: Forbidden: values is required`
			`- name: Apply the third policy exception`
			`try:`
			`- script:`
			`content: kubectl apply -f exception-3.yaml`
			`check:`
			`($error != null): true`
			`# This check ensures the contents of stderr are exactly as shown.`
			`($stderr): \|-`
			`Error from server: error when creating "exception-3.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: spec.podSecurity[0].restrictedField: Forbidden: restrictedField is required`