mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 09:26:54 +00:00
Code Activity
kyverno/pkg/cel/autogen/autogen_test.go

285 lines
7.6 KiB
Go
Raw Normal View History

feat: add autogen package for ValidatingPolicies (#11996) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-27 14:36:11 +02:00
package autogen
import (
"encoding/json"
"fmt"
"testing"
chore: move celexceptions to the new group (#12143) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-11 19:05:22 +02:00
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
feat: add autogen package for ValidatingPolicies (#11996) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-27 14:36:11 +02:00
"gotest.tools/assert"
"k8s.io/apimachinery/pkg/util/sets"
)
func Test_CanAutoGen(t *testing.T) {
testCases := []struct {
name string
policy []byte
expectedControllers sets.Set[string]
}{
{
name: "policy-with-match-name",
policy: []byte(`{
chore: move celexceptions to the new group (#12143) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-11 19:05:22 +02:00
"apiVersion": "policies.kyverno.io/v1alpha1",
feat: add autogen package for ValidatingPolicies (#11996) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-27 14:36:11 +02:00
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
},
"spec": {
"matchConstraints": {
"resourceRules": [
{
"apiGroups": [
""
],
"apiVersions": [
"v1"
],
"operations": [
"CREATE",
"UPDATE"
],
"resources": [
"pods"
],
"resourceNames": [
"test-pod"
]
}
]
},
"variables": [
{
"name": "environment",
"expression": "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'"
}
],
"validations": [
{
"expression": "variables.environment == true",
"message": "Pod labels must be env=prod"
}
]
}
}`),
expectedControllers: sets.New("none"),
},
{
name: "policy-with-match-object-selector",
policy: []byte(`{
chore: move celexceptions to the new group (#12143) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-11 19:05:22 +02:00
"apiVersion": "policies.kyverno.io/v1alpha1",
feat: add autogen package for ValidatingPolicies (#11996) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-27 14:36:11 +02:00
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
},
"spec": {
"matchConstraints": {
"resourceRules": [
{
"apiGroups": [
""
],
"apiVersions": [
"v1"
],
"operations": [
"CREATE",
"UPDATE"
],
"resources": [
"pods"
]
}
],
"objectSelector": {
"matchLabels": {
"app": "nginx"
}
}
},
"variables": [
{
"name": "environment",
"expression": "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'"
}
],
"validations": [
{
"expression": "variables.environment == true",
"message": "Pod labels must be env=prod"
}
]
}
}`),
expectedControllers: sets.New("none"),
},
{
name: "policy-with-match-namespace-selector",
policy: []byte(`{
chore: move celexceptions to the new group (#12143) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-11 19:05:22 +02:00
"apiVersion": "policies.kyverno.io/v1alpha1",
feat: add autogen package for ValidatingPolicies (#11996) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-27 14:36:11 +02:00
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
},
"spec": {
"matchConstraints": {
"resourceRules": [
{
"apiGroups": [
""
],
"apiVersions": [
"v1"
],
"operations": [
"CREATE",
"UPDATE"
],
"resources": [
"pods"
]
}
],
"namespaceSelector": {
"matchLabels": {
"app": "nginx"
}
}
},
"variables": [
{
"name": "environment",
"expression": "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'"
}
],
"validations": [
{
"expression": "variables.environment == true",
"message": "Pod labels must be env=prod"
}
]
}
}`),
expectedControllers: sets.New("none"),
},
{
name: "policy-with-match-mixed-kinds-pod-podcontrollers",
policy: []byte(`{
chore: move celexceptions to the new group (#12143) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-11 19:05:22 +02:00
"apiVersion": "policies.kyverno.io/v1alpha1",
feat: add autogen package for ValidatingPolicies (#11996) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-27 14:36:11 +02:00
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
},
"spec": {
"matchConstraints": {
"resourceRules": [
{
"apiGroups": [
""
],
"apiVersions": [
"v1"
],
"operations": [
"CREATE",
"UPDATE"
],
"resources": [
"pods"
]
},
{
"apiGroups": [
"apps"
],
"apiVersions": [
"v1"
],
"operations": [
"CREATE",
"UPDATE"
],
"resources": [
"deployments"
]
}
]
},
"variables": [
{
"name": "environment",
"expression": "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'"
}
],
"validations": [
{
"expression": "variables.environment == true",
"message": "Pod labels must be env=prod"
}
]
}
}`),
expectedControllers: sets.New("none"),
},
{
name: "policy-with-match-kinds-pod-only",
policy: []byte(`{
chore: move celexceptions to the new group (#12143) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-11 19:05:22 +02:00
"apiVersion": "policies.kyverno.io/v1alpha1",
feat: add autogen package for ValidatingPolicies (#11996) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-27 14:36:11 +02:00
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
},
"spec": {
"matchConstraints": {
"resourceRules": [
{
"apiGroups": [
""
],
"apiVersions": [
"v1"
],
"operations": [
"CREATE",
"UPDATE"
],
"resources": [
"pods"
]
}
]
},
"variables": [
{
"name": "environment",
"expression": "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'"
}
],
"validations": [
{
"expression": "variables.environment == true",
"message": "Pod labels must be env=prod"
}
]
}
}`),
expectedControllers: podControllers,
},
}
for _, test := range testCases {
t.Run(test.name, func(t *testing.T) {
chore: move celexceptions to the new group (#12143) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-11 19:05:22 +02:00
var policy *policiesv1alpha1.ValidatingPolicy
feat: add autogen package for ValidatingPolicies (#11996) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-27 14:36:11 +02:00
err := json.Unmarshal(test.policy, &policy)
assert.NilError(t, err)
fix: update match conditions for autogen rules (#12146) * fix: update match conditions for autogen rules Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: autogen match condition prefix Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: merge main Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: shuting <shuting@nirmata.com>
2025-02-12 16:34:19 +08:00
applyAutoGen, controllers := CanAutoGen(&policy.Spec)
feat: add autogen package for ValidatingPolicies (#11996) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-27 14:36:11 +02:00
if !applyAutoGen {
controllers = sets.New("none")
}
equalityTest := test.expectedControllers.Equal(controllers)
assert.Assert(t, equalityTest, fmt.Sprintf("expected: %v, got: %v", test.expectedControllers, controllers))
})
}
}
Copy permalink