mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 07:57:07 +00:00
Code Activity
kyverno/pkg/policy/validate_test.go

2060 lines
48 KiB
Go
Raw Normal View History

manage policy validation inside engine pkg
2019-10-18 17:45:24 -07:00
package policy
add unit tests
2019-10-01 11:50:10 -07:00
import (
"encoding/json"
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
"errors"
Bug 1799: Fix mutate policy defaults and Fix endless look of auto-gen rules. (#1839) * Fix Dev setup * Mutate policy defaults (1799) * fix look for exclude ResourceDescription * fix condition * reuse code Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 22:21:23 +05:30
"fmt"
add unit tests
2019-10-01 11:50:10 -07:00
"testing"
Restructure project to follow standards (#2632) Signed-off-by: Jose Armesto <github@armesto.net>
2021-10-29 18:13:20 +02:00
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
add package logger in files (#4766) * add package logger in files Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * add package logger to initContainer and other files Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * helm docs Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * helm default values Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * release notes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-02 20:45:03 +01:00
"github.com/kyverno/kyverno/pkg/logging"
fix unit test Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 17:22:34 -08:00
"github.com/kyverno/kyverno/pkg/openapi"
add unit tests
2019-10-01 11:50:10 -07:00
"gotest.tools/assert"
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
add unit tests
2019-10-01 11:50:10 -07:00
)
func Test_Validate_ResourceDescription_Empty(t *testing.T) {
policy validation: refactoring
2019-10-21 14:22:31 -07:00
var err error
add unit tests
2019-10-01 11:50:10 -07:00
rawResourcedescirption := []byte(`{}`)
manage policy validation inside engine pkg
2019-10-18 17:45:24 -07:00
var rd kyverno.ResourceDescription
policy validation: refactoring
2019-10-21 14:22:31 -07:00
err = json.Unmarshal(rawResourcedescirption, &rd)
add unit tests
2019-10-01 11:50:10 -07:00
assert.NilError(t, err)
policy validation: refactoring
2019-10-21 14:22:31 -07:00
_, err = validateMatchedResourceDescription(rd)
assert.Assert(t, err != nil)
add unit tests
2019-10-01 11:50:10 -07:00
}
policy validation: refactoring
2019-10-21 14:22:31 -07:00
func Test_Validate_ResourceDescription_MatchedValid(t *testing.T) {
rawResourcedescirption := []byte(`
add unit tests
2019-10-01 11:50:10 -07:00
{
policy validation: refactoring
2019-10-21 14:22:31 -07:00
"kinds": [
"Deployment"
],
add unit tests
2019-10-01 11:50:10 -07:00
"selector": {
"matchLabels": {
"app.type": "prod"
}
}
}`)
manage policy validation inside engine pkg
2019-10-18 17:45:24 -07:00
var rd kyverno.ResourceDescription
policy validation: refactoring
2019-10-21 14:22:31 -07:00
err := json.Unmarshal(rawResourcedescirption, &rd)
add unit tests
2019-10-01 11:50:10 -07:00
assert.NilError(t, err)
policy validation: refactoring
2019-10-21 14:22:31 -07:00
_, err = validateMatchedResourceDescription(rd)
assert.NilError(t, err)
add unit tests
2019-10-01 11:50:10 -07:00
}
ignore kinds check on exclude resource description
2019-10-01 15:01:24 -07:00
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
func Test_Validate_DenyConditions_KeyRequestOperation_Empty(t *testing.T) {
denyConditions := []byte(`[]`)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
var dcs apiextensions.JSON
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
err := json.Unmarshal(denyConditions, &dcs)
assert.NilError(t, err)
_, err = validateConditions(dcs, "conditions")
assert.NilError(t, err)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
_, err = validateConditions(dcs, "conditions")
assert.NilError(t, err)
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
}
func Test_Validate_Preconditions_KeyRequestOperation_Empty(t *testing.T) {
preConditions := []byte(`[]`)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
var pcs apiextensions.JSON
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
err := json.Unmarshal(preConditions, &pcs)
assert.NilError(t, err)
_, err = validateConditions(pcs, "preconditions")
assert.NilError(t, err)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
_, err = validateConditions(pcs, "preconditions")
assert.NilError(t, err)
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
}
func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_ExpectedValue(t *testing.T) {
denyConditions := []byte(`
[
{
"key":"{{request.operation}}",
"operator":"Equals",
"value":"DELETE"
},
{
"key":"{{request.operation}}",
"operator":"NotEquals",
"value":"CREATE"
},
{
"key":"{{request.operation}}",
"operator":"NotEquals",
"value":"CONNECT"
},
{
"key":"{{ request.operation }}",
"operator":"NotEquals",
"value":"UPDATE"
},
{
"key":"{{lbServiceCount}}",
"operator":"Equals",
"value":"2"
}
]
`)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
var dcs apiextensions.JSON
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
err := json.Unmarshal(denyConditions, &dcs)
assert.NilError(t, err)
_, err = validateConditions(dcs, "conditions")
assert.NilError(t, err)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
_, err = validateConditions(dcs, "conditions")
assert.NilError(t, err)
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
}
fix: allowed templatised values to be exempted from validation checks (#1599) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-17 02:36:07 +05:30
func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_RightfullyTemplatizedValue(t *testing.T) {
denyConditions := []byte(`
[
{
"key":"{{request.operation}}",
"operator":"Equals",
"value":"{{ \"ops-cm\".data.\"deny-ops\"}}"
},
{
"key":"{{ request.operation }}",
"operator":"NotEquals",
"value":"UPDATE"
}
]
`)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
var dcs apiextensions.JSON
fix: allowed templatised values to be exempted from validation checks (#1599) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-17 02:36:07 +05:30
err := json.Unmarshal(denyConditions, &dcs)
assert.NilError(t, err)
_, err = validateConditions(dcs, "conditions")
assert.NilError(t, err)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
_, err = validateConditions(dcs, "conditions")
assert.NilError(t, err)
fix: allowed templatised values to be exempted from validation checks (#1599) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-17 02:36:07 +05:30
}
func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_WrongfullyTemplatizedValue(t *testing.T) {
denyConditions := []byte(`
[
{
"key":"{{request.operation}}",
"operator":"Equals",
"value":"{{ \"ops-cm\".data.\"deny-ops\" }"
},
{
"key":"{{ request.operation }}",
"operator":"NotEquals",
"value":"UPDATE"
}
]
`)
var dcs []kyverno.Condition
err := json.Unmarshal(denyConditions, &dcs)
assert.NilError(t, err)
_, err = validateConditions(dcs, "conditions")
assert.Assert(t, err != nil)
}
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
func Test_Validate_PreconditionsValuesString_KeyRequestOperation_UnknownValue(t *testing.T) {
preConditions := []byte(`
[
{
"key":"{{request.operation}}",
"operator":"Equals",
"value":"foobar"
},
{
"key": "{{request.operation}}",
"operator": "NotEquals",
"value": "CREATE"
}
]
`)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
var pcs apiextensions.JSON
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
err := json.Unmarshal(preConditions, &pcs)
assert.NilError(t, err)
_, err = validateConditions(pcs, "preconditions")
assert.Assert(t, err != nil)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
_, err = validateConditions(pcs, "preconditions")
assert.Assert(t, err != nil)
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
}
func Test_Validate_DenyConditionsValuesList_KeyRequestOperation_ExpectedItem(t *testing.T) {
denyConditions := []byte(`
[
{
"key":"{{request.operation}}",
"operator":"Equals",
"value": [
"CREATE",
"DELETE",
"CONNECT"
]
},
{
"key":"{{request.operation}}",
"operator":"NotEquals",
"value": [
"UPDATE"
]
},
{
"key": "{{lbServiceCount}}",
"operator": "Equals",
"value": "2"
}
]
`)
var dcs []kyverno.Condition
err := json.Unmarshal(denyConditions, &dcs)
assert.NilError(t, err)
_, err = validateConditions(dcs, "conditions")
assert.NilError(t, err)
}
func Test_Validate_PreconditionsValuesList_KeyRequestOperation_UnknownItem(t *testing.T) {
preConditions := []byte(`
[
{
"key":"{{request.operation}}",
"operator":"Equals",
"value": [
"foobar",
"CREATE"
]
},
{
"key":"{{request.operation}}",
"operator":"NotEquals",
"value": [
"foobar"
]
}
]
`)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
var pcs apiextensions.JSON
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
err := json.Unmarshal(preConditions, &pcs)
assert.NilError(t, err)
_, err = validateConditions(pcs, "preconditions")
assert.Assert(t, err != nil)
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-02 10:01:06 +05:30
_, err = validateConditions(pcs, "preconditions")
assert.Assert(t, err != nil)
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-02 02:57:16 +05:30
}
add unit tests
2019-10-01 11:50:10 -07:00
func Test_Validate_Policy(t *testing.T) {
rawPolicy := []byte(`
{
update api in tests
2019-11-13 13:56:07 -08:00
"apiVersion": "kyverno.io/v1",
add unit tests
2019-10-01 11:50:10 -07:00
"kind": "ClusterPolicy",
"metadata": {
"name": "container-security-context"
},
"spec": {
"rules": [
{
add validate checks for generate
2019-10-03 14:47:50 -07:00
"name": "validate-runAsNonRoot",
add unit tests
2019-10-01 11:50:10 -07:00
"match": {
"resources": {
"kinds": [
"Deployment"
],
"selector": {
"matchLabels": {
"app.type": "prod"
}
}
}
},
"validate": {
"message": "validate container security contexts",
"anyPattern": [
{
"spec": {
"template": {
"spec": {
"^(containers)": [
{
"securityContext": {
add validate checks for generate
2019-10-03 14:47:50 -07:00
"runAsNonRoot": "true"
add unit tests
2019-10-01 11:50:10 -07:00
}
}
]
}
}
}
}
]
}
add validate checks for generate
2019-10-03 14:47:50 -07:00
},
{
"name": "validate-allowPrivilegeEscalation",
"match": {
"resources": {
"kinds": [
"Deployment"
],
"selector": {
"matchLabels": {
"app.type": "prod"
}
}
}
},
"validate": {
"message": "validate container security contexts",
"pattern": {
"spec": {
"template": {
"spec": {
"^(containers)": [
{
"securityContext": {
"allowPrivilegeEscalation": "false"
}
}
]
}
}
}
}
}
add unit tests
2019-10-01 11:50:10 -07:00
}
]
}
}`)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
Improve / clean up code (#1444) * Remove lock embedded in CRD controller, use concurrent map to store shcemas * delete rcr info from data store * skip policy validation on status update * - remove status check in policy mutation; - fix test * Remove fqdncn flag * add flag profiling port * skip policy mutation & validation on status update * sync policy status every minute * update log messages
2021-01-06 16:32:02 -08:00
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
validate anchor in mutate and validate rule
2019-10-03 12:52:58 -07:00
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
_, err = Validate(policy, nil, true, openApiManager)
validate anchor in mutate and validate rule
2019-10-03 12:52:58 -07:00
assert.NilError(t, err)
Provide more details to policy validation errors
2019-10-03 16:49:41 -07:00
}
func Test_Validate_ErrorFormat(t *testing.T) {
rawPolicy := []byte(`
{
update api in tests
2019-11-13 13:56:07 -08:00
"apiVersion": "kyverno.io/v1",
Provide more details to policy validation errors
2019-10-03 16:49:41 -07:00
"kind": "ClusterPolicy",
"metadata": {
"name": "test-error-format"
},
"spec": {
"rules": [
{
"name": "image-pull-policy",
"match": {
"resources": {
"kinds": [
"Deployment"
],
"selector": {
"matchLabels": {
"app": "nginxlatest"
}
}
}
},
"exclude": {
"resources": {
"selector": {
"app": "nginxlatest"
}
}
},
"mutate": {
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
"patchStrategicMerge": {
Provide more details to policy validation errors
2019-10-03 16:49:41 -07:00
"spec": {
"template": {
"spec": {
"containers": [
{
"=(image)": "*latest",
"imagePullPolicy": "IfNotPresent"
}
]
}
}
}
}
}
},
{
"name": "validate-user-privilege",
"match": {
"resources": {
"kinds": [],
"selector": {
"matchLabels": {
"app.type": "prod"
}
}
}
},
"validate": {
"message": "validate container security contexts",
"anyPattern": [
{
"spec": {
"template": {
"spec": {
"^(containers)": [
{
"securityContext": {
"runAsNonRoot": "true"
}
}
]
}
}
}
}
]
}
},
{
"name": "validate-user-privilege",
"match": {
"resources": {
"kinds": [
"Deployment"
],
"selector": {
"matchLabels": {
"app.type": "prod"
}
}
}
},
"validate": {
"message": "validate container security contexts",
"pattern": {
"spec": {
"template": {
"spec": {
"containers": [
{
"^(securityContext)": {
"allowPrivilegeEscalation": "false"
}
}
]
}
}
}
}
}
},
{
"name": "default-networkpolicy",
"match": {
"resources": {
"kinds": [
"Namespace"
],
"name": "devtest"
}
},
"generate": {
"kind": "ConfigMap",
"name": "copied-cm",
"clone": {
"^(namespace)": "default",
"name": "game-config"
}
}
}
]
}
}
`)
Improve / clean up code (#1444) * Remove lock embedded in CRD controller, use concurrent map to store shcemas * delete rcr info from data store * skip policy validation on status update * - remove status check in policy mutation; - fix test * Remove fqdncn flag * add flag profiling port * skip policy mutation & validation on status update * sync policy status every minute * update log messages
2021-01-06 16:32:02 -08:00
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
_, err = Validate(policy, nil, true, openApiManager)
policy validation: refactoring
2019-10-21 14:22:31 -07:00
assert.Assert(t, err != nil)
add validate checks for generate
2019-10-03 14:47:50 -07:00
}
add unit test
2019-12-05 11:55:00 -08:00
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
func Test_BackGroundUserInfo_match_roles(t *testing.T) {
var err error
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-root-user"
},
"spec": {
"rules": [
{
"name": "match.roles",
"match": {
"roles": [
"a",
"b"
]
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err = json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
redo variable validation (#2647) * redo variable validation Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle quotes for JMESPath - escaping Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests and linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-03 11:16:55 -07:00
err = containsUserVariables(policy, nil)
744 fixing policy validation and removing allRequests field
2020-05-06 19:46:32 +05:30
assert.Equal(t, err.Error(), "invalid variable used at path: spec/rules[0]/match/roles")
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
}
func Test_BackGroundUserInfo_match_clusterRoles(t *testing.T) {
var err error
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-root-user"
},
"spec": {
"rules": [
{
"name": "match.clusterRoles",
"match": {
"clusterRoles": [
"a",
"b"
]
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err = json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
redo variable validation (#2647) * redo variable validation Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle quotes for JMESPath - escaping Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests and linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-03 11:16:55 -07:00
err = containsUserVariables(policy, nil)
744 fixing policy validation and removing allRequests field
2020-05-06 19:46:32 +05:30
assert.Equal(t, err.Error(), "invalid variable used at path: spec/rules[0]/match/clusterRoles")
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
}
func Test_BackGroundUserInfo_match_subjects(t *testing.T) {
var err error
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-root-user"
},
"spec": {
"rules": [
{
"name": "match.subjects",
"match": {
"subjects": [
{
"Name": "a"
},
{
"Name": "b"
}
]
}
}
]
}
} `)
var policy *kyverno.ClusterPolicy
err = json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
redo variable validation (#2647) * redo variable validation Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle quotes for JMESPath - escaping Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests and linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-03 11:16:55 -07:00
err = containsUserVariables(policy, nil)
744 fixing policy validation and removing allRequests field
2020-05-06 19:46:32 +05:30
assert.Equal(t, err.Error(), "invalid variable used at path: spec/rules[0]/match/subjects")
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
}
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
func Test_BackGroundUserInfo_mutate_patchStrategicMerge1(t *testing.T) {
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
var err error
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-root-user"
},
"spec": {
"rules": [
{
"name": "mutate.overlay1",
"mutate": {
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
"patchStrategicMerge": {
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
"var1": "{{request.userInfo}}"
}
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err = json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
redo variable validation (#2647) * redo variable validation Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle quotes for JMESPath - escaping Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests and linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-03 11:16:55 -07:00
err = ValidateVariables(policy, true)
fix unit test Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 17:22:34 -08:00
assert.Assert(t, err != nil)
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
}
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
func Test_BackGroundUserInfo_mutate_patchStrategicMerge2(t *testing.T) {
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
var err error
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-root-user"
},
"spec": {
"rules": [
{
"name": "mutate.overlay2",
"mutate": {
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
"patchStrategicMerge": {
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
"var1": "{{request.userInfo.userName}}"
}
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err = json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
redo variable validation (#2647) * redo variable validation Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle quotes for JMESPath - escaping Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests and linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-03 11:16:55 -07:00
err = ValidateVariables(policy, true)
fix unit test Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 17:22:34 -08:00
assert.Assert(t, err != nil)
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
}
func Test_BackGroundUserInfo_validate_pattern(t *testing.T) {
var err error
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-root-user"
},
"spec": {
"rules": [
{
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
"name": "validate-patch-strategic-merge",
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
"validate": {
"pattern": {
"var1": "{{request.userInfo}}"
}
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err = json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
redo variable validation (#2647) * redo variable validation Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle quotes for JMESPath - escaping Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests and linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-03 11:16:55 -07:00
err = ValidateVariables(policy, true)
Bug fixes - policy validation, auto-generated rules, apiCall support in mutate and generate (#1629) * Fix invalid policy reports generated for blocked resource Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix 1464 - copy context and preconditions to auto-gen rules Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix 1628 - add policy validations Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix 1593 - support apiCall in mutate and generate Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix test Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 12:08:26 -08:00
assert.Assert(t, err != nil, err)
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
}
func Test_BackGroundUserInfo_validate_anyPattern(t *testing.T) {
var err error
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-root-user"
},
"spec": {
"rules": [
{
"name": "validate.anyPattern",
"validate": {
"anyPattern": [
{
"var1": "temp"
},
{
"var1": "{{request.userInfo}}"
}
]
}
}
]
}
} `)
var policy *kyverno.ClusterPolicy
err = json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
redo variable validation (#2647) * redo variable validation Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle quotes for JMESPath - escaping Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests and linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-03 11:16:55 -07:00
err = ValidateVariables(policy, true)
fix unit test Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 17:22:34 -08:00
assert.Assert(t, err != nil)
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
}
check for multiple variables in a expression & serviceAccount variables (#610) * check for multiple variables in a expression & serviceAccount variables * update the regex matcher
2020-01-13 18:56:11 -08:00
func Test_BackGroundUserInfo_validate_anyPattern_multiple_var(t *testing.T) {
var err error
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-root-user"
},
"spec": {
"rules": [
{
"name": "validate.anyPattern",
"validate": {
"anyPattern": [
{
"var1": "temp"
},
{
"var1": "{{request.userInfo}}-{{temp}}"
}
]
}
}
]
}
} `)
var policy *kyverno.ClusterPolicy
err = json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
redo variable validation (#2647) * redo variable validation Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle quotes for JMESPath - escaping Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests and linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-03 11:16:55 -07:00
err = ValidateVariables(policy, true)
fix unit test Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 17:22:34 -08:00
assert.Assert(t, err != nil)
check for multiple variables in a expression & serviceAccount variables (#610) * check for multiple variables in a expression & serviceAccount variables * update the regex matcher
2020-01-13 18:56:11 -08:00
}
func Test_BackGroundUserInfo_validate_anyPattern_serviceAccount(t *testing.T) {
var err error
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-root-user"
},
"spec": {
"rules": [
{
"name": "validate.anyPattern",
"validate": {
"anyPattern": [
{
"var1": "temp"
},
{
"var1": "{{serviceAccountName}}"
}
]
}
}
]
}
} `)
var policy *kyverno.ClusterPolicy
err = json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
redo variable validation (#2647) * redo variable validation Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle quotes for JMESPath - escaping Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests and linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-03 11:16:55 -07:00
err = ValidateVariables(policy, true)
fix unit test Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 17:22:34 -08:00
assert.Assert(t, err != nil)
check for multiple variables in a expression & serviceAccount variables (#610) * check for multiple variables in a expression & serviceAccount variables * update the regex matcher
2020-01-13 18:56:11 -08:00
}
658 prototype with testcases
2020-02-26 16:08:56 +05:30
func Test_ruleOnlyDealsWithResourceMetaData(t *testing.T) {
testcases := []struct {
description string
rule []byte
expectedOutput bool
}{
{
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
description: "Test mutate patchStrategicMerge - pass",
rule: []byte(`{"name":"testPatches1","mutate":{"patchStrategicMerge":{"metadata":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}`),
658 prototype with testcases
2020-02-26 16:08:56 +05:30
expectedOutput: true,
},
{
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
description: "Test mutate patchStrategicMerge - fail",
rule: []byte(`{"name":"testPatches2","mutate":{"patchStrategicMerge":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}`),
658 prototype with testcases
2020-02-26 16:08:56 +05:30
expectedOutput: false,
},
{
description: "Test mutate patch - pass",
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
rule: []byte(`{"name":"testPatches3","mutate":{"patchesJson6902": "[{\"path\":\"/metadata/labels/isMutated\",\"op\":\"add\",\"value\":\"true\"},{\"path\":\"/metadata/labels/app\",\"op\":\"replace\",\"value\":\"nginx_is_mutated\"}]"}}`),
658 prototype with testcases
2020-02-26 16:08:56 +05:30
expectedOutput: true,
},
{
description: "Test mutate patch - fail",
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
rule: []byte(`{"name":"testPatches4","mutate":{"patchesJson6902": "[{\"path\":\"/spec/labels/isMutated\",\"op\":\"add\",\"value\":\"true\"},{\"path\":\"/metadata/labels/app\",\"op\":\"replace\",\"value\":\"nginx_is_mutated\"}]" }}`),
658 prototype with testcases
2020-02-26 16:08:56 +05:30
expectedOutput: false,
},
{
description: "Test validate - pass",
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
rule: []byte(`{"name":"testValidate1","validate":{"message":"CPU and memory resource requests and limits are required","pattern":{"metadata":{"containers":[{"(name)":"*","ports":[{"containerPort":80}]}]}}}}`),
658 prototype with testcases
2020-02-26 16:08:56 +05:30
expectedOutput: true,
},
{
description: "Test validate - fail",
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
rule: []byte(`{"name":"testValidate2","validate":{"message":"CPU and memory resource requests and limits are required","pattern":{"spec":{"containers":[{"(name)":"*","ports":[{"containerPort":80}]}]}}}}`),
658 prototype with testcases
2020-02-26 16:08:56 +05:30
expectedOutput: false,
},
{
description: "Test validate any pattern - pass",
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
rule: []byte(`{"name":"testValidateAnyPattern1","validate":{"message":"Volumes white list","anyPattern":[{"metadata":{"volumes":[{"hostPath":"*"}]}},{"metadata":{"volumes":[{"emptyDir":"*"}]}},{"metadata":{"volumes":[{"configMap":"*"}]}}]}}`),
658 prototype with testcases
2020-02-26 16:08:56 +05:30
expectedOutput: true,
},
{
description: "Test validate any pattern - fail",
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
rule: []byte(`{"name":"testValidateAnyPattern2","validate":{"message":"Volumes white list","anyPattern":[{"spec":{"volumes":[{"hostPath":"*"}]}},{"metadata":{"volumes":[{"emptyDir":"*"}]}},{"metadata":{"volumes":[{"configMap":"*"}]}}]}}`),
658 prototype with testcases
2020-02-26 16:08:56 +05:30
expectedOutput: false,
},
}
for i, testcase := range testcases {
var rule kyverno.Rule
_ = json.Unmarshal(testcase.rule, &rule)
output := ruleOnlyDealsWithResourceMetaData(rule)
if output != testcase.expectedOutput {
updates for foreach and mutate (#2891) * updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-04 17:36:33 -08:00
t.Errorf("Testcase [%d] (%s) failed", i+1, testcase.description)
658 prototype with testcases
2020-02-26 16:08:56 +05:30
}
}
753 prototype changes
2020-03-20 20:23:34 +05:30
}
Bug 1799: Fix mutate policy defaults and Fix endless look of auto-gen rules. (#1839) * Fix Dev setup * Mutate policy defaults (1799) * fix look for exclude ResourceDescription * fix condition * reuse code Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 22:21:23 +05:30
Bugfix : Make match.resources.kinds required (#1852) * Fix Dev setup * Bugfix : Make match.resources.kinds required Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 23:44:55 +05:30
func Test_Validate_Kind(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "policy-to-monitor-root-user-access"
},
"spec": {
"validationFailureAction": "audit",
"rules": [
{
"name": "monitor-annotation-for-root-user-access",
"match": {
"resources": {
"selector": {
"matchLabels": {
"AllowRootUserAccess": "true"
}
}
}
},
"validate": {
"message": "Label provisioner.wg.net/cloudprovider is required",
"pattern": {
"metadata": {
"labels": {
"provisioner.wg.net/cloudprovider": "*"
}
}
}
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
_, err = Validate(policy, nil, true, openApiManager)
Bugfix : Make match.resources.kinds required (#1852) * Fix Dev setup * Bugfix : Make match.resources.kinds required Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 23:44:55 +05:30
assert.Assert(t, err != nil)
}
Add function label_match, to use matchLabel in JMESPath, usage: label_match(labels_from_network_policy, labels_from pod) bool, Remove validation for JMESPath (#1862) Signed-off-by: Thomas Rosenstein <thomas@thoro.at>
2021-05-04 18:28:30 +02:00
adding any/all under match and exclude blocks (#2130) * intial commit Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * update types Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * updated all type Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * extract to single struct Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * updated match resource description function Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * minor test working Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * match resources test is working Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * exclude resources test is working Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * changed double negetive in logic Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * yamls updated and added validation and cache loops Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * match exclude working but need to fix matchExcludeConflict function Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * restored doMatchAndExcludeConflict function Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * rewrote the matchExcludeConflictFunction Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * finalizing completed till utils_test.go Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * ready for review complete Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * update yamls Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * one more merge conflict solved Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * regenerates YAMLs Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * possible fix for failing tests Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * removed duplicate any/all logic and added a test, (rest refacotring is in progress) Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * cache test is working Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * improved cache test and it is working Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * added check for mutate and generate policies too Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * cleaned doesResourceMatchConditionBlock logic but validation still has code from attempt to combine the all block Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * reverted validate.go to older logic Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * removed commented code Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * removed extra comments Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>
2021-07-29 01:29:53 +05:30
func Test_Validate_Any_Kind(t *testing.T) {
rawPolicy := []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "policy-to-monitor-root-user-access"
},
"spec": {
"validationFailureAction": "audit",
"rules": [
{
"name": "monitor-annotation-for-root-user-access",
"match": {
"any": [
{
"resources": {
"selector": {
"matchLabels": {
"AllowRootUserAccess": "true"
}
}
}
}
]
},
"validate": {
"message": "Label provisioner.wg.net/cloudprovider is required",
"pattern": {
"metadata": {
"labels": {
"provisioner.wg.net/cloudprovider": "*"
}
}
}
}
}
]
}
}`)
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
_, err = Validate(policy, nil, true, openApiManager)
adding any/all under match and exclude blocks (#2130) * intial commit Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * update types Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * updated all type Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * extract to single struct Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * updated match resource description function Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * minor test working Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * match resources test is working Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * exclude resources test is working Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * changed double negetive in logic Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * yamls updated and added validation and cache loops Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * match exclude working but need to fix matchExcludeConflict function Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * restored doMatchAndExcludeConflict function Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * rewrote the matchExcludeConflictFunction Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * finalizing completed till utils_test.go Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * ready for review complete Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * update yamls Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * one more merge conflict solved Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * regenerates YAMLs Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * possible fix for failing tests Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * removed duplicate any/all logic and added a test, (rest refacotring is in progress) Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * cache test is working Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * improved cache test and it is working Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * added check for mutate and generate policies too Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * cleaned doesResourceMatchConditionBlock logic but validation still has code from attempt to combine the all block Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * reverted validate.go to older logic Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * removed commented code Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * removed extra comments Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>
2021-07-29 01:29:53 +05:30
assert.Assert(t, err != nil)
}
Bug 1799: Fix mutate policy defaults and Fix endless look of auto-gen rules. (#1839) * Fix Dev setup * Mutate policy defaults (1799) * fix look for exclude ResourceDescription * fix condition * reuse code Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 22:21:23 +05:30
func Test_checkAutoGenRules(t *testing.T) {
testCases := []struct {
name string
policy []byte
expectedResult bool
}{
{
Disable auto-gen when a rule has mixed of kinds: pod & pod controllers (#1847) * disable auto-gen when a rule has mixed of kinds: pod & pod controllers Signed-off-by: Shuting Zhao <shutting06@gmail.com> * Bugfix : Make match.resources.kinds required (#1843) * Fix Dev setup * make kind required in MatchResources * add test cases Co-authored-by: vyankatesh <vyankatesh@neualto.com> * address PR comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update background canAutoGen unit tests Signed-off-by: Shuting Zhao <shutting06@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 14:59:37 -07:00
name: "rule-missing-autogen-cronjob",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test","annotations":{"pod-policies.kyverno.io/autogen-controllers":"Deployment,CronJob"}},"spec":{"rules":[{"match":{"resources":{"kinds":["Pod"]}},"name":"block-old-flux","validate":{"message":"CannotuseoldFluxv1annotation.","pattern":{"metadata":{"=(annotations)":{"X(fluxcd.io/*)":"*?"}}}}},{"match":{"resources":{"kinds":["Deployment"]}},"name":"autogen-block-old-flux","validate":{"message":"CannotuseoldFluxv1annotation.","pattern":{"spec":{"template":{"metadata":{"=(annotations)":{"X(fluxcd.io/*)":"*?"}}}}}}}]}}`),
expectedResult: true,
Bug 1799: Fix mutate policy defaults and Fix endless look of auto-gen rules. (#1839) * Fix Dev setup * Mutate policy defaults (1799) * fix look for exclude ResourceDescription * fix condition * reuse code Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 22:21:23 +05:30
},
{
Disable auto-gen when a rule has mixed of kinds: pod & pod controllers (#1847) * disable auto-gen when a rule has mixed of kinds: pod & pod controllers Signed-off-by: Shuting Zhao <shutting06@gmail.com> * Bugfix : Make match.resources.kinds required (#1843) * Fix Dev setup * make kind required in MatchResources * add test cases Co-authored-by: vyankatesh <vyankatesh@neualto.com> * address PR comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update background canAutoGen unit tests Signed-off-by: Shuting Zhao <shutting06@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 14:59:37 -07:00
name: "rule-missing-autogen-deployment",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test","annotations":{"pod-policies.kyverno.io/autogen-controllers":"Deployment,CronJob"}},"spec":{"rules":[{"match":{"resources":{"kinds":["Pod"]}},"name":"block-old-flux","validate":{"message":"CannotuseoldFluxv1annotation.","pattern":{"metadata":{"=(annotations)":{"X(fluxcd.io/*)":"*?"}}}}},{"match":{"resources":{"kinds":["CronJob"]}},"name":"autogen-cronjob-block-old-flux","validate":{"message":"CannotuseoldFluxv1annotation.","pattern":{"spec":{"jobTemplate":{"spec":{"template":{"metadata":{"=(annotations)":{"X(fluxcd.io/*)":"*?"}}}}}}}}}]}}`),
expectedResult: true,
Bug 1799: Fix mutate policy defaults and Fix endless look of auto-gen rules. (#1839) * Fix Dev setup * Mutate policy defaults (1799) * fix look for exclude ResourceDescription * fix condition * reuse code Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 22:21:23 +05:30
},
{
Disable auto-gen when a rule has mixed of kinds: pod & pod controllers (#1847) * disable auto-gen when a rule has mixed of kinds: pod & pod controllers Signed-off-by: Shuting Zhao <shutting06@gmail.com> * Bugfix : Make match.resources.kinds required (#1843) * Fix Dev setup * make kind required in MatchResources * add test cases Co-authored-by: vyankatesh <vyankatesh@neualto.com> * address PR comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update background canAutoGen unit tests Signed-off-by: Shuting Zhao <shutting06@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 14:59:37 -07:00
name: "rule-missing-autogen-all",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test","annotations":{"pod-policies.kyverno.io/autogen-controllers":"Deployment,CronJob,StatefulSet,Job,DaemonSet"}},"spec":{"rules":[{"match":{"resources":{"kinds":["Pod"]}},"name":"block-old-flux","validate":{"message":"CannotuseoldFluxv1annotation.","pattern":{"metadata":{"=(annotations)":{"X(fluxcd.io/*)":"*?"}}}}}]}}`),
Bug 1799: Fix mutate policy defaults and Fix endless look of auto-gen rules. (#1839) * Fix Dev setup * Mutate policy defaults (1799) * fix look for exclude ResourceDescription * fix condition * reuse code Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 22:21:23 +05:30
expectedResult: true,
},
{
Disable auto-gen when a rule has mixed of kinds: pod & pod controllers (#1847) * disable auto-gen when a rule has mixed of kinds: pod & pod controllers Signed-off-by: Shuting Zhao <shutting06@gmail.com> * Bugfix : Make match.resources.kinds required (#1843) * Fix Dev setup * make kind required in MatchResources * add test cases Co-authored-by: vyankatesh <vyankatesh@neualto.com> * address PR comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update background canAutoGen unit tests Signed-off-by: Shuting Zhao <shutting06@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 14:59:37 -07:00
name: "rule-with-autogen-disabled",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test","annotations":{"pod-policies.kyverno.io/autogen-controllers":"none"}},"spec":{"rules":[{"match":{"resources":{"kinds":["Pod"]}},"name":"block-old-flux","validate":{"message":"CannotuseoldFluxv1annotation.","pattern":{"metadata":{"=(annotations)":{"X(fluxcd.io/*)":"*?"}}}}}]}}`),
expectedResult: false,
Bug 1799: Fix mutate policy defaults and Fix endless look of auto-gen rules. (#1839) * Fix Dev setup * Mutate policy defaults (1799) * fix look for exclude ResourceDescription * fix condition * reuse code Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 22:21:23 +05:30
},
}
for _, test := range testCases {
var policy kyverno.ClusterPolicy
err := json.Unmarshal(test.policy, &policy)
assert.NilError(t, err)
add package logger in files (#4766) * add package logger in files Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * add package logger to initContainer and other files Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * helm docs Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * helm default values Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * release notes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-02 20:45:03 +01:00
res := missingAutoGenRules(&policy, logging.GlobalLogger())
Bug 1799: Fix mutate policy defaults and Fix endless look of auto-gen rules. (#1839) * Fix Dev setup * Mutate policy defaults (1799) * fix look for exclude ResourceDescription * fix condition * reuse code Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 22:21:23 +05:30
assert.Equal(t, test.expectedResult, res, fmt.Sprintf("test %s failed", test.name))
}
}
Add function label_match, to use matchLabel in JMESPath, usage: label_match(labels_from_network_policy, labels_from pod) bool, Remove validation for JMESPath (#1862) Signed-off-by: Thomas Rosenstein <thomas@thoro.at>
2021-05-04 18:28:30 +02:00
func Test_Validate_ApiCall(t *testing.T) {
testCases := []struct {
resource kyverno.ContextEntry
expectedResult interface{}
}{
{
resource: kyverno.ContextEntry{
APICall: &kyverno.APICall{
URLPath: "/apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpolicies",
JMESPath: "",
},
},
expectedResult: nil,
},
{
resource: kyverno.ContextEntry{
APICall: &kyverno.APICall{
URLPath: "/apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpolicies",
JMESPath: "items[",
},
},
expectedResult: "failed to parse JMESPath items[: SyntaxError: Expected tStar, received: tEOF",
},
{
resource: kyverno.ContextEntry{
APICall: &kyverno.APICall{
URLPath: "/apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpolicies",
JMESPath: "items[{{request.namespace}}",
},
},
expectedResult: nil,
},
}
for _, testCase := range testCases {
err := validateAPICall(testCase.resource)
if err == nil {
assert.Equal(t, err, testCase.expectedResult)
} else {
assert.Equal(t, err.Error(), testCase.expectedResult)
}
}
}
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Fix wildcards issue for match/exclude kind block (#2137) * Fix wildcards issue for match/exclude kind block * fix typo
2021-07-14 23:49:15 +05:30
func Test_Wildcards_Kind(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "require-labels"
},
"spec": {
"validationFailureAction": "enforce",
"rules": [
{
"name": "check-for-labels",
"match": {
"resources": {
"kinds": [
"*"
]
}
},
"validate": {
"message": "label 'app.kubernetes.io/name' is required",
"pattern": {
"metadata": {
"labels": {
"app.kubernetes.io/name": "?*"
}
}
}
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
_, err = Validate(policy, nil, true, openApiManager)
Fix wildcards issue for match/exclude kind block (#2137) * Fix wildcards issue for match/exclude kind block * fix typo
2021-07-14 23:49:15 +05:30
assert.Assert(t, err != nil)
}
Fix for - Kyverno CLI permitting namespaces field in a Policy resource (#2199) * bug fixed Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * added test case Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * updated error message Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * removed comments Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * added check for any/all tags Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * corrected exclude logic Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-10-22 01:48:22 +05:30
func Test_Namespced_Policy(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "Policy",
"metadata": {
"name": "evil-policy-match-foreign-pods",
"namespace": "customer-foo"
},
"spec": {
"validationFailureAction": "enforce",
"background": false,
"rules": [
{
"name": "evil-validation",
"match": {
"resources": {
"kinds": [
"Pod"
],
"namespaces": [
"customer-bar"
]
}
},
"validate": {
"message": "Mua ah ah ... you've been pwned by customer-foo",
"pattern": {
"metadata": {
"annotations": {
"pwned-by-customer-foo": "true"
}
}
}
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
_, err = Validate(policy, nil, true, openApiManager)
Fix for - Kyverno CLI permitting namespaces field in a Policy resource (#2199) * bug fixed Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * added test case Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * updated error message Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * removed comments Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * added check for any/all tags Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * corrected exclude logic Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-10-22 01:48:22 +05:30
assert.Assert(t, err != nil)
}
Only report on intended errors when checking JSONPatch path for variables (#2710) * Only report on intended errors Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Change error text to be more fitting Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Replace vars for checks Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Remove more checks for testing Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Disable schema validation Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Remove unneeded fmt prints Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
2021-11-30 18:14:58 +01:00
func Test_patchesJson6902_Policy(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "set-max-surge-yaml-to-json"
},
"spec": {
"background": false,
"schemaValidation": false,
"rules": [
{
"name": "set-max-surge",
"context": [
{
"name": "source",
"configMap": {
"name": "source-yaml-to-json",
"namespace": "default"
}
}
],
"match": {
"resources": {
"kinds": [
"Deployment"
]
}
},
"mutate": {
"patchesJson6902": "- op: replace\n path: /spec/strategy\n value: {{ source.data.strategy }}"
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
_, err = Validate(policy, nil, true, openApiManager)
Only report on intended errors when checking JSONPatch path for variables (#2710) * Only report on intended errors Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Change error text to be more fitting Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Replace vars for checks Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Remove more checks for testing Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Disable schema validation Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Remove unneeded fmt prints Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
2021-11-30 18:14:58 +01:00
assert.NilError(t, err)
}
fix PodExecOptions issue (#3373) * fix PodExecOptions issue * add note * update comment
2022-03-11 15:09:32 +05:30
func Test_deny_exec(t *testing.T) {
var err error
rawPolicy := []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "deny-exec-to-pod"
},
"spec": {
"validationFailureAction": "enforce",
"background": false,
"schemaValidation": false,
"rules": [
{
"name": "deny-pod-exec",
"match": {
"resources": {
"kinds": [
"PodExecOptions"
]
}
},
"preconditions": {
"all": [
{
"key": "{{ request.operation }}",
"operator": "Equals",
"value": "CONNECT"
}
]
},
"validate": {
"message": "Containers can't be exec'd into in production.",
"deny": {}
}
}
]
}
}`)
var policy *kyverno.ClusterPolicy
err = json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
_, err = Validate(policy, nil, true, openApiManager)
fix PodExecOptions issue (#3373) * fix PodExecOptions issue * add note * update comment
2022-03-11 15:09:32 +05:30
assert.NilError(t, err)
}
fix for gvk not working for existing resources policy (#3384)
2022-03-14 16:03:13 +05:30
Added support to specify key signature algorithm in verifyImages (#4855) Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Pratik Shah <pratik@infracloud.io>
2022-10-14 11:09:57 +05:30
func Test_SignatureAlgorithm(t *testing.T) {
testcases := []struct {
description string
policy []byte
expectedOutput bool
}{
{
description: "Test empty signature algorithm - pass",
policy: []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "check-empty-signature-algorithm"
},
"spec": {
"rules": [
{
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"verifyImages": [
{
"imageReferences": [
"ghcr.io/kyverno/test-verify-image:*"
],
"attestors": [
{
"count": 1,
"entries": [
{
"keys": {
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----"
}
}
]
}
]
}
]
}
]
}
}`),
expectedOutput: true,
},
{
description: "Test invalid signature algorithm - fail",
policy: []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "check-invalid-signature-algorithm"
},
"spec": {
"rules": [
{
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"verifyImages": [
{
"imageReferences": [
"ghcr.io/kyverno/test-verify-image:*"
],
"attestors": [
{
"count": 1,
"entries": [
{
"keys": {
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----",
"signatureAlgorithm": "sha123"
}
}
]
}
]
}
]
}
]
}
}`),
expectedOutput: false,
},
{
description: "Test invalid signature algorithm - fail",
policy: []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "check-valid-signature-algorithm"
},
"spec": {
"rules": [
{
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"verifyImages": [
{
"imageReferences": [
"ghcr.io/kyverno/test-verify-image:*"
],
"attestors": [
{
"count": 1,
"entries": [
{
"keys": {
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----",
"signatureAlgorithm": "sha256"
}
}
]
}
]
}
]
}
]
}
}`),
expectedOutput: true,
},
}
for _, testcase := range testcases {
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(testcase.policy, &policy)
assert.NilError(t, err)
openApiManager, _ := openapi.NewManager()
_, err = Validate(policy, nil, true, openApiManager)
if testcase.expectedOutput {
assert.NilError(t, err)
} else {
assert.ErrorContains(t, err, "Invalid signature algorithm provided")
}
}
}
fix for gvk not working for existing resources policy (#3384)
2022-03-14 16:03:13 +05:30
func Test_existing_resource_policy(t *testing.T) {
var err error
rawPolicy := []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "np-test-1"
},
"spec": {
"validationFailureAction": "audit",
"rules": [
{
"name": "no-LoadBalancer",
"match": {
"any": [
{
"resources": {
"kinds": [
"networking.k8s.io/v1/NetworkPolicy"
]
}
}
]
},
"validate": {
"message": "np-test",
"pattern": {
"metadata": {
"name": "?*"
}
}
}
}
]
}
}`)
var policy *kyverno.ClusterPolicy
err = json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
_, err = Validate(policy, nil, true, openApiManager)
Return warning on admission response when mutating pods (#3272) - Return the warning as part of the validate response - Warn when autogen annotation is being used to exclude pod controllers - Reutrn admission response based on the autogen annotation value - Update the existing log message to align with admission response warning Co-authored-by: abhinav454 <43758739+abhinav454@users.noreply.github.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
2022-03-16 00:50:33 -04:00
assert.NilError(t, err)
}
func Test_PodControllerAutoGenExclusion_All_Controllers_Policy(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "add-all-pod-controller-annotations",
"annotations": {
"pod-policies.kyverno.io/autogen-controllers": "DaemonSet,Job,CronJob,Deployment,StatefulSet"
}
},
"spec": {
"validationFailureAction": "enforce",
"background": false,
"rules": [
{
"name": "validate-livenessProbe-readinessProbe",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "Liveness and readiness probes are required.",
"pattern": {
"spec": {
"containers": [
{
"livenessProbe": {
"periodSeconds": ">0"
},
"readinessProbe": {
"periodSeconds": ">0"
}
}
]
}
}
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
res, err := Validate(policy, nil, true, openApiManager)
Return warning on admission response when mutating pods (#3272) - Return the warning as part of the validate response - Warn when autogen annotation is being used to exclude pod controllers - Reutrn admission response based on the autogen annotation value - Update the existing log message to align with admission response warning Co-authored-by: abhinav454 <43758739+abhinav454@users.noreply.github.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
2022-03-16 00:50:33 -04:00
assert.NilError(t, err)
assert.Assert(t, res == nil)
}
func Test_PodControllerAutoGenExclusion_Not_All_Controllers_Policy(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "add-not-all-pod-controller-annotations",
"annotations": {
"pod-policies.kyverno.io/autogen-controllers": "DaemonSet,Job,CronJob,Deployment"
}
},
"spec": {
"validationFailureAction": "enforce",
"background": false,
"rules": [
{
"name": "validate-livenessProbe-readinessProbe",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "Liveness and readiness probes are required.",
"pattern": {
"spec": {
"containers": [
{
"livenessProbe": {
"periodSeconds": ">0"
},
"readinessProbe": {
"periodSeconds": ">0"
}
}
]
}
}
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
fix: early return in policy validation (#5200) * fix: early return in policy validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-03 09:05:23 +00:00
warnings, err := Validate(policy, nil, true, openApiManager)
assert.Assert(t, warnings != nil)
Return warning on admission response when mutating pods (#3272) - Return the warning as part of the validate response - Warn when autogen annotation is being used to exclude pod controllers - Reutrn admission response based on the autogen annotation value - Update the existing log message to align with admission response warning Co-authored-by: abhinav454 <43758739+abhinav454@users.noreply.github.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
2022-03-16 00:50:33 -04:00
assert.NilError(t, err)
}
func Test_PodControllerAutoGenExclusion_None_Policy(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "add-none-pod-controller-annotations",
"annotations": {
"pod-policies.kyverno.io/autogen-controllers": "none"
}
},
"spec": {
"validationFailureAction": "enforce",
"background": false,
"rules": [
{
"name": "validate-livenessProbe-readinessProbe",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "Liveness and readiness probes are required.",
"pattern": {
"spec": {
"containers": [
{
"livenessProbe": {
"periodSeconds": ">0"
},
"readinessProbe": {
"periodSeconds": ">0"
}
}
]
}
}
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
refactor: openapi controller part 2 (#4910) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 18:54:16 +02:00
openApiManager, _ := openapi.NewManager()
fix: early return in policy validation (#5200) * fix: early return in policy validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-03 09:05:23 +00:00
warnings, err := Validate(policy, nil, true, openApiManager)
assert.Assert(t, warnings == nil)
fix for gvk not working for existing resources policy (#3384)
2022-03-14 16:03:13 +05:30
assert.NilError(t, err)
}
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
validate patchJSON6902 (#4469) * validate patchJSON6902 Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> * validate patchJSON6902 Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> * test: validateJSON6902 tests Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> * validate patchJSON6902 Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> * test: validate patchJSON6902 Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> Signed-off-by: Shivansh Yadav <yadavshivansh@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
2022-10-17 20:55:03 +05:30
func Test_ValidateJSON6902(t *testing.T) {
var patch string = `- path: "/metadata/labels/img"
op: addition
value: "nginx"`
err := validateJSONPatch(patch, 0)
assert.Error(t, err, "Unexpected kind: spec.rules[0]: addition")
patch = `- path: "/metadata/labels/img"
op: add
value: "nginx"`
err = validateJSONPatch(patch, 0)
assert.NilError(t, err)
patch = `- path: "/metadata/labels/img"
op: add
value: nginx"`
err = validateJSONPatch(patch, 0)
assert.Error(t, err, `missing quote around value: spec.rules[0]: nginx"`)
patch = `- path: "/metadata/labels/img"
op: add
value: {"node.kubernetes.io/role": test"}`
err = validateJSONPatch(patch, 0)
assert.Error(t, err, `missing quote around value: spec.rules[0]: map[node.kubernetes.io/role:test"]`)
patch = `- path: "/metadata/labels/img"
op: add
value: "nginx"`
err = validateJSONPatch(patch, 0)
assert.NilError(t, err)
}
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
func Test_ValidateNamespace(t *testing.T) {
testcases := []struct {
description string
spec *kyverno.Spec
expectedError error
}{
{
description: "tc1",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
"test",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
expectedError: errors.New("conflicting namespaces found in path: spec.validationFailureActionOverrides[1].namespaces: default"),
},
{
description: "tc2",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
"test",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Mutation: kyverno.Mutation{
RawPatchStrategicMerge: &apiextv1.JSON{Raw: []byte(`"metadata": {"labels": {"app-name": "{{request.object.metadata.name}}"}}`)},
},
},
},
},
expectedError: errors.New("conflicting namespaces found in path: spec.validationFailureActionOverrides[1].namespaces: default"),
},
{
description: "tc3",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default*",
"test",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
expectedError: errors.New("path: spec.validationFailureActionOverrides[1].namespaces: wildcard pattern 'default*' matches with namespace 'default'"),
},
{
description: "tc4",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
"test",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"*",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
expectedError: errors.New("path: spec.validationFailureActionOverrides[1].namespaces: wildcard pattern '*' matches with namespace 'default'"),
},
{
description: "tc5",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
"test",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"?*",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
expectedError: errors.New("path: spec.validationFailureActionOverrides[1].namespaces: wildcard pattern '?*' matches with namespace 'default'"),
},
{
description: "tc6",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default?",
"test",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default1",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
expectedError: errors.New("path: spec.validationFailureActionOverrides[1].namespaces: wildcard pattern 'default?' matches with namespace 'default1'"),
},
{
description: "tc7",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default*",
"test",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"?*",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
expectedError: errors.New("path: spec.validationFailureActionOverrides[1].namespaces: wildcard pattern '?*' matches with namespace 'test'"),
},
{
description: "tc8",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"*",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"?*",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
expectedError: errors.New("path: spec.validationFailureActionOverrides[1].namespaces: wildcard pattern '?*' conflicts with the pattern '*'"),
},
{
description: "tc9",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default*",
"test",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
"test*",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
expectedError: errors.New("path: spec.validationFailureActionOverrides[1].namespaces: wildcard pattern 'test*' matches with namespace 'test'"),
},
{
description: "tc10",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"*efault",
"test",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
expectedError: errors.New("path: spec.validationFailureActionOverrides[1].namespaces: wildcard pattern '*efault' matches with namespace 'default'"),
},
{
description: "tc11",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default-*",
"test",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
},
{
description: "tc12",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default*?",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
"test*",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
},
{
description: "tc13",
spec: &kyverno.Spec{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
ValidationFailureAction: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Enforce",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default?",
},
},
{
refactor: support Audit and Enforce validation failure actions (#5152) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Action: "Audit",
fix: add policy validation for ValidationFailureActionOverride field (#4784) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 11:46:12 +05:30
Namespaces: []string{
"default",
},
},
},
Rules: []kyverno.Rule{
{
Name: "require-labels",
MatchResources: kyverno.MatchResources{ResourceDescription: kyverno.ResourceDescription{Kinds: []string{"Pod"}}},
Validation: kyverno.Validation{
Message: "label 'app.kubernetes.io/name' is required",
RawPattern: &apiextv1.JSON{Raw: []byte(`"metadata": {"lables": {"app.kubernetes.io/name": "?*"}}`)},
},
},
},
},
},
}
for _, tc := range testcases {
t.Run(tc.description, func(t *testing.T) {
err := validateNamespaces(tc.spec, field.NewPath("spec").Child("validationFailureActionOverrides"))
if tc.expectedError != nil {
assert.Error(t, err, tc.expectedError.Error())
} else {
assert.NilError(t, err)
}
})
}
}
Copy permalink