2020-07-02 12:49:10 -07:00
|
|
|
package policycache
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"testing"
|
|
|
|
|
|
2022-05-16 18:36:19 +02:00
|
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
2022-03-28 16:01:27 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/autogen"
|
2023-03-13 15:44:39 +01:00
|
|
|
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
2020-07-02 12:49:10 -07:00
|
|
|
"gotest.tools/assert"
|
2022-05-16 18:36:19 +02:00
|
|
|
kubecache "k8s.io/client-go/tools/cache"
|
2020-07-02 12:49:10 -07:00
|
|
|
)
|
|
|
|
|
|
2023-03-13 15:44:39 +01:00
|
|
|
func setPolicy(t *testing.T, store store, policy kyvernov1.PolicyInterface, finder ResourceFinder) {
|
2022-05-16 18:36:19 +02:00
|
|
|
key, _ := kubecache.MetaNamespaceKeyFunc(policy)
|
2023-03-13 15:44:39 +01:00
|
|
|
err := store.set(key, policy, finder)
|
|
|
|
|
assert.NilError(t, err)
|
2022-05-16 18:36:19 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func unsetPolicy(store store, policy kyvernov1.PolicyInterface) {
|
|
|
|
|
key, _ := kubecache.MetaNamespaceKeyFunc(policy)
|
|
|
|
|
store.unset(key)
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-02 12:49:10 -07:00
|
|
|
func Test_All(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2020-07-02 12:49:10 -07:00
|
|
|
policy := newPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
2021-05-07 00:32:06 +05:30
|
|
|
//add
|
2023-03-13 15:44:39 +01:00
|
|
|
setPolicy(t, pCache, policy, finder)
|
2024-04-04 10:09:30 +02:00
|
|
|
for _, rule := range autogen.ComputeRules(policy, "") {
|
2021-05-07 00:32:06 +05:30
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
2023-03-13 15:44:39 +01:00
|
|
|
group, version, kind, subresource := kubeutils.ParseKindSelector(kind)
|
|
|
|
|
gvrs, err := finder.FindResources(group, version, kind, subresource)
|
|
|
|
|
assert.NilError(t, err)
|
2023-03-17 12:21:26 +01:00
|
|
|
for gvr := range gvrs {
|
2023-03-13 15:44:39 +01:00
|
|
|
// get
|
2023-03-21 14:28:00 +01:00
|
|
|
mutate := pCache.get(Mutate, gvr.GroupVersionResource(), gvr.SubResource, "")
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(mutate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, gvr.GroupVersionResource(), gvr.SubResource, "")
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
generate := pCache.get(Generate, gvr.GroupVersionResource(), gvr.SubResource, "")
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(generate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
|
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
}
|
|
|
|
|
}
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// remove
|
2022-05-16 18:36:19 +02:00
|
|
|
unsetPolicy(pCache, policy)
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "")
|
2021-05-07 00:32:06 +05:30
|
|
|
assert.Assert(t, len(validateEnforce) == 0)
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Add_Duplicate_Policy(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2020-07-02 12:49:10 -07:00
|
|
|
policy := newPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
2024-04-04 10:09:30 +02:00
|
|
|
for _, rule := range autogen.ComputeRules(policy, "") {
|
2021-05-07 00:32:06 +05:30
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
2023-03-13 15:44:39 +01:00
|
|
|
group, version, kind, subresource := kubeutils.ParseKindSelector(kind)
|
|
|
|
|
gvrs, err := finder.FindResources(group, version, kind, subresource)
|
|
|
|
|
assert.NilError(t, err)
|
2023-03-17 12:21:26 +01:00
|
|
|
for gvr := range gvrs {
|
2023-03-21 14:28:00 +01:00
|
|
|
mutate := pCache.get(Mutate, gvr.GroupVersionResource(), gvr.SubResource, "")
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(mutate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
|
|
|
|
}
|
2020-07-02 12:49:10 -07:00
|
|
|
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, gvr.GroupVersionResource(), gvr.SubResource, "")
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
generate := pCache.get(Generate, gvr.GroupVersionResource(), gvr.SubResource, "")
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(generate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
|
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
}
|
|
|
|
|
}
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-09 11:48:34 -07:00
|
|
|
func Test_Add_Validate_Audit(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2020-07-09 11:48:34 -07:00
|
|
|
policy := newPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
2020-07-09 11:48:34 -07:00
|
|
|
policy.Spec.ValidationFailureAction = "audit"
|
2023-03-13 15:44:39 +01:00
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
2024-04-04 10:09:30 +02:00
|
|
|
for _, rule := range autogen.ComputeRules(policy, "") {
|
2021-05-07 00:32:06 +05:30
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
2023-03-13 15:44:39 +01:00
|
|
|
group, version, kind, subresource := kubeutils.ParseKindSelector(kind)
|
|
|
|
|
gvrs, err := finder.FindResources(group, version, kind, subresource)
|
|
|
|
|
assert.NilError(t, err)
|
2023-03-17 12:21:26 +01:00
|
|
|
for gvr := range gvrs {
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, gvr.GroupVersionResource(), gvr.SubResource, "")
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(validateEnforce) != 0 {
|
|
|
|
|
t.Errorf("expected 0 validate (enforce) policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2020-07-09 11:48:34 -07:00
|
|
|
|
2023-03-21 14:28:00 +01:00
|
|
|
validateAudit := pCache.get(ValidateAudit, gvr.GroupVersionResource(), gvr.SubResource, "")
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(validateAudit) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate (audit) policy, found %v", len(validateAudit))
|
|
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
}
|
|
|
|
|
}
|
2020-07-09 11:48:34 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-13 20:29:39 -07:00
|
|
|
func Test_Add_Remove(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2020-07-13 20:29:39 -07:00
|
|
|
policy := newPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "")
|
2021-05-07 00:32:06 +05:30
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce))
|
2020-07-13 20:29:39 -07:00
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
mutate := pCache.get(Mutate, podsGVRS.GroupVersionResource(), "", "")
|
2021-07-29 01:29:53 +05:30
|
|
|
if len(mutate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
generate := pCache.get(Generate, podsGVRS.GroupVersionResource(), "", "")
|
2021-07-29 10:44:31 +05:30
|
|
|
if len(generate) != 1 {
|
2021-07-29 01:29:53 +05:30
|
|
|
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
|
|
|
|
}
|
2022-05-16 18:36:19 +02:00
|
|
|
unsetPolicy(pCache, policy)
|
2023-03-21 14:28:00 +01:00
|
|
|
deletedValidateEnforce := pCache.get(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "")
|
2021-07-29 01:29:53 +05:30
|
|
|
if len(deletedValidateEnforce) != 0 {
|
|
|
|
|
t.Errorf("expected 0 validate enforce policy, found %v", len(deletedValidateEnforce))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Add_Remove_Any(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2021-07-29 01:29:53 +05:30
|
|
|
policy := newAnyPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "")
|
2021-07-29 01:29:53 +05:30
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
mutate := pCache.get(Mutate, podsGVRS.GroupVersionResource(), "", "")
|
2021-07-29 01:29:53 +05:30
|
|
|
if len(mutate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
generate := pCache.get(Generate, podsGVRS.GroupVersionResource(), "", "")
|
2021-07-29 10:44:31 +05:30
|
|
|
if len(generate) != 1 {
|
2021-07-29 01:29:53 +05:30
|
|
|
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
|
|
|
|
}
|
2022-05-16 18:36:19 +02:00
|
|
|
unsetPolicy(pCache, policy)
|
2023-03-21 14:28:00 +01:00
|
|
|
deletedValidateEnforce := pCache.get(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "")
|
2021-05-07 00:32:06 +05:30
|
|
|
if len(deletedValidateEnforce) != 0 {
|
|
|
|
|
t.Errorf("expected 0 validate enforce policy, found %v", len(deletedValidateEnforce))
|
2020-07-13 20:29:39 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-02 12:49:10 -07:00
|
|
|
func Test_Remove_From_Empty_Cache(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2020-07-02 12:49:10 -07:00
|
|
|
policy := newPolicy(t)
|
2022-05-16 18:36:19 +02:00
|
|
|
unsetPolicy(pCache, policy)
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
|
2022-05-16 18:36:19 +02:00
|
|
|
func newPolicy(t *testing.T) *kyvernov1.ClusterPolicy {
|
2020-07-02 12:49:10 -07:00
|
|
|
rawPolicy := []byte(`{
|
2020-07-13 20:29:39 -07:00
|
|
|
"metadata": {
|
|
|
|
|
"name": "test-policy"
|
|
|
|
|
},
|
2020-07-02 12:49:10 -07:00
|
|
|
"spec": {
|
|
|
|
|
"validationFailureAction": "enforce",
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "deny-privileged-disallowpriviligedescalation",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
2021-05-07 00:32:06 +05:30
|
|
|
"Pod",
|
|
|
|
|
"Namespace"
|
2020-07-02 12:49:10 -07:00
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"validate": {
|
|
|
|
|
"deny": {
|
2021-03-02 10:01:06 +05:30
|
|
|
"conditions": {
|
2021-05-07 00:32:06 +05:30
|
|
|
"all": [
|
|
|
|
|
{
|
|
|
|
|
"key": "a",
|
|
|
|
|
"operator": "Equals",
|
|
|
|
|
"value": "a"
|
|
|
|
|
}
|
2021-03-02 10:01:06 +05:30
|
|
|
]
|
|
|
|
|
}
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "deny-privileged-disallowpriviligedescalation",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"validate": {
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"image": "!*:latest"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "annotate-host-path",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
2021-05-07 00:32:06 +05:30
|
|
|
"Pod",
|
|
|
|
|
"Namespace"
|
2020-07-02 12:49:10 -07:00
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"mutate": {
|
2022-01-04 17:36:33 -08:00
|
|
|
"patchStrategicMerge": {
|
2020-07-02 12:49:10 -07:00
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
|
|
|
|
"+(cluster-autoscaler.kubernetes.io/safe-to-evict)": true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "default-deny-ingress",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
2021-05-07 00:32:06 +05:30
|
|
|
"Namespace",
|
|
|
|
|
"Pod"
|
2020-07-02 12:49:10 -07:00
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"generate": {
|
|
|
|
|
"kind": "NetworkPolicy",
|
|
|
|
|
"name": "default-deny-ingress",
|
|
|
|
|
"namespace": "{{request.object.metadata.name}}",
|
|
|
|
|
"data": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"podSelector": {
|
|
|
|
|
},
|
|
|
|
|
"policyTypes": [
|
|
|
|
|
"Ingress"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
2022-05-16 18:36:19 +02:00
|
|
|
var policy *kyvernov1.ClusterPolicy
|
2020-07-02 12:49:10 -07:00
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
return policy
|
|
|
|
|
}
|
2020-08-19 21:37:23 +05:30
|
|
|
|
2022-05-16 18:36:19 +02:00
|
|
|
func newAnyPolicy(t *testing.T) *kyvernov1.ClusterPolicy {
|
2021-07-29 01:29:53 +05:30
|
|
|
rawPolicy := []byte(`{
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "test-policy"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"validationFailureAction": "enforce",
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "deny-privileged-disallowpriviligedescalation",
|
|
|
|
|
"match": {
|
|
|
|
|
"any": [
|
|
|
|
|
{
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
],
|
|
|
|
|
"names": [
|
|
|
|
|
"dev"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
],
|
|
|
|
|
"namespaces": [
|
|
|
|
|
"prod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
"validate": {
|
|
|
|
|
"deny": {
|
|
|
|
|
"conditions": {
|
|
|
|
|
"all": [
|
|
|
|
|
{
|
|
|
|
|
"key": "a",
|
|
|
|
|
"operator": "Equals",
|
|
|
|
|
"value": "a"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "deny-privileged-disallowpriviligedescalation",
|
|
|
|
|
"match": {
|
|
|
|
|
"all": [
|
|
|
|
|
{
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
],
|
|
|
|
|
"names": [
|
|
|
|
|
"dev"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
],
|
|
|
|
|
"namespaces": [
|
|
|
|
|
"prod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
"validate": {
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"image": "!*:latest"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "annotate-host-path",
|
|
|
|
|
"match": {
|
|
|
|
|
"any": [
|
|
|
|
|
{
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
],
|
|
|
|
|
"names": [
|
|
|
|
|
"dev"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
],
|
|
|
|
|
"namespaces": [
|
|
|
|
|
"prod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
"mutate": {
|
2022-01-04 17:36:33 -08:00
|
|
|
"patchStrategicMerge": {
|
2021-07-29 01:29:53 +05:30
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
|
|
|
|
"+(cluster-autoscaler.kubernetes.io/safe-to-evict)": true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "default-deny-ingress",
|
|
|
|
|
"match": {
|
|
|
|
|
"any": [
|
|
|
|
|
{
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
],
|
|
|
|
|
"names": [
|
|
|
|
|
"dev"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
],
|
|
|
|
|
"namespaces": [
|
|
|
|
|
"prod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
"generate": {
|
|
|
|
|
"kind": "NetworkPolicy",
|
|
|
|
|
"name": "default-deny-ingress",
|
|
|
|
|
"namespace": "{{request.object.metadata.name}}",
|
|
|
|
|
"data": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"podSelector": {},
|
|
|
|
|
"policyTypes": [
|
|
|
|
|
"Ingress"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
2022-05-16 18:36:19 +02:00
|
|
|
var policy *kyvernov1.ClusterPolicy
|
2021-07-29 01:29:53 +05:30
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
return policy
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-16 18:36:19 +02:00
|
|
|
func newNsPolicy(t *testing.T) kyvernov1.PolicyInterface {
|
2020-08-19 21:37:23 +05:30
|
|
|
rawPolicy := []byte(`{
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "test-policy",
|
|
|
|
|
"namespace": "test"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"validationFailureAction": "enforce",
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "deny-privileged-disallowpriviligedescalation",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"validate": {
|
|
|
|
|
"deny": {
|
2021-03-02 10:01:06 +05:30
|
|
|
"conditions": {
|
|
|
|
|
"all": [
|
|
|
|
|
{
|
|
|
|
|
"key": "a",
|
|
|
|
|
"operator": "Equals",
|
|
|
|
|
"value": "a"
|
|
|
|
|
}
|
|
|
|
|
]
|
2023-03-13 15:44:39 +01:00
|
|
|
}
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "deny-privileged-disallowpriviligedescalation",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"validate": {
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"image": "!*:latest"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "annotate-host-path",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"mutate": {
|
2022-01-04 17:36:33 -08:00
|
|
|
"patchStrategicMerge": {
|
2020-08-19 21:37:23 +05:30
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
|
|
|
|
"+(cluster-autoscaler.kubernetes.io/safe-to-evict)": true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "default-deny-ingress",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
2021-05-07 00:32:06 +05:30
|
|
|
"Pod"
|
2020-08-19 21:37:23 +05:30
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"generate": {
|
|
|
|
|
"kind": "NetworkPolicy",
|
|
|
|
|
"name": "default-deny-ingress",
|
|
|
|
|
"namespace": "{{request.object.metadata.name}}",
|
|
|
|
|
"data": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"podSelector": {
|
|
|
|
|
},
|
|
|
|
|
"policyTypes": [
|
|
|
|
|
"Ingress"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
2022-05-16 18:36:19 +02:00
|
|
|
var policy *kyvernov1.Policy
|
2020-08-19 21:37:23 +05:30
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
2022-03-30 16:28:09 +02:00
|
|
|
return policy
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
|
|
|
|
|
2022-05-16 18:36:19 +02:00
|
|
|
func newGVKPolicy(t *testing.T) *kyvernov1.ClusterPolicy {
|
2021-05-12 01:15:34 +05:30
|
|
|
rawPolicy := []byte(`{
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "add-networkpolicy1",
|
|
|
|
|
"annotations": {
|
|
|
|
|
"policies.kyverno.io/category": "Workload Management"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"validationFailureAction": "enforce",
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "default-deny-ingress",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"rbac.authorization.k8s.io/v1beta1/ClusterRole"
|
|
|
|
|
],
|
|
|
|
|
"name": "*"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"exclude": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"namespaces": [
|
|
|
|
|
"kube-system",
|
|
|
|
|
"default",
|
|
|
|
|
"kube-public",
|
|
|
|
|
"kyverno"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"generate": {
|
|
|
|
|
"kind": "NetworkPolicy",
|
|
|
|
|
"name": "default-deny-ingress",
|
|
|
|
|
"namespace": "default",
|
|
|
|
|
"synchronize": true,
|
|
|
|
|
"data": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"podSelector": {},
|
|
|
|
|
"policyTypes": [
|
|
|
|
|
"Ingress"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
2022-05-16 18:36:19 +02:00
|
|
|
var policy *kyvernov1.ClusterPolicy
|
2021-05-12 01:15:34 +05:30
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
return policy
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-16 18:36:19 +02:00
|
|
|
func newUserTestPolicy(t *testing.T) kyvernov1.PolicyInterface {
|
2021-05-12 01:15:34 +05:30
|
|
|
rawPolicy := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "Policy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "require-dep-purpose-label",
|
|
|
|
|
"namespace": "default"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"validationFailureAction": "enforce",
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "require-dep-purpose-label",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Deployment"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"validate": {
|
|
|
|
|
"message": "You must have label purpose with value production set on all new Deployment.",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"labels": {
|
|
|
|
|
"purpose": "production"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
2022-05-16 18:36:19 +02:00
|
|
|
var policy *kyvernov1.Policy
|
2021-05-12 01:15:34 +05:30
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
2022-03-30 16:28:09 +02:00
|
|
|
return policy
|
2021-05-12 01:15:34 +05:30
|
|
|
}
|
|
|
|
|
|
2022-05-16 18:36:19 +02:00
|
|
|
func newGeneratePolicy(t *testing.T) *kyvernov1.ClusterPolicy {
|
2021-07-01 00:50:21 +05:30
|
|
|
rawPolicy := []byte(`{
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "add-networkpolicy",
|
|
|
|
|
"annotations": {
|
|
|
|
|
"policies.kyverno.io/title": "Add Network Policy",
|
|
|
|
|
"policies.kyverno.io/category": "Multi-Tenancy",
|
|
|
|
|
"policies.kyverno.io/subject": "NetworkPolicy"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"validationFailureAction": "audit",
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "default-deny",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Namespace"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"generate": {
|
|
|
|
|
"kind": "NetworkPolicy",
|
|
|
|
|
"name": "default-deny",
|
|
|
|
|
"namespace": "{{request.object.metadata.name}}",
|
|
|
|
|
"synchronize": true,
|
|
|
|
|
"data": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"podSelector": {},
|
|
|
|
|
"policyTypes": [
|
|
|
|
|
"Ingress",
|
|
|
|
|
"Egress"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
2022-05-16 18:36:19 +02:00
|
|
|
var policy *kyvernov1.ClusterPolicy
|
2021-07-01 00:50:21 +05:30
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
return policy
|
|
|
|
|
}
|
2023-03-13 15:44:39 +01:00
|
|
|
|
2022-05-16 18:36:19 +02:00
|
|
|
func newMutatePolicy(t *testing.T) *kyvernov1.ClusterPolicy {
|
2021-07-01 00:50:21 +05:30
|
|
|
rawPolicy := []byte(`{
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "logger-sidecar"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"background": false,
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"StatefulSet"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"mutate": {
|
|
|
|
|
"patchesJson6902": "- op: add\n path: /spec/template/spec/containers/-1\n value: {\"name\": \"logger\", \"image\": \"nginx\"}\n- op: add\n path: /spec/template/spec/volumes/-1\n value: {\"name\": \"logs\",\"emptyDir\": {\"medium\": \"Memory\"}}\n- op: add\n path: /spec/template/spec/containers/0/volumeMounts/-1\n value: {\"mountPath\": \"/opt/app/logs\",\"name\": \"logs\"}"
|
|
|
|
|
},
|
|
|
|
|
"name": "logger-sidecar",
|
|
|
|
|
"preconditions": [
|
|
|
|
|
{
|
|
|
|
|
"key": "{{ request.object.spec.template.metadata.annotations.\"logger.k8s/inject\"}}",
|
|
|
|
|
"operator": "Equals",
|
|
|
|
|
"value": "true"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"key": "logger",
|
|
|
|
|
"operator": "NotIn",
|
|
|
|
|
"value": "{{ request.object.spec.template.spec.containers[].name }}"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
"validationFailureAction": "audit"
|
|
|
|
|
}
|
|
|
|
|
}`)
|
2022-05-16 18:36:19 +02:00
|
|
|
var policy *kyvernov1.ClusterPolicy
|
2021-07-01 00:50:21 +05:30
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
return policy
|
|
|
|
|
}
|
2023-03-13 15:44:39 +01:00
|
|
|
|
2022-05-16 18:36:19 +02:00
|
|
|
func newNsMutatePolicy(t *testing.T) kyvernov1.PolicyInterface {
|
2021-07-01 00:50:21 +05:30
|
|
|
rawPolicy := []byte(`{
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "logger-sidecar",
|
|
|
|
|
"namespace": "logger"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"background": false,
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"StatefulSet"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"mutate": {
|
|
|
|
|
"patchesJson6902": "- op: add\n path: /spec/template/spec/containers/-1\n value: {\"name\": \"logger\", \"image\": \"nginx\"}\n- op: add\n path: /spec/template/spec/volumes/-1\n value: {\"name\": \"logs\",\"emptyDir\": {\"medium\": \"Memory\"}}\n- op: add\n path: /spec/template/spec/containers/0/volumeMounts/-1\n value: {\"mountPath\": \"/opt/app/logs\",\"name\": \"logs\"}"
|
|
|
|
|
},
|
|
|
|
|
"name": "logger-sidecar",
|
|
|
|
|
"preconditions": [
|
|
|
|
|
{
|
|
|
|
|
"key": "{{ request.object.spec.template.metadata.annotations.\"logger.k8s/inject\"}}",
|
|
|
|
|
"operator": "Equals",
|
|
|
|
|
"value": "true"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"key": "logger",
|
|
|
|
|
"operator": "NotIn",
|
|
|
|
|
"value": "{{ request.object.spec.template.spec.containers[].name }}"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
"validationFailureAction": "audit"
|
|
|
|
|
}
|
|
|
|
|
}`)
|
2022-05-16 18:36:19 +02:00
|
|
|
var policy *kyvernov1.Policy
|
2021-07-01 00:50:21 +05:30
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
2022-03-30 16:28:09 +02:00
|
|
|
return policy
|
2021-07-01 00:50:21 +05:30
|
|
|
}
|
|
|
|
|
|
2022-05-16 18:36:19 +02:00
|
|
|
func newValidateAuditPolicy(t *testing.T) *kyvernov1.ClusterPolicy {
|
2022-01-21 18:06:44 +05:30
|
|
|
rawPolicy := []byte(`{
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "check-label-app-audit"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"background": false,
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"name": "check-label-app",
|
|
|
|
|
"validate": {
|
|
|
|
|
"message": "The label 'app' is required.",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "?*"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
"validationFailureAction": "audit",
|
|
|
|
|
"validationFailureActionOverrides": [
|
|
|
|
|
{
|
|
|
|
|
"action": "enforce",
|
|
|
|
|
"namespaces": [
|
|
|
|
|
"default"
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"action": "audit",
|
|
|
|
|
"namespaces": [
|
|
|
|
|
"test"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
2022-05-16 18:36:19 +02:00
|
|
|
var policy *kyvernov1.ClusterPolicy
|
2022-01-21 18:06:44 +05:30
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
return policy
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-16 18:36:19 +02:00
|
|
|
func newValidateEnforcePolicy(t *testing.T) *kyvernov1.ClusterPolicy {
|
2022-01-21 18:06:44 +05:30
|
|
|
rawPolicy := []byte(`{
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "check-label-app-enforce"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"background": false,
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"name": "check-label-app",
|
|
|
|
|
"validate": {
|
|
|
|
|
"message": "The label 'app' is required.",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "?*"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
"validationFailureAction": "enforce",
|
|
|
|
|
"validationFailureActionOverrides": [
|
|
|
|
|
{
|
|
|
|
|
"action": "enforce",
|
|
|
|
|
"namespaces": [
|
|
|
|
|
"default"
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"action": "audit",
|
|
|
|
|
"namespaces": [
|
|
|
|
|
"test"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
2022-05-16 18:36:19 +02:00
|
|
|
var policy *kyvernov1.ClusterPolicy
|
2022-01-21 18:06:44 +05:30
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
return policy
|
|
|
|
|
}
|
|
|
|
|
|
2020-08-19 21:37:23 +05:30
|
|
|
func Test_Ns_All(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2020-08-19 21:37:23 +05:30
|
|
|
policy := newNsPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
2021-05-07 00:32:06 +05:30
|
|
|
//add
|
2023-03-13 15:44:39 +01:00
|
|
|
setPolicy(t, pCache, policy, finder)
|
2020-08-19 21:37:23 +05:30
|
|
|
nspace := policy.GetNamespace()
|
2024-09-11 03:32:10 +02:00
|
|
|
rules := autogen.ComputeRules(policy, "")
|
|
|
|
|
for _, rule := range rules {
|
2021-05-07 00:32:06 +05:30
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
2023-03-13 15:44:39 +01:00
|
|
|
group, version, kind, subresource := kubeutils.ParseKindSelector(kind)
|
|
|
|
|
gvrs, err := finder.FindResources(group, version, kind, subresource)
|
|
|
|
|
assert.NilError(t, err)
|
2023-03-17 12:21:26 +01:00
|
|
|
for gvr := range gvrs {
|
2023-03-13 15:44:39 +01:00
|
|
|
// get
|
2023-03-21 14:28:00 +01:00
|
|
|
mutate := pCache.get(Mutate, gvr.GroupVersionResource(), gvr.SubResource, nspace)
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(mutate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, gvr.GroupVersionResource(), gvr.SubResource, nspace)
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
generate := pCache.get(Generate, gvr.GroupVersionResource(), gvr.SubResource, nspace)
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(generate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
|
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
}
|
|
|
|
|
}
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
|
|
|
|
// remove
|
2022-05-16 18:36:19 +02:00
|
|
|
unsetPolicy(pCache, policy)
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, podsGVRS.GroupVersionResource(), "", nspace)
|
2021-05-07 00:32:06 +05:30
|
|
|
assert.Assert(t, len(validateEnforce) == 0)
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Ns_Add_Duplicate_Policy(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2020-08-19 21:37:23 +05:30
|
|
|
policy := newNsPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
2020-08-19 21:37:23 +05:30
|
|
|
nspace := policy.GetNamespace()
|
2024-04-04 10:09:30 +02:00
|
|
|
for _, rule := range autogen.ComputeRules(policy, "") {
|
2021-05-07 00:32:06 +05:30
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
2023-03-13 15:44:39 +01:00
|
|
|
group, version, kind, subresource := kubeutils.ParseKindSelector(kind)
|
|
|
|
|
gvrs, err := finder.FindResources(group, version, kind, subresource)
|
|
|
|
|
assert.NilError(t, err)
|
2023-03-17 12:21:26 +01:00
|
|
|
for gvr := range gvrs {
|
2023-03-21 14:28:00 +01:00
|
|
|
mutate := pCache.get(Mutate, gvr.GroupVersionResource(), gvr.SubResource, nspace)
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(mutate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, gvr.GroupVersionResource(), gvr.SubResource, nspace)
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
generate := pCache.get(Generate, gvr.GroupVersionResource(), gvr.SubResource, nspace)
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(generate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
|
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
}
|
|
|
|
|
}
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Ns_Add_Validate_Audit(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2020-08-19 21:37:23 +05:30
|
|
|
policy := newNsPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
2021-05-07 00:32:06 +05:30
|
|
|
nspace := policy.GetNamespace()
|
2022-03-30 16:28:09 +02:00
|
|
|
policy.GetSpec().ValidationFailureAction = "audit"
|
2023-03-13 15:44:39 +01:00
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
2024-04-04 10:09:30 +02:00
|
|
|
for _, rule := range autogen.ComputeRules(policy, "") {
|
2021-05-07 00:32:06 +05:30
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
2023-03-13 15:44:39 +01:00
|
|
|
group, version, kind, subresource := kubeutils.ParseKindSelector(kind)
|
|
|
|
|
gvrs, err := finder.FindResources(group, version, kind, subresource)
|
|
|
|
|
assert.NilError(t, err)
|
2023-03-17 12:21:26 +01:00
|
|
|
for gvr := range gvrs {
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, gvr.GroupVersionResource(), gvr.SubResource, nspace)
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(validateEnforce) != 0 {
|
|
|
|
|
t.Errorf("expected 0 validate (enforce) policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2020-08-19 21:37:23 +05:30
|
|
|
|
2023-03-21 14:28:00 +01:00
|
|
|
validateAudit := pCache.get(ValidateAudit, gvr.GroupVersionResource(), gvr.SubResource, nspace)
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(validateAudit) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate (audit) policy, found %v", len(validateAudit))
|
|
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
}
|
|
|
|
|
}
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Ns_Add_Remove(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2020-08-19 21:37:23 +05:30
|
|
|
policy := newNsPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
2020-08-19 21:37:23 +05:30
|
|
|
nspace := policy.GetNamespace()
|
2023-03-13 15:44:39 +01:00
|
|
|
setPolicy(t, pCache, policy, finder)
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, podsGVRS.GroupVersionResource(), "", nspace)
|
2021-05-07 00:32:06 +05:30
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce))
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
2022-05-16 18:36:19 +02:00
|
|
|
unsetPolicy(pCache, policy)
|
2023-03-21 14:28:00 +01:00
|
|
|
deletedValidateEnforce := pCache.get(ValidateEnforce, podsGVRS.GroupVersionResource(), "", nspace)
|
2021-05-07 00:32:06 +05:30
|
|
|
if len(deletedValidateEnforce) != 0 {
|
|
|
|
|
t.Errorf("expected 0 validate enforce policy, found %v", len(deletedValidateEnforce))
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
|
|
|
|
}
|
2021-05-12 01:15:34 +05:30
|
|
|
|
|
|
|
|
func Test_GVk_Cache(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2021-05-12 01:15:34 +05:30
|
|
|
policy := newGVKPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
2021-05-12 01:15:34 +05:30
|
|
|
//add
|
2023-03-13 15:44:39 +01:00
|
|
|
setPolicy(t, pCache, policy, finder)
|
2024-04-04 10:09:30 +02:00
|
|
|
for _, rule := range autogen.ComputeRules(policy, "") {
|
2021-05-12 01:15:34 +05:30
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
2023-03-13 15:44:39 +01:00
|
|
|
group, version, kind, subresource := kubeutils.ParseKindSelector(kind)
|
|
|
|
|
gvrs, err := finder.FindResources(group, version, kind, subresource)
|
|
|
|
|
assert.NilError(t, err)
|
2023-03-17 12:21:26 +01:00
|
|
|
for gvr := range gvrs {
|
2023-03-21 14:28:00 +01:00
|
|
|
generate := pCache.get(Generate, gvr.GroupVersionResource(), gvr.SubResource, "")
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(generate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
|
|
|
|
}
|
2021-05-12 01:15:34 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_GVK_Add_Remove(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2021-05-12 01:15:34 +05:30
|
|
|
policy := newGVKPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
2023-03-21 14:28:00 +01:00
|
|
|
generate := pCache.get(Generate, clusterrolesGVRS.GroupVersionResource(), "", "")
|
2021-05-12 01:15:34 +05:30
|
|
|
if len(generate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
|
|
|
|
}
|
2022-05-16 18:36:19 +02:00
|
|
|
unsetPolicy(pCache, policy)
|
2023-03-21 14:28:00 +01:00
|
|
|
deletedGenerate := pCache.get(Generate, clusterrolesGVRS.GroupVersionResource(), "", "")
|
2021-05-12 01:15:34 +05:30
|
|
|
if len(deletedGenerate) != 0 {
|
|
|
|
|
t.Errorf("expected 0 generate policy, found %v", len(deletedGenerate))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Add_Validate_Enforce(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2021-05-12 01:15:34 +05:30
|
|
|
policy := newUserTestPolicy(t)
|
|
|
|
|
nspace := policy.GetNamespace()
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
2021-05-12 01:15:34 +05:30
|
|
|
//add
|
2023-03-13 15:44:39 +01:00
|
|
|
setPolicy(t, pCache, policy, finder)
|
2024-04-04 10:09:30 +02:00
|
|
|
for _, rule := range autogen.ComputeRules(policy, "") {
|
2021-05-12 01:15:34 +05:30
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
2023-03-13 15:44:39 +01:00
|
|
|
group, version, kind, subresource := kubeutils.ParseKindSelector(kind)
|
|
|
|
|
gvrs, err := finder.FindResources(group, version, kind, subresource)
|
|
|
|
|
assert.NilError(t, err)
|
2023-03-17 12:21:26 +01:00
|
|
|
for gvr := range gvrs {
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, gvr.GroupVersionResource(), gvr.SubResource, nspace)
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2021-05-12 01:15:34 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Ns_Add_Remove_User(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2021-05-12 01:15:34 +05:30
|
|
|
policy := newUserTestPolicy(t)
|
|
|
|
|
nspace := policy.GetNamespace()
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
|
|
|
|
// kind := "Deployment"
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, deploymentsGVRS.GroupVersionResource(), "", nspace)
|
2021-05-12 01:15:34 +05:30
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2022-05-16 18:36:19 +02:00
|
|
|
unsetPolicy(pCache, policy)
|
2023-03-21 14:28:00 +01:00
|
|
|
deletedValidateEnforce := pCache.get(ValidateEnforce, deploymentsGVRS.GroupVersionResource(), "", nspace)
|
2021-05-12 01:15:34 +05:30
|
|
|
if len(deletedValidateEnforce) != 0 {
|
|
|
|
|
t.Errorf("expected 0 validate enforce policy, found %v", len(deletedValidateEnforce))
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-07-01 00:50:21 +05:30
|
|
|
|
|
|
|
|
func Test_Mutate_Policy(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2021-07-01 00:50:21 +05:30
|
|
|
policy := newMutatePolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
2021-07-01 00:50:21 +05:30
|
|
|
//add
|
2023-03-13 15:44:39 +01:00
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
2024-04-04 10:09:30 +02:00
|
|
|
for _, rule := range autogen.ComputeRules(policy, "") {
|
2021-07-01 00:50:21 +05:30
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
2023-03-13 15:44:39 +01:00
|
|
|
group, version, kind, subresource := kubeutils.ParseKindSelector(kind)
|
|
|
|
|
gvrs, err := finder.FindResources(group, version, kind, subresource)
|
|
|
|
|
assert.NilError(t, err)
|
2023-03-17 12:21:26 +01:00
|
|
|
for gvr := range gvrs {
|
2023-03-13 15:44:39 +01:00
|
|
|
// get
|
2023-03-21 14:28:00 +01:00
|
|
|
mutate := pCache.get(Mutate, gvr.GroupVersionResource(), gvr.SubResource, "")
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(mutate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
|
|
|
|
}
|
2021-07-01 00:50:21 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Generate_Policy(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
|
|
|
|
policy := newGeneratePolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
2021-07-01 00:50:21 +05:30
|
|
|
//add
|
2023-03-13 15:44:39 +01:00
|
|
|
setPolicy(t, pCache, policy, finder)
|
2024-04-04 10:09:30 +02:00
|
|
|
for _, rule := range autogen.ComputeRules(policy, "") {
|
2021-07-01 00:50:21 +05:30
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
2023-03-13 15:44:39 +01:00
|
|
|
group, version, kind, subresource := kubeutils.ParseKindSelector(kind)
|
|
|
|
|
gvrs, err := finder.FindResources(group, version, kind, subresource)
|
|
|
|
|
assert.NilError(t, err)
|
2023-03-17 12:21:26 +01:00
|
|
|
for gvr := range gvrs {
|
2023-03-13 15:44:39 +01:00
|
|
|
// get
|
2023-03-21 14:28:00 +01:00
|
|
|
generate := pCache.get(Generate, gvr.GroupVersionResource(), gvr.SubResource, "")
|
2023-03-13 15:44:39 +01:00
|
|
|
if len(generate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
|
|
|
|
}
|
2021-07-01 00:50:21 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_NsMutate_Policy(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2021-07-01 00:50:21 +05:30
|
|
|
policy := newMutatePolicy(t)
|
|
|
|
|
nspolicy := newNsMutatePolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
2021-07-01 00:50:21 +05:30
|
|
|
//add
|
2023-03-13 15:44:39 +01:00
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, nspolicy, finder)
|
|
|
|
|
setPolicy(t, pCache, policy, finder)
|
|
|
|
|
setPolicy(t, pCache, nspolicy, finder)
|
2021-07-01 00:50:21 +05:30
|
|
|
nspace := policy.GetNamespace()
|
|
|
|
|
// get
|
2023-03-21 14:28:00 +01:00
|
|
|
mutate := pCache.get(Mutate, statefulsetsGVRS.GroupVersionResource(), "", "")
|
2021-07-01 00:50:21 +05:30
|
|
|
if len(mutate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
|
|
|
|
}
|
|
|
|
|
// get
|
2023-03-21 14:28:00 +01:00
|
|
|
nsMutate := pCache.get(Mutate, statefulsetsGVRS.GroupVersionResource(), "", nspace)
|
2021-07-01 00:50:21 +05:30
|
|
|
if len(nsMutate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 namespace mutate policy, found %v", len(nsMutate))
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-01-21 18:06:44 +05:30
|
|
|
|
|
|
|
|
func Test_Validate_Enforce_Policy(t *testing.T) {
|
2022-05-16 09:56:16 +02:00
|
|
|
pCache := newPolicyCache()
|
2022-01-21 18:06:44 +05:30
|
|
|
policy1 := newValidateAuditPolicy(t)
|
|
|
|
|
policy2 := newValidateEnforcePolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
|
|
|
|
setPolicy(t, pCache, policy1, finder)
|
|
|
|
|
setPolicy(t, pCache, policy2, finder)
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := pCache.get(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "")
|
2022-01-21 18:06:44 +05:30
|
|
|
if len(validateEnforce) != 2 {
|
|
|
|
|
t.Errorf("adding: expected 2 validate enforce policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateAudit := pCache.get(ValidateAudit, podsGVRS.GroupVersionResource(), "", "")
|
2022-01-21 18:06:44 +05:30
|
|
|
if len(validateAudit) != 0 {
|
|
|
|
|
t.Errorf("adding: expected 0 validate audit policy, found %v", len(validateAudit))
|
|
|
|
|
}
|
2022-05-16 18:36:19 +02:00
|
|
|
unsetPolicy(pCache, policy1)
|
|
|
|
|
unsetPolicy(pCache, policy2)
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce = pCache.get(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "")
|
2022-01-21 18:06:44 +05:30
|
|
|
if len(validateEnforce) != 0 {
|
|
|
|
|
t.Errorf("removing: expected 0 validate enforce policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateAudit = pCache.get(ValidateAudit, podsGVRS.GroupVersionResource(), "", "")
|
2022-01-21 18:06:44 +05:30
|
|
|
if len(validateAudit) != 0 {
|
|
|
|
|
t.Errorf("removing: expected 0 validate audit policy, found %v", len(validateAudit))
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-10-13 13:29:10 +05:30
|
|
|
|
|
|
|
|
func Test_Get_Policies(t *testing.T) {
|
|
|
|
|
cache := NewCache()
|
|
|
|
|
policy := newPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
2022-10-13 13:29:10 +05:30
|
|
|
key, _ := kubecache.MetaNamespaceKeyFunc(policy)
|
2023-03-13 15:44:39 +01:00
|
|
|
cache.Set(key, policy, finder)
|
2023-03-21 14:28:00 +01:00
|
|
|
validateAudit := cache.GetPolicies(ValidateAudit, namespacesGVRS.GroupVersionResource(), "", "")
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(validateAudit) != 0 {
|
|
|
|
|
t.Errorf("expected 0 validate audit policy, found %v", len(validateAudit))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateAudit = cache.GetPolicies(ValidateAudit, podsGVRS.GroupVersionResource(), "", "test")
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(validateAudit) != 0 {
|
|
|
|
|
t.Errorf("expected 0 validate audit policy, found %v", len(validateAudit))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := cache.GetPolicies(ValidateEnforce, namespacesGVRS.GroupVersionResource(), "", "")
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
mutate := cache.GetPolicies(Mutate, podsGVRS.GroupVersionResource(), "", "")
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(mutate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
generate := cache.GetPolicies(Generate, podsGVRS.GroupVersionResource(), "", "")
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(generate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Get_Policies_Ns(t *testing.T) {
|
|
|
|
|
cache := NewCache()
|
|
|
|
|
policy := newNsPolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
2022-10-13 13:29:10 +05:30
|
|
|
key, _ := kubecache.MetaNamespaceKeyFunc(policy)
|
2023-03-13 15:44:39 +01:00
|
|
|
cache.Set(key, policy, finder)
|
2022-10-13 13:29:10 +05:30
|
|
|
nspace := policy.GetNamespace()
|
2023-03-21 14:28:00 +01:00
|
|
|
validateAudit := cache.GetPolicies(ValidateAudit, podsGVRS.GroupVersionResource(), "", nspace)
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(validateAudit) != 0 {
|
|
|
|
|
t.Errorf("expected 0 validate audit policy, found %v", len(validateAudit))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := cache.GetPolicies(ValidateEnforce, podsGVRS.GroupVersionResource(), "", nspace)
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
mutate := cache.GetPolicies(Mutate, podsGVRS.GroupVersionResource(), "", nspace)
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(mutate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
generate := cache.GetPolicies(Generate, podsGVRS.GroupVersionResource(), "", nspace)
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(generate) != 1 {
|
|
|
|
|
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Get_Policies_Validate_Failure_Action_Overrides(t *testing.T) {
|
|
|
|
|
cache := NewCache()
|
|
|
|
|
policy1 := newValidateAuditPolicy(t)
|
|
|
|
|
policy2 := newValidateEnforcePolicy(t)
|
2023-03-13 15:44:39 +01:00
|
|
|
finder := TestResourceFinder{}
|
2022-10-13 13:29:10 +05:30
|
|
|
key1, _ := kubecache.MetaNamespaceKeyFunc(policy1)
|
2023-03-13 15:44:39 +01:00
|
|
|
cache.Set(key1, policy1, finder)
|
2022-10-13 13:29:10 +05:30
|
|
|
key2, _ := kubecache.MetaNamespaceKeyFunc(policy2)
|
2023-03-13 15:44:39 +01:00
|
|
|
cache.Set(key2, policy2, finder)
|
2023-03-21 14:28:00 +01:00
|
|
|
validateAudit := cache.GetPolicies(ValidateAudit, podsGVRS.GroupVersionResource(), "", "")
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(validateAudit) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate audit policy, found %v", len(validateAudit))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce := cache.GetPolicies(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "")
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(validateEnforce) != 1 {
|
|
|
|
|
t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateAudit = cache.GetPolicies(ValidateAudit, podsGVRS.GroupVersionResource(), "", "test")
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(validateAudit) != 2 {
|
|
|
|
|
t.Errorf("expected 2 validate audit policy, found %v", len(validateAudit))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce = cache.GetPolicies(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "test")
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(validateEnforce) != 0 {
|
|
|
|
|
t.Errorf("expected 0 validate enforce policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateAudit = cache.GetPolicies(ValidateAudit, podsGVRS.GroupVersionResource(), "", "default")
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(validateAudit) != 0 {
|
|
|
|
|
t.Errorf("expected 0 validate audit policy, found %v", len(validateAudit))
|
|
|
|
|
}
|
2023-03-21 14:28:00 +01:00
|
|
|
validateEnforce = cache.GetPolicies(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "default")
|
2022-10-13 13:29:10 +05:30
|
|
|
if len(validateEnforce) != 2 {
|
|
|
|
|
t.Errorf("expected 2 validate enforce policy, found %v", len(validateEnforce))
|
|
|
|
|
}
|
|
|
|
|
}
|
