package mutate
import (
"github.com/blang/semver/v4"
"github.com/kyverno/kyverno/test/e2e/common"
"k8s.io/apimachinery/pkg/runtime/schema"
)
// MutateTests is the E2E test table for mutate policies that resolve
// context entries before patching (see the three policy manifests referenced
// in Data). Data is the ClusterPolicy manifest installed under PolicyName,
// and ResourceNamespace is the namespace the mutated resource is created in.
//
// All three cases reuse the namespace "test-mutate" and the policy name
// "mutate-policy", so a ClusterPolicy of that name cannot exist for two cases
// at once; the runner presumably removes one case before starting the next.
// The other tables in this file avoid that coupling by giving every case its
// own namespace.
var MutateTests = []struct {
	//TestName - Name of the Test
	TestName string
	// Data - The Yaml file of the ClusterPolicy
	Data []byte
	// ResourceNamespace - Namespace of the Resource
	ResourceNamespace string
	// PolicyName - Name of the Policy
	PolicyName string
}{
	// Context entry backed by a ConfigMap (configMapMutationYaml).
	{
		TestName:          "test-mutate-with-context",
		PolicyName:        "mutate-policy",
		ResourceNamespace: "test-mutate",
		Data:              configMapMutationYaml,
	},
	// Context entry that applies logic to the looked-up value
	// (configMapMutationWithContextLogicYaml).
	{
		TestName:          "test-mutate-with-logic-in-context",
		PolicyName:        "mutate-policy",
		ResourceNamespace: "test-mutate",
		Data:              configMapMutationWithContextLogicYaml,
	},
	// Context entry selected by label (configMapMutationWithContextLabelSelectionYaml).
	{
		TestName:          "test-mutate-with-context-label-selection",
		PolicyName:        "mutate-policy",
		ResourceNamespace: "test-mutate",
		Data:              configMapMutationWithContextLabelSelectionYaml,
	},
}
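// Note: sometimes deleting namespaces takes time.
// Using different names for namespaces prevents collisions.
//
// tests is the table-driven E2E suite for mutate rules that patch the
// admitted resource itself. Each case carries the ClusterPolicy to install
// (PolicyRaw, named PolicyName), the resource to create (ResourceRaw, with
// its name, namespace and GVR) and a validate-style pattern
// (ExpectedPatternRaw) that the stored object is checked against. Cases that
// share a ResourceName ("foo") are kept apart by distinct namespaces.
var tests = []struct {
	//TestDescription - Description of the Test
	TestDescription string
	// PolicyName - Name of the Policy
	PolicyName string
	// PolicyRaw - The Yaml file of the ClusterPolicy
	PolicyRaw []byte
	// ResourceName - Name of the Resource
	ResourceName string
	// ResourceNamespace - Namespace of the Resource
	ResourceNamespace string
	// ResourceGVR - GVR of the Resource
	ResourceGVR schema.GroupVersionResource
	// ResourceRaw - The Yaml file of the Resource the policy mutates
	// (not the ClusterPolicy; that is PolicyRaw)
	ResourceRaw []byte
	// ExpectedPatternRaw - The Yaml file that contains validate pattern for the expected result
	// This is not the final result. It is just used to validate the result from the engine.
	ExpectedPatternRaw []byte
}{
	// runAsNonRoot hardening: the policy must reach the pod-level
	// securityContext and every entry of spec.containers.
	{
		TestDescription:    "checks that runAsNonRoot is added to security context and containers elements security context",
		PolicyName:         "set-runasnonroot-true",
		PolicyRaw:          setRunAsNonRootTrue,
		ResourceName:       "foo",
		ResourceNamespace:  "test-mutate",
		ResourceGVR:        podGVR,
		ResourceRaw:        podWithContainers,
		ExpectedPatternRaw: podWithContainersPattern,
	},
	// Same policy, but the pod also has initContainers; a mutation that only
	// walked spec.containers would leave the init containers able to run as root.
	{
		TestDescription:    "checks that runAsNonRoot is added to security context and containers elements security context and initContainers elements security context",
		PolicyName:         "set-runasnonroot-true",
		PolicyRaw:          setRunAsNonRootTrue,
		ResourceName:       "foo",
		ResourceNamespace:  "test-mutate1",
		ResourceGVR:        podGVR,
		ResourceRaw:        podWithContainersAndInitContainers,
		ExpectedPatternRaw: podWithContainersAndInitContainersPattern,
	},
	// Regression for kyverno#2316: variables used inside map keys.
	{
		TestDescription:    "checks that variables in the keys are working correctly",
		PolicyName:         "structured-logs-sidecar",
		PolicyRaw:          kyverno_2316_policy,
		ResourceName:       "busybox",
		ResourceNamespace:  "test-mutate2",
		ResourceGVR:        deploymentGVR,
		ResourceRaw:        kyverno_2316_resource,
		ExpectedPatternRaw: kyverno_2316_pattern,
	},
	// JSON-patch mutation addressing array elements by index.
	{
		TestDescription:    "checks that policy mutate env variables of an array with specific index numbers",
		PolicyName:         "add-image-as-env-var",
		PolicyRaw:          kyverno_mutate_json_patch,
		ResourceName:       "foo",
		ResourceNamespace:  "test-mutate-env-array",
		ResourceGVR:        podGVR,
		ResourceRaw:        podWithEnvVar,
		ExpectedPatternRaw: podWithEnvVarPattern,
	},
	// Regression for kyverno#2971: variable substitution inside preconditions.
	{
		TestDescription:    "checks that preconditions are substituted correctly",
		PolicyName:         "replace-docker-hub",
		PolicyRaw:          kyverno_2971_policy,
		ResourceName:       "nginx",
		ResourceNamespace:  "test-mutate-img",
		ResourceGVR:        podGVR,
		ResourceRaw:        kyverno_2971_resource,
		ExpectedPatternRaw: kyverno_2971_pattern,
	},
	// Global anchor: one policy and one expected pattern cover both an
	// emptyDir volume and a hostPath volume.
	{
		TestDescription:    "checks the global anchor variables for emptyDir",
		PolicyName:         "add-safe-to-evict",
		PolicyRaw:          annotate_host_path_policy,
		ResourceName:       "pod-with-emptydir",
		ResourceNamespace:  "emptydir",
		ResourceGVR:        podGVR,
		ResourceRaw:        podWithEmptyDirAsVolume,
		ExpectedPatternRaw: podWithVolumePattern,
	},
	{
		TestDescription:    "checks the global anchor variables for hostPath",
		PolicyName:         "add-safe-to-evict",
		PolicyRaw:          annotate_host_path_policy,
		ResourceName:       "pod-with-hostpath",
		ResourceNamespace:  "hostpath",
		ResourceGVR:        podGVR,
		ResourceRaw:        podWithHostPathAsVolume,
		ExpectedPatternRaw: podWithVolumePattern,
	},
}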
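// ingressTests runs the "mutate-ingress-host" ClusterPolicy (cpol) against an
// Ingress from each API version still seen in the field. Each sub-test names
// the GVR pieces and the Ingress manifest to create in testNamespace; skip
// gates the sub-test on the cluster's version.
//
// skip is evaluated when this package is initialised, so
// common.GetKubernetesVersion() talks to the cluster before any test
// function runs, and semver.MustParse panics on a malformed constant (the two
// literals below are well-formed). NOTE(review): confirm how
// GetKubernetesVersion behaves when no cluster is reachable — a failure here
// aborts the whole package rather than a single test.
var ingressTests = struct {
	testNamespace string
	cpol          []byte
	policyName    string
	tests         []struct {
		testName                          string
		group, version, rsc, resourceName string
		resource                          []byte
		skip                              bool
	}
}{
	testNamespace: "test-ingress",
	cpol:          mutateIngressCpol,
	policyName:    "mutate-ingress-host",
	tests: []struct {
		testName                          string
		group, version, rsc, resourceName string
		resource                          []byte
		skip                              bool
	}{
		{
			// networking.k8s.io/v1 Ingress is not served before 1.19, so this
			// case is skipped on older clusters.
			testName:     "test-networking-v1-ingress",
			group:        "networking.k8s.io",
			version:      "v1",
			rsc:          "ingresses",
			resourceName: "kuard-v1",
			resource:     ingressNetworkingV1,
			skip:         common.GetKubernetesVersion().LT(semver.MustParse("1.19.0")),
		},
		{
			// networking.k8s.io/v1beta1 Ingress is no longer served from 1.22, so
			// this case is skipped there. Delete it once every cluster the suite
			// runs against is >= 1.22.
			testName:     "test-networking-v1beta1-ingress",
			group:        "networking.k8s.io",
			version:      "v1beta1",
			rsc:          "ingresses",
			resourceName: "kuard-v1beta1",
			resource:     ingressNetworkingV1beta1,
			skip:         common.GetKubernetesVersion().GTE(semver.MustParse("1.22.0")),
		},
	},
}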
// mutateExistingOperation tells the mutate-existing runner how a test case
// should fire its policy (see the Operation field of mutateExistingTests).
// It is a plain string so the value can be printed in test output as-is.
type mutateExistingOperation string

const (
	// createTrigger fires the policy by creating the trigger resource
	// ("mutate existing on resource creation").
	createTrigger mutateExistingOperation = "createTrigger"
	// deleteTrigger fires the policy by deleting the trigger resource
	// ("mutate existing on resource deletion").
	deleteTrigger mutateExistingOperation = "deleteTrigger"
	// createPolicy fires the policy by creating the policy itself
	// ("mutate existing on policy creation").
	createPolicy mutateExistingOperation = "createPolicy"
)
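// Note: sometimes deleting namespaces takes time.
// Using different names for namespaces prevents collisions.
//
// mutateExistingTests is the table for mutate-existing rules: the policy is
// fired by an event on the trigger resource (a ConfigMap here) and patches a
// different, already-existing target resource (a Secret here) in the same
// namespace. Operation selects the firing event; ExpectedTargetRaw is the
// validate-style pattern the patched target is checked against.
//
// NOTE(review): because the targets are Secrets, the ExpectedTargetRaw
// patterns are the only thing pinning what the policy is allowed to change on
// a sensitive object; confirm they assert on the Secret's data keys and not
// just on metadata.
var mutateExistingTests = []struct {
	// TestDescription - Description of the Test
	TestDescription string
	// Operation describes how to trigger the policy
	Operation mutateExistingOperation
	// PolicyName - Name of the Policy
	PolicyName string
	// PolicyRaw - The Yaml file of the ClusterPolicy
	PolicyRaw []byte
	// TriggerName - Name of the Trigger Resource
	TriggerName string
	// TriggerNamespace - Namespace of the Trigger Resource
	TriggerNamespace string
	// TriggerGVR - GVR of the Trigger Resource
	TriggerGVR schema.GroupVersionResource
	// TriggerRaw - The Yaml file of the Trigger Resource
	TriggerRaw []byte
	// TargetName - Name of the Target Resource
	TargetName string
	// TargetNamespace - Namespace of the Target Resource
	TargetNamespace string
	// TargetGVR - GVR of the Target Resource
	TargetGVR schema.GroupVersionResource
	// TargetRaw - The Yaml file of the Target Resource (the existing object the
	// policy patches; the ClusterPolicy itself is PolicyRaw)
	TargetRaw []byte
	// ExpectedTargetRaw - The Yaml file that contains validate pattern for the expected result
	// This is not the final result. It is just used to validate the result from the engine.
	ExpectedTargetRaw []byte
}{
	{
		TestDescription:   "mutate existing on resource creation",
		Operation:         createTrigger,
		PolicyName:        "test-post-mutation-create-trigger",
		PolicyRaw:         policyCreateTrigger,
		TriggerName:       "dictionary-1",
		TriggerNamespace:  "staging-1",
		TriggerGVR:        configmGVR,
		TriggerRaw:        triggerCreateTrigger,
		TargetName:        "test-secret-1",
		TargetNamespace:   "staging-1",
		TargetGVR:         secretGVR,
		TargetRaw:         targetCreateTrigger,
		ExpectedTargetRaw: expectedTargetCreateTrigger,
	},
	{
		TestDescription:   "mutate existing on resource deletion",
		Operation:         deleteTrigger,
		PolicyName:        "test-post-mutation-delete-trigger",
		PolicyRaw:         policyDeleteTrigger,
		TriggerName:       "dictionary-2",
		TriggerNamespace:  "staging-2",
		TriggerGVR:        configmGVR,
		TriggerRaw:        triggerDeleteTrigger,
		TargetName:        "test-secret-2",
		TargetNamespace:   "staging-2",
		TargetGVR:         secretGVR,
		TargetRaw:         targetDeleteTrigger,
		ExpectedTargetRaw: expectedTargetDeleteTrigger,
	},
	{
		TestDescription:   "mutate existing on policy creation",
		Operation:         createPolicy,
		PolicyName:        "test-post-mutation-create-policy",
		PolicyRaw:         policyCreatePolicy,
		TriggerName:       "dictionary-3",
		TriggerNamespace:  "staging-3",
		TriggerGVR:        configmGVR,
		TriggerRaw:        triggerCreatePolicy,
		TargetName:        "test-secret-3",
		TargetNamespace:   "staging-3",
		TargetGVR:         secretGVR,
		TargetRaw:         targetCreatePolicy,
		ExpectedTargetRaw: expectedTargetCreatePolicy,
	},
	// Same trigger as the first case, but the policy uses patchesJson6902
	// instead of a strategic-merge style patch.
	{
		TestDescription:   "mutate existing (patchesJson6902) on resource creation",
		Operation:         createTrigger,
		PolicyName:        "test-post-mutation-json-patch-create-trigger",
		PolicyRaw:         policyCreateTriggerJsonPatch,
		TriggerName:       "dictionary-4",
		TriggerNamespace:  "staging-4",
		TriggerGVR:        configmGVR,
		TriggerRaw:        triggerCreateTriggerJsonPatch,
		TargetName:        "test-secret-4",
		TargetNamespace:   "staging-4",
		TargetGVR:         secretGVR,
		TargetRaw:         targetCreateTriggerJsonPatch,
		ExpectedTargetRaw: expectedCreateTriggerJsonPatch,
	},
}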