2020-10-16 16:27:04 -07:00
|
|
|
package apply
|
|
|
|
|
|
|
|
|
|
import (
|
2021-09-02 02:24:04 +05:30
|
|
|
"encoding/json"
|
2020-10-16 16:27:04 -07:00
|
|
|
"testing"
|
|
|
|
|
|
2021-10-29 18:13:20 +02:00
|
|
|
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
|
|
|
preport "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
2023-01-30 12:41:09 +01:00
|
|
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
2020-10-16 16:27:04 -07:00
|
|
|
"gotest.tools/assert"
|
|
|
|
|
v1 "k8s.io/api/core/v1"
|
|
|
|
|
)
|
|
|
|
|
|
2021-09-02 02:24:04 +05:30
|
|
|
var rawPolicy = []byte(`
|
|
|
|
|
{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "pod-requirements",
|
|
|
|
|
"annotations": {
|
|
|
|
|
"pod-policies.kyverno.io/autogen-controllers": "none"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"background": false,
|
|
|
|
|
"validationFailureAction": "audit",
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "pods-require-account",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"validate": {
|
|
|
|
|
"message": "User pods must include an account for charging",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"labels": {
|
|
|
|
|
"account": "*?"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "pods-require-limits",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"validate": {
|
|
|
|
|
"message": "CPU and memory resource requests and limits are required for user pods",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"resources": {
|
|
|
|
|
"requests": {
|
|
|
|
|
"memory": "?*",
|
|
|
|
|
"cpu": "?*"
|
|
|
|
|
},
|
|
|
|
|
"limits": {
|
|
|
|
|
"memory": "?*",
|
|
|
|
|
"cpu": "?*"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
`)
|
|
|
|
|
|
|
|
|
|
func Test_buildPolicyReports(t *testing.T) {
|
|
|
|
|
var policy kyverno.ClusterPolicy
|
|
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
2023-04-05 12:35:38 +02:00
|
|
|
er := engineapi.EngineResponse{}
|
2023-05-03 07:05:01 +02:00
|
|
|
er = er.WithPolicy(&policy)
|
2023-04-06 00:55:42 +02:00
|
|
|
er.PolicyResponse.Add(
|
|
|
|
|
engineapi.ExecutionStats{},
|
|
|
|
|
*engineapi.RuleFail(
|
|
|
|
|
"pods-require-account",
|
|
|
|
|
engineapi.Validation,
|
|
|
|
|
"validation error: User pods must include an account for charging. Rule pods-require-account failed at path /metadata/labels/",
|
|
|
|
|
),
|
|
|
|
|
*engineapi.RulePass(
|
|
|
|
|
"pods-require-limits",
|
|
|
|
|
engineapi.Validation,
|
|
|
|
|
"validation rule 'pods-require-limits' passed.",
|
|
|
|
|
),
|
2023-04-05 12:35:38 +02:00
|
|
|
)
|
2021-09-02 02:24:04 +05:30
|
|
|
|
2023-04-12 14:51:03 +02:00
|
|
|
reports := buildPolicyReports(false, er)
|
2021-09-02 02:24:04 +05:30
|
|
|
assert.Assert(t, len(reports) == 1, len(reports))
|
|
|
|
|
|
|
|
|
|
for _, report := range reports {
|
|
|
|
|
if report.GetNamespace() == "" {
|
|
|
|
|
assert.Assert(t, report.GetName() == clusterpolicyreport)
|
|
|
|
|
assert.Assert(t, report.GetKind() == "ClusterPolicyReport")
|
|
|
|
|
assert.Assert(t, len(report.UnstructuredContent()["results"].([]interface{})) == 2)
|
|
|
|
|
assert.Assert(t,
|
|
|
|
|
report.UnstructuredContent()["summary"].(map[string]interface{})[preport.StatusPass].(int64) == 1,
|
|
|
|
|
report.UnstructuredContent()["summary"].(map[string]interface{})[preport.StatusPass].(int64))
|
|
|
|
|
} else {
|
|
|
|
|
assert.Assert(t, report.GetName() == "policyreport-ns-default")
|
|
|
|
|
assert.Assert(t, report.GetKind() == "PolicyReport")
|
|
|
|
|
assert.Assert(t, len(report.UnstructuredContent()["results"].([]interface{})) == 2)
|
2021-09-26 21:15:13 -07:00
|
|
|
|
|
|
|
|
summary := report.UnstructuredContent()["summary"].(map[string]interface{})
|
|
|
|
|
assert.Assert(t, summary[preport.StatusPass].(int64) == 1, summary[preport.StatusPass].(int64))
|
2021-09-02 02:24:04 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_buildPolicyResults(t *testing.T) {
|
|
|
|
|
var policy kyverno.ClusterPolicy
|
|
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
2023-04-05 12:35:38 +02:00
|
|
|
er := engineapi.EngineResponse{}
|
2023-05-03 07:05:01 +02:00
|
|
|
er = er.WithPolicy(&policy)
|
2023-04-06 00:55:42 +02:00
|
|
|
er.PolicyResponse.Add(
|
|
|
|
|
engineapi.ExecutionStats{}, *engineapi.RuleFail(
|
|
|
|
|
"pods-require-account",
|
|
|
|
|
engineapi.Validation,
|
|
|
|
|
"validation error: User pods must include an account for charging. Rule pods-require-account failed at path /metadata/labels/",
|
|
|
|
|
),
|
|
|
|
|
*engineapi.RulePass(
|
|
|
|
|
"pods-require-limits",
|
|
|
|
|
engineapi.Validation,
|
|
|
|
|
"validation rule 'pods-require-limits' passed.",
|
|
|
|
|
),
|
2023-04-05 12:35:38 +02:00
|
|
|
)
|
2021-09-02 02:24:04 +05:30
|
|
|
|
2023-04-12 14:51:03 +02:00
|
|
|
results := buildPolicyResults(false, er)
|
2021-09-02 02:43:07 +05:30
|
|
|
|
|
|
|
|
for _, result := range results {
|
|
|
|
|
assert.Assert(t, len(result) == 2, len(result))
|
|
|
|
|
for _, r := range result {
|
|
|
|
|
switch r.Rule {
|
|
|
|
|
case "pods-require-limits":
|
2021-10-29 18:13:20 +02:00
|
|
|
assert.Assert(t, r.Result == preport.StatusPass)
|
2021-09-02 02:43:07 +05:30
|
|
|
case "pods-require-account":
|
2021-10-29 18:13:20 +02:00
|
|
|
assert.Assert(t, r.Result == preport.StatusFail)
|
2021-09-02 02:43:07 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-09-02 02:24:04 +05:30
|
|
|
}
|
2020-10-16 16:27:04 -07:00
|
|
|
|
|
|
|
|
func Test_calculateSummary(t *testing.T) {
|
2022-04-28 11:11:14 +02:00
|
|
|
results := []preport.PolicyReportResult{
|
2020-10-16 16:27:04 -07:00
|
|
|
{
|
2022-04-28 11:11:14 +02:00
|
|
|
Resources: make([]v1.ObjectReference, 5),
|
2021-10-29 18:13:20 +02:00
|
|
|
Result: preport.PolicyResult(preport.StatusPass),
|
2020-10-16 16:27:04 -07:00
|
|
|
},
|
2021-10-29 18:13:20 +02:00
|
|
|
{Result: preport.PolicyResult(preport.StatusFail)},
|
|
|
|
|
{Result: preport.PolicyResult(preport.StatusFail)},
|
|
|
|
|
{Result: preport.PolicyResult(preport.StatusFail)},
|
2020-10-16 16:27:04 -07:00
|
|
|
{
|
2022-04-28 11:11:14 +02:00
|
|
|
Resources: make([]v1.ObjectReference, 1),
|
2021-10-29 18:13:20 +02:00
|
|
|
Result: preport.PolicyResult(preport.StatusPass)},
|
2020-10-16 16:27:04 -07:00
|
|
|
{
|
2022-04-28 11:11:14 +02:00
|
|
|
Resources: make([]v1.ObjectReference, 4),
|
2021-10-29 18:13:20 +02:00
|
|
|
Result: preport.PolicyResult(preport.StatusPass),
|
2020-10-16 16:27:04 -07:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
summary := calculateSummary(results)
|
2020-11-04 15:22:12 +05:30
|
|
|
assert.Assert(t, summary.Pass == 3)
|
2020-10-16 16:27:04 -07:00
|
|
|
assert.Assert(t, summary.Fail == 3)
|
|
|
|
|
}
|
