2019-06-07 14:46:18 +03:00
|
|
|
package engine
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"testing"
|
|
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
|
2019-06-07 14:46:18 +03:00
|
|
|
"gotest.tools/assert"
|
2019-08-21 12:03:53 -07:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2019-06-07 14:46:18 +03:00
|
|
|
)
|
|
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
// Match multiple kinds
|
|
|
|
|
func TestResourceDescriptionMatch_MultipleKind(t *testing.T) {
|
|
|
|
|
rawResource := []byte(`{
|
|
|
|
|
"apiVersion": "apps/v1",
|
|
|
|
|
"kind": "Deployment",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "nginx-deployment",
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"replicas": 3,
|
|
|
|
|
"selector": {
|
|
|
|
|
"matchLabels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"template": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "nginx",
|
|
|
|
|
"image": "nginx:1.7.9",
|
|
|
|
|
"ports": [
|
|
|
|
|
{
|
|
|
|
|
"containerPort": 80
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
|
|
|
Kinds: []string{"Deployment", "Pods"},
|
2019-06-07 14:46:18 +03:00
|
|
|
Selector: &metav1.LabelSelector{
|
|
|
|
|
MatchLabels: nil,
|
|
|
|
|
MatchExpressions: nil,
|
|
|
|
|
},
|
|
|
|
|
}
|
2019-08-21 12:03:53 -07:00
|
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{resourceDescription}}
|
|
|
|
|
|
|
|
|
|
assert.Assert(t, MatchesResourceDescription(*resource, rule))
|
|
|
|
|
}
|
2019-06-07 14:46:18 +03:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
// Match resource name
|
|
|
|
|
func TestResourceDescriptionMatch_Name(t *testing.T) {
|
2019-06-07 14:46:18 +03:00
|
|
|
rawResource := []byte(`{
|
2019-08-21 12:03:53 -07:00
|
|
|
"apiVersion": "apps/v1",
|
|
|
|
|
"kind": "Deployment",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "nginx-deployment",
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"replicas": 3,
|
|
|
|
|
"selector": {
|
|
|
|
|
"matchLabels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"template": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "nginx",
|
|
|
|
|
"image": "nginx:1.7.9",
|
|
|
|
|
"ports": [
|
|
|
|
|
{
|
|
|
|
|
"containerPort": 80
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-06-07 14:46:18 +03:00
|
|
|
}
|
2019-08-21 12:03:53 -07:00
|
|
|
}`)
|
|
|
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
2019-06-07 14:46:18 +03:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
}
|
|
|
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
|
|
|
Kinds: []string{"Deployment"},
|
|
|
|
|
Name: "nginx-deployment",
|
2019-06-07 14:46:18 +03:00
|
|
|
Selector: &metav1.LabelSelector{
|
|
|
|
|
MatchLabels: nil,
|
|
|
|
|
MatchExpressions: nil,
|
|
|
|
|
},
|
|
|
|
|
}
|
2019-08-21 12:03:53 -07:00
|
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{resourceDescription}}
|
2019-07-26 07:28:34 -04:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
assert.Assert(t, MatchesResourceDescription(*resource, rule))
|
|
|
|
|
}
|
2019-06-07 14:46:18 +03:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
// Match resource regex
|
|
|
|
|
func TestResourceDescriptionMatch_Name_Regex(t *testing.T) {
|
2019-06-07 14:46:18 +03:00
|
|
|
rawResource := []byte(`{
|
2019-08-21 12:03:53 -07:00
|
|
|
"apiVersion": "apps/v1",
|
|
|
|
|
"kind": "Deployment",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "nginx-deployment",
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"replicas": 3,
|
|
|
|
|
"selector": {
|
|
|
|
|
"matchLabels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"template": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "nginx",
|
|
|
|
|
"image": "nginx:1.7.9",
|
|
|
|
|
"ports": [
|
|
|
|
|
{
|
|
|
|
|
"containerPort": 80
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-06-07 14:46:18 +03:00
|
|
|
}
|
2019-08-21 12:03:53 -07:00
|
|
|
}`)
|
|
|
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
2019-06-07 14:46:18 +03:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
}
|
|
|
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
|
|
|
Kinds: []string{"Deployment"},
|
|
|
|
|
Name: "nginx-*",
|
|
|
|
|
Selector: &metav1.LabelSelector{
|
|
|
|
|
MatchLabels: nil,
|
|
|
|
|
MatchExpressions: nil,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{resourceDescription}}
|
2019-06-07 14:46:18 +03:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
assert.Assert(t, MatchesResourceDescription(*resource, rule))
|
|
|
|
|
}
|
2019-06-07 14:46:18 +03:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
// Match expressions for labels to not match
|
|
|
|
|
func TestResourceDescriptionMatch_Label_Expression_NotMatch(t *testing.T) {
|
|
|
|
|
rawResource := []byte(`{
|
|
|
|
|
"apiVersion": "apps/v1",
|
|
|
|
|
"kind": "Deployment",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "nginx-deployment",
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"replicas": 3,
|
|
|
|
|
"selector": {
|
|
|
|
|
"matchLabels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"template": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "nginx",
|
|
|
|
|
"image": "nginx:1.7.9",
|
|
|
|
|
"ports": [
|
|
|
|
|
{
|
|
|
|
|
"containerPort": 80
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-06-07 14:46:18 +03:00
|
|
|
}
|
2019-08-21 12:03:53 -07:00
|
|
|
}`)
|
|
|
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
2019-06-07 14:46:18 +03:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
}
|
|
|
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
|
|
|
Kinds: []string{"Deployment"},
|
|
|
|
|
Name: "nginx-*",
|
2019-06-07 14:46:18 +03:00
|
|
|
Selector: &metav1.LabelSelector{
|
|
|
|
|
MatchLabels: nil,
|
|
|
|
|
MatchExpressions: []metav1.LabelSelectorRequirement{
|
|
|
|
|
metav1.LabelSelectorRequirement{
|
|
|
|
|
Key: "label2",
|
|
|
|
|
Operator: "NotIn",
|
|
|
|
|
Values: []string{
|
|
|
|
|
"sometest1",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
2019-08-21 12:03:53 -07:00
|
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{resourceDescription}}
|
2019-06-07 14:46:18 +03:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
assert.Assert(t, MatchesResourceDescription(*resource, rule))
|
2019-06-07 14:46:18 +03:00
|
|
|
}
|
|
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
// Match label expression in matching set
|
|
|
|
|
func TestResourceDescriptionMatch_Label_Expression_Match(t *testing.T) {
|
2019-06-07 14:46:18 +03:00
|
|
|
rawResource := []byte(`{
|
2019-08-21 12:03:53 -07:00
|
|
|
"apiVersion": "apps/v1",
|
|
|
|
|
"kind": "Deployment",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "nginx-deployment",
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"replicas": 3,
|
|
|
|
|
"selector": {
|
|
|
|
|
"matchLabels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"template": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "nginx",
|
|
|
|
|
"image": "nginx:1.7.9",
|
|
|
|
|
"ports": [
|
|
|
|
|
{
|
|
|
|
|
"containerPort": 80
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-06-07 14:46:18 +03:00
|
|
|
}
|
2019-08-21 12:03:53 -07:00
|
|
|
}`)
|
|
|
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
2019-06-07 14:46:18 +03:00
|
|
|
|
|
|
|
|
}
|
2019-08-21 12:03:53 -07:00
|
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
|
|
|
Kinds: []string{"Deployment"},
|
|
|
|
|
Name: "nginx-*",
|
2019-06-07 14:46:18 +03:00
|
|
|
Selector: &metav1.LabelSelector{
|
2019-08-21 12:03:53 -07:00
|
|
|
MatchLabels: nil,
|
2019-06-07 14:46:18 +03:00
|
|
|
MatchExpressions: []metav1.LabelSelectorRequirement{
|
|
|
|
|
metav1.LabelSelectorRequirement{
|
2019-08-21 12:03:53 -07:00
|
|
|
Key: "app",
|
|
|
|
|
Operator: "NotIn",
|
2019-06-07 14:46:18 +03:00
|
|
|
Values: []string{
|
2019-08-21 12:03:53 -07:00
|
|
|
"nginx1",
|
|
|
|
|
"nginx2",
|
2019-06-07 14:46:18 +03:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
2019-08-21 12:03:53 -07:00
|
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{resourceDescription}}
|
|
|
|
|
|
|
|
|
|
assert.Assert(t, MatchesResourceDescription(*resource, rule))
|
|
|
|
|
}
|
2019-06-07 14:46:18 +03:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
// check for exclude conditions
|
|
|
|
|
func TestResourceDescriptionExclude_Label_Expression_Match(t *testing.T) {
|
2019-06-07 14:46:18 +03:00
|
|
|
rawResource := []byte(`{
|
2019-08-21 12:03:53 -07:00
|
|
|
"apiVersion": "apps/v1",
|
|
|
|
|
"kind": "Deployment",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "nginx-deployment",
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx",
|
|
|
|
|
"block": "true"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"replicas": 3,
|
|
|
|
|
"selector": {
|
|
|
|
|
"matchLabels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"template": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"labels": {
|
|
|
|
|
"app": "nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "nginx",
|
|
|
|
|
"image": "nginx:1.7.9",
|
|
|
|
|
"ports": [
|
|
|
|
|
{
|
|
|
|
|
"containerPort": 80
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-06-07 14:46:18 +03:00
|
|
|
}
|
2019-08-21 12:03:53 -07:00
|
|
|
}`)
|
|
|
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
2019-06-07 14:46:18 +03:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
}
|
|
|
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
|
|
|
Kinds: []string{"Deployment"},
|
|
|
|
|
Name: "nginx-*",
|
2019-06-07 14:46:18 +03:00
|
|
|
Selector: &metav1.LabelSelector{
|
2019-08-21 12:03:53 -07:00
|
|
|
MatchLabels: nil,
|
2019-06-07 14:46:18 +03:00
|
|
|
MatchExpressions: []metav1.LabelSelectorRequirement{
|
|
|
|
|
metav1.LabelSelectorRequirement{
|
2019-08-21 12:03:53 -07:00
|
|
|
Key: "app",
|
2019-06-07 14:46:18 +03:00
|
|
|
Operator: "NotIn",
|
|
|
|
|
Values: []string{
|
2019-08-21 12:03:53 -07:00
|
|
|
"nginx1",
|
|
|
|
|
"nginx2",
|
2019-06-07 14:46:18 +03:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
resourceDescriptionExclude := kyverno.ResourceDescription{
|
2019-06-07 14:46:18 +03:00
|
|
|
Selector: &metav1.LabelSelector{
|
|
|
|
|
MatchLabels: map[string]string{
|
2019-08-21 12:03:53 -07:00
|
|
|
"block": "true",
|
2019-06-07 14:46:18 +03:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{resourceDescription},
|
|
|
|
|
ExcludeResources: kyverno.ExcludeResources{resourceDescriptionExclude}}
|
2019-06-07 14:46:18 +03:00
|
|
|
|
2019-08-21 12:03:53 -07:00
|
|
|
assert.Assert(t, !MatchesResourceDescription(*resource, rule))
|
2019-06-07 14:46:18 +03:00
|
|
|
}
|
2019-06-13 17:20:00 +03:00
|
|
|
|
|
|
|
|
func TestWrappedWithParentheses_StringIsWrappedWithParentheses(t *testing.T) {
|
|
|
|
|
str := "(something)"
|
|
|
|
|
assert.Assert(t, isConditionAnchor(str))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestWrappedWithParentheses_StringHasOnlyParentheses(t *testing.T) {
|
|
|
|
|
str := "()"
|
|
|
|
|
assert.Assert(t, isConditionAnchor(str))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestWrappedWithParentheses_StringHasNoParentheses(t *testing.T) {
|
|
|
|
|
str := "something"
|
|
|
|
|
assert.Assert(t, !isConditionAnchor(str))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestWrappedWithParentheses_StringHasLeftParentheses(t *testing.T) {
|
|
|
|
|
str := "(something"
|
|
|
|
|
assert.Assert(t, !isConditionAnchor(str))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestWrappedWithParentheses_StringHasRightParentheses(t *testing.T) {
|
|
|
|
|
str := "something)"
|
|
|
|
|
assert.Assert(t, !isConditionAnchor(str))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestWrappedWithParentheses_StringParenthesesInside(t *testing.T) {
|
|
|
|
|
str := "so)m(et(hin)g"
|
|
|
|
|
assert.Assert(t, !isConditionAnchor(str))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestWrappedWithParentheses_Empty(t *testing.T) {
|
|
|
|
|
str := ""
|
|
|
|
|
assert.Assert(t, !isConditionAnchor(str))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestIsExistanceAnchor_Yes(t *testing.T) {
|
|
|
|
|
assert.Assert(t, isExistanceAnchor("^(abc)"))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestIsExistanceAnchor_NoRightBracket(t *testing.T) {
|
|
|
|
|
assert.Assert(t, !isExistanceAnchor("^(abc"))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestIsExistanceAnchor_OnlyHat(t *testing.T) {
|
|
|
|
|
assert.Assert(t, !isExistanceAnchor("^abc"))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestIsExistanceAnchor_ConditionAnchor(t *testing.T) {
|
|
|
|
|
assert.Assert(t, !isExistanceAnchor("(abc)"))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestRemoveAnchor_ConditionAnchor(t *testing.T) {
|
|
|
|
|
assert.Equal(t, removeAnchor("(abc)"), "abc")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestRemoveAnchor_ExistanceAnchor(t *testing.T) {
|
|
|
|
|
assert.Equal(t, removeAnchor("^(abc)"), "abc")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestRemoveAnchor_EmptyExistanceAnchor(t *testing.T) {
|
|
|
|
|
assert.Equal(t, removeAnchor("^()"), "")
|
|
|
|
|
}
|
