package policy
import (
"encoding/json"
"testing"
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
"gotest.tools/assert"
)
// Test_Validate_UniqueRuleName checks that validateUniqueRuleName rejects a
// policy whose rules share a name. Rule names are the handle used to report
// and trace a rule, so two rules with the same name must not be accepted.
func Test_Validate_UniqueRuleName(t *testing.T) {
	rawPolicy := []byte(`{
		"spec": {
			"validationFailureAction": "audit",
			"rules": [
				{
					"name": "deny-privileged-disallowpriviligedescalation",
					"match": {"resources": {"kinds": ["Pod"]}},
					"validate": {}
				},
				{
					"name": "deny-privileged-disallowpriviligedescalation",
					"match": {"resources": {"kinds": ["Pod"]}},
					"validate": {}
				}
			]
		}
	}`)

	var policy kyverno.ClusterPolicy
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	// Both rules carry the same name, so the validator must report an error.
	_, err := validateUniqueRuleName(policy)
	assert.Assert(t, err != nil)
}
// Test_Validate_RuleType_EmptyRule gives validateRuleType a rule whose mutate
// and validate sections are both present but empty. Together with the
// MultipleRule/SingleRule siblings this pins the contract that a rule must
// carry exactly one populated operation; an empty one is rejected.
func Test_Validate_RuleType_EmptyRule(t *testing.T) {
	rawPolicy := []byte(`{
		"spec": {
			"rules": [{
				"name": "validate-user-privilege",
				"match": {
					"resources": {
						"kinds": ["Deployment"],
						"selector": {"matchLabels": {"app.type": "prod"}}
					}
				},
				"mutate": {},
				"validate": {}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	for i := range policy.Spec.Rules {
		// An empty rule is a policy that enforces nothing; it must be refused.
		ruleErr := validateRuleType(policy.Spec.Rules[i])
		assert.Assert(t, ruleErr != nil)
	}
}
// Test_Validate_RuleType_MultipleRule checks that a rule with both a mutate
// overlay and a validate pattern is rejected by validateRuleType: only one
// operation per rule is allowed.
func Test_Validate_RuleType_MultipleRule(t *testing.T) {
	rawPolicy := []byte(`{
		"spec": {
			"rules": [{
				"name": "validate-user-privilege",
				"match": {
					"resources": {
						"kinds": ["Deployment"],
						"selector": {"matchLabels": {"app.type": "prod"}}
					}
				},
				"mutate": {
					"overlay": {
						"spec": {"template": {"spec": {"containers": [{
							"(name)": "*",
							"resources": {"limits": {"+(memory)": "300Mi", "+(cpu)": "100"}}
						}]}}}
					}
				},
				"validate": {
					"message": "validate container security contexts",
					"anyPattern": [{
						"spec": {"template": {"spec": {"containers": [{
							"securityContext": {"runAsNonRoot": true}
						}]}}}
					}]
				}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	for i := range policy.Spec.Rules {
		// mutate and validate are both populated: expected to be refused.
		ruleErr := validateRuleType(policy.Spec.Rules[i])
		assert.Assert(t, ruleErr != nil)
	}
}
// Test_Validate_RuleType_SingleRule is the positive counterpart of the
// EmptyRule/MultipleRule tests: a rule carrying only a validate section is
// accepted by validateRuleType.
func Test_Validate_RuleType_SingleRule(t *testing.T) {
	rawPolicy := []byte(`{
		"spec": {
			"rules": [{
				"name": "validate-user-privilege",
				"match": {
					"resources": {
						"kinds": ["Deployment"],
						"selector": {"matchLabels": {"app.type": "prod"}}
					}
				},
				"validate": {
					"message": "validate container security contexts",
					"anyPattern": [{
						"spec": {"template": {"spec": {"containers": [{
							"securityContext": {"runAsNonRoot": "true"}
						}]}}}
					}]
				}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	for i := range policy.Spec.Rules {
		assert.NilError(t, validateRuleType(policy.Spec.Rules[i]))
	}
}
// Test_Validate_ResourceDescription_Empty checks that an empty match
// description ({}) is rejected by validateMatchedResourceDescription. A match
// block that selects nothing would make the rule a silent no-op.
func Test_Validate_ResourceDescription_Empty(t *testing.T) {
	var rd kyverno.ResourceDescription
	assert.NilError(t, json.Unmarshal([]byte(`{}`), &rd))

	_, err := validateMatchedResourceDescription(rd)
	assert.Assert(t, err != nil)
}
2019-10-21 14:22:31 -07:00
// Test_Validate_ResourceDescription_MatchedValid checks that a match
// description with kinds and a well-formed label selector is accepted by
// validateMatchedResourceDescription.
func Test_Validate_ResourceDescription_MatchedValid(t *testing.T) {
	rawDescription := []byte(`{
		"kinds": ["Deployment"],
		"selector": {"matchLabels": {"app.type": "prod"}}
	}`)

	var rd kyverno.ResourceDescription
	assert.NilError(t, json.Unmarshal(rawDescription, &rd))

	_, err := validateMatchedResourceDescription(rd)
	assert.NilError(t, err)
}
// Test_Validate_ResourceDescription_MissingKindsOnExclude checks that an
// exclude description may omit kinds: unlike match (see the Empty test),
// validateExcludeResourceDescription accepts a selector-only exclude block.
func Test_Validate_ResourceDescription_MissingKindsOnExclude(t *testing.T) {
	rawExclude := []byte(`{
		"selector": {"matchLabels": {"app.type": "prod"}}
	}`)

	var rd kyverno.ResourceDescription
	assert.NilError(t, json.Unmarshal(rawExclude, &rd))

	_, err := validateExcludeResourceDescription(rd)
	assert.NilError(t, err)
}
// Test_Validate_ResourceDescription_InvalidSelector checks that a selector
// whose labels are placed directly under "selector" (instead of under
// matchLabels/matchExpressions) is rejected by validateResourceDescription.
// Such a selector decodes to an empty label selector and would otherwise
// match far more resources than the author intended.
func Test_Validate_ResourceDescription_InvalidSelector(t *testing.T) {
	rawDescription := []byte(`{
		"kinds": ["Deployment"],
		"selector": {"app.type": "prod"}
	}`)

	var rd kyverno.ResourceDescription
	assert.NilError(t, json.Unmarshal(rawDescription, &rd))

	assert.Assert(t, validateResourceDescription(rd) != nil)
}
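// Test_Validate_OverlayPattern_Empty checks that a validate block with neither
// pattern nor anyPattern is rejected by validateValidation.
//
// Fix: the assertion used to sit inside `if err != nil { ... }`, which made it
// vacuous — a validator that accepted the empty block would still have passed.
// A validate rule with no pattern can never constrain a resource, so such a
// policy would enforce nothing; the error is now asserted unconditionally.
func Test_Validate_OverlayPattern_Empty(t *testing.T) {
	rawValidation := []byte(`{}`)
	var validation kyverno.Validation
	err := json.Unmarshal(rawValidation, &validation)
	assert.NilError(t, err)

	_, err = validateValidation(validation)
	assert.Assert(t, err != nil, "validate block without pattern/anyPattern must be rejected")
}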
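// Test_Validate_OverlayPattern_Nil_PatternAnypattern checks that a validate
// block carrying only a message (no pattern, no anyPattern) is rejected.
//
// Fix: the assertion was guarded by `if err != nil`, so the test could not
// fail when the validator accepted the block. The error is now asserted
// unconditionally.
func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) {
	rawValidation := []byte(`{
		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
	}`)
	var validation kyverno.Validation
	err := json.Unmarshal(rawValidation, &validation)
	assert.NilError(t, err)

	_, err = validateValidation(validation)
	assert.Assert(t, err != nil, "message-only validate block must be rejected")
}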
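// Test_Validate_OverlayPattern_Exist_PatternAnypattern checks that a validate
// block specifying both pattern and anyPattern is rejected: the two are
// mutually exclusive, and accepting both would leave it ambiguous which one
// the admission check applies.
//
// Fix: the assertion was wrapped in `if err != nil`, so it could never fail.
// The error is now asserted unconditionally.
func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) {
	rawValidation := []byte(`{
		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
		"anyPattern": [{
			"spec": {"securityContext": {"allowPrivilegeEscalation": false, "privileged": false}}
		}],
		"pattern": {
			"spec": {"containers": [{
				"name": "*",
				"securityContext": {"allowPrivilegeEscalation": false, "privileged": false}
			}]}
		}
	}`)

	var validation kyverno.Validation
	err := json.Unmarshal(rawValidation, &validation)
	assert.NilError(t, err)

	_, err = validateValidation(validation)
	assert.Assert(t, err != nil, "pattern and anyPattern together must be rejected")
}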
// Test_Validate_OverlayPattern_Valid is the positive case for
// validateValidation: a message plus an anyPattern list (and no pattern) is
// accepted without error.
func Test_Validate_OverlayPattern_Valid(t *testing.T) {
	rawValidation := []byte(`{
		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
		"anyPattern": [
			{
				"spec": {"securityContext": {"allowPrivilegeEscalation": false, "privileged": false}}
			},
			{
				"spec": {"containers": [{
					"name": "*",
					"securityContext": {"allowPrivilegeEscalation": false, "privileged": false}
				}]}
			}
		]
	}`)

	var validation kyverno.Validation
	assert.NilError(t, json.Unmarshal(rawValidation, &validation))

	_, err := validateValidation(validation)
	assert.NilError(t, err)
}
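// Test_Validate_ExistingAnchor_AnchorOnMap checks that the existence anchor
// `^()` is rejected when placed on a map value ("^(securityContext)": {...}).
// An anchor the engine does not support at that position would never match,
// so the security-context check it is meant to enforce would silently not run.
//
// Fix: the assertion was wrapped in `if err != nil`, so a validator that
// accepted the anchor would still have passed; it is now unconditional.
func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) {
	rawValidation := []byte(`{
		"message": "validate container security contexts",
		"anyPattern": [{
			"spec": {"template": {"spec": {"containers": [{
				"^(securityContext)": {"runAsNonRoot": true}
			}]}}}
		}]
	}`)
	var validation kyverno.Validation
	err := json.Unmarshal(rawValidation, &validation)
	assert.NilError(t, err)

	_, err = validateValidation(validation)
	assert.Assert(t, err != nil, "existence anchor on a map must be rejected")
}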
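// Test_Validate_ExistingAnchor_AnchorOnString checks that the existence anchor
// `^()` is rejected when used inside a scalar value ("^(false)").
//
// Fix: the assertion was wrapped in `if err != nil` and could never fail; it
// is now unconditional so a validator that lets the anchor through is caught.
func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) {
	rawValidation := []byte(`{
		"message": "validate container security contexts",
		"pattern": {
			"spec": {"template": {"spec": {"containers": [{
				"securityContext": {"allowPrivilegeEscalation": "^(false)"}
			}]}}}
		}
	}`)
	var validation kyverno.Validation
	err := json.Unmarshal(rawValidation, &validation)
	assert.NilError(t, err)

	_, err = validateValidation(validation)
	assert.Assert(t, err != nil, "existence anchor on a string value must be rejected")
}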
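// Test_Validate_ExistingAnchor_Valid checks that the existence anchor `^()` is
// accepted on a list ("^(containers)": [...]), both inside anyPattern and
// inside pattern. The AnchorOnMap/AnchorOnString siblings cover the rejected
// placements, and Test_Validate_Policy accepts the same construct through the
// top-level Validate, so no error is expected here.
//
// Two defects fixed: (1) the assertion was `if err != nil { assert err != nil }`,
// which can never fail, and in a test named "Valid" was also the wrong
// direction; (2) the second fixture was decoded into the same
// kyverno.Validation value as the first, so the first case's anyPattern stayed
// set next to the new pattern — a combination validateValidation rejects (see
// Test_Validate_OverlayPattern_Exist_PatternAnypattern). Each case now decodes
// into a fresh value and asserts a nil error.
func Test_Validate_ExistingAnchor_Valid(t *testing.T) {
	cases := []struct {
		name string
		raw  []byte
	}{
		{
			name: "existence anchor on list inside anyPattern",
			raw: []byte(`{
				"message": "validate container security contexts",
				"anyPattern": [{
					"spec": {"template": {"spec": {
						"^(containers)": [{"securityContext": {"runAsNonRoot": "true"}}]
					}}}
				}]
			}`),
		},
		{
			name: "existence anchor on list inside pattern",
			raw: []byte(`{
				"message": "validate container security contexts",
				"pattern": {
					"spec": {"template": {"spec": {
						"^(containers)": [{"securityContext": {"allowPrivilegeEscalation": "false"}}]
					}}}
				}
			}`),
		},
	}

	for _, tc := range cases {
		// A fresh value per case prevents fields of one fixture leaking into the next.
		var validation kyverno.Validation
		err := json.Unmarshal(tc.raw, &validation)
		assert.NilError(t, err, tc.name)

		_, err = validateValidation(validation)
		assert.NilError(t, err, tc.name)
	}
}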
// Test_Validate_Validate_ValidAnchor covers anchors that validateValidation
// accepts in validate patterns: the condition anchor `()` and the existence
// anchor `^()` on a list (case 1), and the equality anchor `=()` (case 2).
func Test_Validate_Validate_ValidAnchor(t *testing.T) {
	fixtures := [][]byte{
		// case 1: condition anchor and existence anchor on a list, in anyPattern
		[]byte(`{
			"message": "Root user is not allowed. Set runAsNonRoot to true.",
			"anyPattern": [
				{"spec": {"securityContext": {"(runAsNonRoot)": true}}},
				{"spec": {"^(containers)": [{"name": "*", "securityContext": {"runAsNonRoot": true}}]}}
			]
		}`),
		// case 2: equality anchor in pattern
		[]byte(`{
			"message": "Root user is not allowed. Set runAsNonRoot to true.",
			"pattern": {"spec": {"=(securityContext)": {"runAsNonRoot": "true"}}}
		}`),
	}

	for i, raw := range fixtures {
		// Start from a zero value so the previous case's fields do not carry over.
		var validate kyverno.Validation
		assert.NilError(t, json.Unmarshal(raw, &validate), "case %d", i+1)

		_, err := validateValidation(validate)
		assert.NilError(t, err, "case %d", i+1)
	}
}
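// Test_Validate_Validate_Mismatched checks that the add-if-absent anchor `+()`
// — a mutate-only anchor — is rejected inside a validate pattern. If it were
// accepted, the runAsNonRoot check would be written with an anchor the
// validate engine does not evaluate and the rule would not enforce it.
//
// Fix: the assertion was wrapped in `if err != nil` and could never fail; it
// is now unconditional.
func Test_Validate_Validate_Mismatched(t *testing.T) {
	rawValidate := []byte(`{
		"message": "Root user is not allowed. Set runAsNonRoot to true.",
		"pattern": {
			"spec": {"containers": [{
				"name": "*",
				"securityContext": {"+(runAsNonRoot)": true}
			}]}
		}
	}`)

	var validate kyverno.Validation
	err := json.Unmarshal(rawValidate, &validate)
	assert.NilError(t, err)

	_, err = validateValidation(validate)
	assert.Assert(t, err != nil, "+() anchor in a validate pattern must be rejected")
}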
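// Test_Validate_Validate_Unsupported checks that anchor syntaxes the engine
// does not define — `!()` and `~()` — are rejected in validate patterns. An
// unknown anchor that slipped through would be treated as a literal key and
// never match, so the policy would silently stop enforcing the check.
//
// Fix: both assertions were wrapped in `if err != nil` and could never fail;
// each case now decodes into a fresh value and asserts the error outright.
func Test_Validate_Validate_Unsupported(t *testing.T) {
	cases := []struct {
		name string
		raw  []byte
	}{
		{
			name: "negation-like !() anchor",
			raw: []byte(`{
				"message": "Root user is not allowed. Set runAsNonRoot to true.",
				"pattern": {
					"spec": {"containers": [{
						"name": "*",
						"securityContext": {"!(runAsNonRoot)": true}
					}]}
				}
			}`),
		},
		{
			name: "tilde ~() anchor",
			raw: []byte(`{
				"message": "Root user is not allowed. Set runAsNonRoot to true.",
				"pattern": {
					"spec": {"containers": [{
						"name": "*",
						"securityContext": {"~(runAsNonRoot)": true}
					}]}
				}
			}`),
		},
	}

	for _, tc := range cases {
		var validate kyverno.Validation
		err := json.Unmarshal(tc.raw, &validate)
		assert.NilError(t, err, tc.name)

		_, err = validateValidation(validate)
		assert.Assert(t, err != nil, tc.name)
	}
}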
// Test_Validate_Policy runs the top-level Validate over a complete, well-formed
// ClusterPolicy: two validate rules on labelled Deployments, one using
// anyPattern and one using pattern, both with the existence anchor on the
// containers list. No error is expected.
func Test_Validate_Policy(t *testing.T) {
	const matchProdDeployments = `{
		"resources": {
			"kinds": ["Deployment"],
			"selector": {"matchLabels": {"app.type": "prod"}}
		}
	}`

	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {"name": "container-security-context"},
		"spec": {
			"rules": [
				{
					"name": "validate-runAsNonRoot",
					"match": ` + matchProdDeployments + `,
					"validate": {
						"message": "validate container security contexts",
						"anyPattern": [{
							"spec": {"template": {"spec": {
								"^(containers)": [{"securityContext": {"runAsNonRoot": "true"}}]
							}}}
						}]
					}
				},
				{
					"name": "validate-allowPrivilegeEscalation",
					"match": ` + matchProdDeployments + `,
					"validate": {
						"message": "validate container security contexts",
						"pattern": {
							"spec": {"template": {"spec": {
								"^(containers)": [{"securityContext": {"allowPrivilegeEscalation": "false"}}]
							}}}
						}
					}
				}
			]
		}
	}`)

	var policy kyverno.ClusterPolicy
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	assert.NilError(t, Validate(policy))
}
// Test_Validate_Mutate_ConditionAnchor checks that the condition anchor `()`
// is accepted in a mutate overlay by validateMutation.
func Test_Validate_Mutate_ConditionAnchor(t *testing.T) {
	rawMutate := []byte(`{
		"overlay": {
			"spec": {
				"(serviceAccountName)": "*",
				"automountServiceAccountToken": false
			}
		}
	}`)

	var mutate kyverno.Mutation
	assert.NilError(t, json.Unmarshal(rawMutate, &mutate))

	_, err := validateMutation(mutate)
	assert.NilError(t, err)
}
// Test_Validate_Mutate_PlusAnchor checks that the add-if-absent anchor `+()`
// is accepted in a mutate overlay by validateMutation.
func Test_Validate_Mutate_PlusAnchor(t *testing.T) {
	rawMutate := []byte(`{
		"overlay": {
			"spec": {
				"+(serviceAccountName)": "*",
				"automountServiceAccountToken": false
			}
		}
	}`)

	var mutate kyverno.Mutation
	assert.NilError(t, json.Unmarshal(rawMutate, &mutate))

	_, err := validateMutation(mutate)
	assert.NilError(t, err)
}
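// Test_Validate_Mutate_Mismatched checks that anchors belonging to validate
// patterns — existence `^()`, equality `=()` and negation `X()` — are rejected
// inside a mutate overlay. A mutate rule written with one of these would not
// apply the intended change (here: disabling service-account token mounting).
//
// Two defects fixed: every assertion was wrapped in `if err != nil` and could
// never fail, and the third case decoded the X() fixture into mutateNegation
// but then validated mutateEqual, so the negation anchor was never checked.
// Each case now decodes into a fresh value and asserts the error outright.
func Test_Validate_Mutate_Mismatched(t *testing.T) {
	cases := []struct {
		name string
		raw  []byte
	}{
		{
			name: "existence anchor ^() in overlay",
			raw: []byte(`{
				"overlay": {
					"spec": {
						"^(serviceAccountName)": "*",
						"automountServiceAccountToken": false
					}
				}
			}`),
		},
		{
			name: "equality anchor =() in overlay",
			raw: []byte(`{
				"overlay": {
					"spec": {
						"=(serviceAccountName)": "*",
						"automountServiceAccountToken": false
					}
				}
			}`),
		},
		{
			name: "negation anchor X() in overlay",
			raw: []byte(`{
				"overlay": {
					"spec": {
						"X(serviceAccountName)": "*",
						"automountServiceAccountToken": false
					}
				}
			}`),
		},
	}

	for _, tc := range cases {
		var mutate kyverno.Mutation
		err := json.Unmarshal(tc.raw, &mutate)
		assert.NilError(t, err, tc.name)

		_, err = validateMutation(mutate)
		assert.Assert(t, err != nil, tc.name)
	}
}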
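// Test_Validate_Mutate_Unsupported checks that undefined anchor syntaxes
// (`!()` and `~()`) are rejected in a mutate overlay by validateMutation.
//
// Fix: both assertions were wrapped in `if err != nil` and could never fail;
// each case now decodes into a fresh value and asserts the error outright.
func Test_Validate_Mutate_Unsupported(t *testing.T) {
	cases := []struct {
		name string
		raw  []byte
	}{
		{
			name: "!() anchor in overlay",
			raw: []byte(`{
				"overlay": {
					"spec": {
						"!(serviceAccountName)": "*",
						"automountServiceAccountToken": false
					}
				}
			}`),
		},
		{
			name: "~() anchor in overlay",
			raw: []byte(`{
				"overlay": {
					"spec": {
						"~(serviceAccountName)": "*",
						"automountServiceAccountToken": false
					}
				}
			}`),
		},
	}

	for _, tc := range cases {
		var mutate kyverno.Mutation
		err := json.Unmarshal(tc.raw, &mutate)
		assert.NilError(t, err, tc.name)

		_, err = validateMutation(mutate)
		assert.Assert(t, err != nil, tc.name)
	}
}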
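// Test_Validate_Generate is the positive case for validateGeneration: a
// generate block with kind, name and anchor-free data (a default-deny
// NetworkPolicy) is accepted. The negative case, data containing anchors, is
// Test_Validate_Generate_HasAnchors.
//
// Fix: the original asserted `err != nil` but only inside `if err != nil`, so
// it could neither fail nor express the intended outcome. As the anchor-free
// sibling of HasAnchors this fixture is expected to be valid, so a nil error
// is now asserted unconditionally.
func Test_Validate_Generate(t *testing.T) {
	rawGenerate := []byte(`{
		"kind": "NetworkPolicy",
		"name": "defaultnetworkpolicy",
		"data": {
			"spec": {
				"podSelector": {},
				"policyTypes": ["Ingress", "Egress"],
				"ingress": [{}],
				"egress": [{}]
			}
		}
	}`)

	var generate kyverno.Generation
	err := json.Unmarshal(rawGenerate, &generate)
	assert.NilError(t, err)

	_, err = validateGeneration(generate)
	assert.NilError(t, err)
}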
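// Test_Validate_Generate_HasAnchors checks that validateGeneration rejects
// anchors in a generate block: a condition anchor inside data and an existence
// anchor inside clone. Generated resources are written verbatim, so an anchor
// would end up as a literal key in the created object.
//
// Three defects fixed: the assertions were wrapped in `if err != nil` and could
// never fail; the second fixture was unmarshalled twice; and it was decoded
// into the same kyverno.Generation value as the first, so the anchored data
// from case 1 was still present during case 2 and the clone anchor was never
// tested on its own. Each case now decodes into a fresh value and asserts the
// error outright.
func Test_Validate_Generate_HasAnchors(t *testing.T) {
	cases := []struct {
		name string
		raw  []byte
	}{
		{
			name: "condition anchor in data",
			raw: []byte(`{
				"kind": "NetworkPolicy",
				"name": "defaultnetworkpolicy",
				"data": {
					"spec": {
						"(podSelector)": {},
						"policyTypes": ["Ingress", "Egress"],
						"ingress": [{}],
						"egress": [{}]
					}
				}
			}`),
		},
		{
			name: "existence anchor in clone",
			raw: []byte(`{
				"kind": "ConfigMap",
				"name": "copied-cm",
				"clone": {
					"^(namespace)": "default",
					"name": "game"
				}
			}`),
		},
	}

	for _, tc := range cases {
		var generate kyverno.Generation
		err := json.Unmarshal(tc.raw, &generate)
		assert.NilError(t, err, tc.name)

		_, err = validateGeneration(generate)
		assert.Assert(t, err != nil, tc.name)
	}
}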
// Test_Validate_ErrorFormat runs Validate over a policy that packs several
// invalid constructs into one document and checks that it is refused. The
// fixture contains: an exclude selector with a label placed directly under
// "selector", a match with an empty kinds list, two rules named
// "validate-user-privilege", an equality anchor `=(image)` in a mutate
// overlay, an existence anchor on a map (`^(securityContext)`) in a validate
// pattern, and an existence anchor in a generate clone. Which of these the
// validator reports first is not pinned here; only that an error is returned.
func Test_Validate_ErrorFormat(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {"name": "test-error-format"},
		"spec": {
			"rules": [
				{
					"name": "image-pull-policy",
					"match": {
						"resources": {
							"kinds": ["Deployment"],
							"selector": {"matchLabels": {"app": "nginxlatest"}}
						}
					},
					"exclude": {
						"resources": {"selector": {"app": "nginxlatest"}}
					},
					"mutate": {
						"overlay": {
							"spec": {"template": {"spec": {"containers": [{
								"=(image)": "*latest",
								"imagePullPolicy": "IfNotPresent"
							}]}}}
						}
					}
				},
				{
					"name": "validate-user-privilege",
					"match": {
						"resources": {
							"kinds": [],
							"selector": {"matchLabels": {"app.type": "prod"}}
						}
					},
					"validate": {
						"message": "validate container security contexts",
						"anyPattern": [{
							"spec": {"template": {"spec": {
								"^(containers)": [{"securityContext": {"runAsNonRoot": "true"}}]
							}}}
						}]
					}
				},
				{
					"name": "validate-user-privilege",
					"match": {
						"resources": {
							"kinds": ["Deployment"],
							"selector": {"matchLabels": {"app.type": "prod"}}
						}
					},
					"validate": {
						"message": "validate container security contexts",
						"pattern": {
							"spec": {"template": {"spec": {"containers": [{
								"^(securityContext)": {"allowPrivilegeEscalation": "false"}
							}]}}}
						}
					}
				},
				{
					"name": "default-networkpolicy",
					"match": {
						"resources": {"kinds": ["Namespace"], "name": "devtest"}
					},
					"generate": {
						"kind": "ConfigMap",
						"name": "copied-cm",
						"clone": {"^(namespace)": "default", "name": "game-config"}
					}
				}
			]
		}
	}`)

	var policy kyverno.ClusterPolicy
	assert.NilError(t, json.Unmarshal(rawPolicy, &policy))

	assert.Assert(t, Validate(policy) != nil)
}
// Test_Validate_EmptyUserInfo checks that validateUserInfo accepts a rule whose
// match.subjects is null (no user-info constraint at all).
func Test_Validate_EmptyUserInfo(t *testing.T) {
	rawRule := []byte(`{
		"name": "test",
		"match": {"subjects": null}
	}`)

	var rule kyverno.Rule
	assert.NilError(t, json.Unmarshal(rawRule, &rule))

	_, err := validateUserInfo(rule)
	assert.NilError(t, err)
}
// Test_Validate_Roles checks that validateUserInfo rejects a match.roles list
// containing an entry without a namespace qualifier ("name2" alongside the
// well-formed "namespace1:name1"), and that the reported path is
// "match.roles". A role reference that cannot be resolved to a namespace
// could otherwise make the rule match (or skip) unintended requesters.
func Test_Validate_Roles(t *testing.T) {
	rawRule := []byte(`{
		"name": "test",
		"match": {"roles": ["namespace1:name1", "name2"]}
	}`)

	var rule kyverno.Rule
	assert.NilError(t, json.Unmarshal(rawRule, &rule))

	path, err := validateUserInfo(rule)
	assert.Assert(t, err != nil)
	assert.Equal(t, path, "match.roles")
}
// Test_Validate_ServiceAccount checks that validateUserInfo rejects an
// exclude.subjects entry of kind ServiceAccount that carries a name but no
// namespace, and that the reported path is "exclude.subjects". Excluding a
// service account by bare name would be ambiguous across namespaces.
func Test_Validate_ServiceAccount(t *testing.T) {
	rawRule := []byte(`{
		"name": "test",
		"exclude": {
			"subjects": [{"kind": "ServiceAccount", "name": "testname"}]
		}
	}`)

	var rule kyverno.Rule
	assert.NilError(t, json.Unmarshal(rawRule, &rule))

	path, err := validateUserInfo(rule)
	assert.Assert(t, err != nil)
	assert.Equal(t, path, "exclude.subjects")
}
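// Test_BackGroundUserInfo_match_roles checks that ContainsUserInfo flags a rule
// whose match block references roles, reporting the exact path. Such rules
// depend on the admission request's user info and cannot be applied in
// background (non-admission) mode.
//
// Fix: the original called err.Error() before checking err, so a nil result
// panicked with a nil-pointer dereference instead of reporting a clean test
// failure. assert.Error checks non-nil and the message in one step.
func Test_BackGroundUserInfo_match_roles(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {"name": "disallow-root-user"},
		"spec": {
			"rules": [{
				"name": "match.roles",
				"match": {"roles": ["a", "b"]}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	err = ContainsUserInfo(policy)
	assert.Error(t, err, "userInfo variable used at path: spec/rules[0]/match/roles")
}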
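// Test_BackGroundUserInfo_match_clusterRoles checks that ContainsUserInfo
// flags a rule whose match block references clusterRoles, reporting the exact
// path.
//
// Fix: err.Error() was called before checking err, so a nil result would
// panic rather than fail cleanly; assert.Error covers both checks.
func Test_BackGroundUserInfo_match_clusterRoles(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {"name": "disallow-root-user"},
		"spec": {
			"rules": [{
				"name": "match.clusterRoles",
				"match": {"clusterRoles": ["a", "b"]}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	err = ContainsUserInfo(policy)
	assert.Error(t, err, "userInfo variable used at path: spec/rules[0]/match/clusterRoles")
}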
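// Test_BackGroundUserInfo_match_subjects checks that ContainsUserInfo flags a
// rule whose match block lists subjects, reporting the exact path.
//
// Fix: err.Error() was called before checking err, so a nil result would
// panic rather than fail cleanly; assert.Error covers both checks.
func Test_BackGroundUserInfo_match_subjects(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {"name": "disallow-root-user"},
		"spec": {
			"rules": [{
				"name": "match.subjects",
				"match": {"subjects": [{"Name": "a"}, {"Name": "b"}]}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	err = ContainsUserInfo(policy)
	assert.Error(t, err, "userInfo variable used at path: spec/rules[0]/match/subjects")
}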
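// Test_BackGroundUserInfo_mutate_overlay1 checks that ContainsUserInfo flags a
// mutate overlay that references the {{request.userInfo}} variable and reports
// the overlay path.
//
// Fix: the original compared err.Error() without first checking err, so a nil
// result (the variable not being detected) would panic instead of failing the
// test with the expected message. assert.Error performs both checks.
func Test_BackGroundUserInfo_mutate_overlay1(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {"name": "disallow-root-user"},
		"spec": {
			"rules": [{
				"name": "mutate.overlay1",
				"mutate": {"overlay": {"var1": "{{request.userInfo}}"}}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	err = ContainsUserInfo(policy)
	assert.Error(t, err, "userInfo variable used at spec/rules[0]/mutate/overlay")
}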
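// Test_BackGroundUserInfo_mutate_overlay2 checks that ContainsUserInfo also
// flags a nested user-info reference ({{request.userInfo.userName}}) in a
// mutate overlay, not only the bare {{request.userInfo}} form.
//
// Fix: err.Error() was dereferenced before checking err; assert.Error checks
// non-nil and the message together.
func Test_BackGroundUserInfo_mutate_overlay2(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {"name": "disallow-root-user"},
		"spec": {
			"rules": [{
				"name": "mutate.overlay2",
				"mutate": {"overlay": {"var1": "{{request.userInfo.userName}}"}}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	err = ContainsUserInfo(policy)
	assert.Error(t, err, "userInfo variable used at spec/rules[0]/mutate/overlay")
}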
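// Test_BackGroundUserInfo_validate_pattern checks that ContainsUserInfo flags
// a {{request.userInfo}} reference inside a validate pattern and reports the
// pattern path.
//
// Fix: err.Error() was dereferenced before checking err; assert.Error checks
// non-nil and the message together.
func Test_BackGroundUserInfo_validate_pattern(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {"name": "disallow-root-user"},
		"spec": {
			"rules": [{
				"name": "validate.overlay",
				"validate": {"pattern": {"var1": "{{request.userInfo}}"}}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	err = ContainsUserInfo(policy)
	assert.Error(t, err, "userInfo variable used at spec/rules[0]/validate/pattern")
}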
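// Test_BackGroundUserInfo_validate_anyPattern checks that ContainsUserInfo
// flags a {{request.userInfo}} reference in the second anyPattern entry and
// reports the indexed path (anyPattern[1]), not just the first entry.
//
// Fix: err.Error() was dereferenced before checking err; assert.Error checks
// non-nil and the message together.
func Test_BackGroundUserInfo_validate_anyPattern(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {"name": "disallow-root-user"},
		"spec": {
			"rules": [{
				"name": "validate.anyPattern",
				"validate": {
					"anyPattern": [
						{"var1": "temp"},
						{"var1": "{{request.userInfo}}"}
					]
				}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	err = ContainsUserInfo(policy)
	assert.Error(t, err, "userInfo variable used at spec/rules[0]/validate/anyPattern[1]")
}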
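// Test_BackGroundUserInfo_validate_anyPattern_multiple_var checks that
// ContainsUserInfo still detects {{request.userInfo}} when it is one of
// several variables in the same string ("{{request.userInfo}}-{{temp}}").
//
// Fix: err.Error() was dereferenced before checking err; assert.Error checks
// non-nil and the message together.
func Test_BackGroundUserInfo_validate_anyPattern_multiple_var(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {"name": "disallow-root-user"},
		"spec": {
			"rules": [{
				"name": "validate.anyPattern",
				"validate": {
					"anyPattern": [
						{"var1": "temp"},
						{"var1": "{{request.userInfo}}-{{temp}}"}
					]
				}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	err = ContainsUserInfo(policy)
	assert.Error(t, err, "userInfo variable used at spec/rules[0]/validate/anyPattern[1]")
}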
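// Test_BackGroundUserInfo_validate_anyPattern_serviceAccount checks that
// ContainsUserInfo treats the {{serviceAccountName}} variable as user-info
// dependent as well, reporting the anyPattern[1] path.
//
// Fix: err.Error() was dereferenced before checking err; assert.Error checks
// non-nil and the message together.
func Test_BackGroundUserInfo_validate_anyPattern_serviceAccount(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {"name": "disallow-root-user"},
		"spec": {
			"rules": [{
				"name": "validate.anyPattern",
				"validate": {
					"anyPattern": [
						{"var1": "temp"},
						{"var1": "{{serviceAccountName}}"}
					]
				}
			}]
		}
	}`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	err = ContainsUserInfo(policy)
	assert.Error(t, err, "userInfo variable used at spec/rules[0]/validate/anyPattern[1]")
}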
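// Test_ruleOnlyDealsWithResourceMetaData table-tests
// ruleOnlyDealsWithResourceMetaData: a rule whose mutate overlay, mutate
// patches, validate pattern or anyPattern touch only "metadata" yields true;
// any reference to "spec" yields false.
//
// Fix: the fixture's json.Unmarshal error was discarded, so a malformed
// fixture would have silently tested the zero kyverno.Rule (for which the
// "fail" cases would trivially hold). The error is now fatal, and failure
// messages include the case description and the observed/expected values.
func Test_ruleOnlyDealsWithResourceMetaData(t *testing.T) {
	testcases := []struct {
		description    string
		rule           []byte
		expectedOutput bool
	}{
		{
			description:    "Test mutate overlay - pass",
			rule:           []byte(`{"name":"test","mutate":{"overlay":{"metadata":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}`),
			expectedOutput: true,
		},
		{
			description:    "Test mutate overlay - fail",
			rule:           []byte(`{"name":"test","mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}`),
			expectedOutput: false,
		},
		{
			description:    "Test mutate patch - pass",
			rule:           []byte(`{"name":"testPatches","mutate":{"patches":[{"path":"/metadata/labels/isMutated","op":"add","value":"true"},{"path":"/metadata/labels/app","op":"replace","value":"nginx_is_mutated"}]}}`),
			expectedOutput: true,
		},
		{
			description:    "Test mutate patch - fail",
			rule:           []byte(`{"name":"testPatches","mutate":{"patches":[{"path":"/spec/labels/isMutated","op":"add","value":"true"},{"path":"/metadata/labels/app","op":"replace","value":"nginx_is_mutated"}]}}`),
			expectedOutput: false,
		},
		{
			description:    "Test validate - pass",
			rule:           []byte(`{"name":"testValidate","validate":{"message":"CPU and memory resource requests and limits are required","pattern":{"metadata":{"containers":[{"(name)":"*","ports":[{"containerPort":80}]}]}}}}`),
			expectedOutput: true,
		},
		{
			description:    "Test validate - fail",
			rule:           []byte(`{"name":"testValidate","validate":{"message":"CPU and memory resource requests and limits are required","pattern":{"spec":{"containers":[{"(name)":"*","ports":[{"containerPort":80}]}]}}}}`),
			expectedOutput: false,
		},
		{
			description:    "Test validate any pattern - pass",
			rule:           []byte(`{"name":"testValidateAnyPattern","validate":{"message":"Volumes white list","anyPattern":[{"metadata":{"volumes":[{"hostPath":"*"}]}},{"metadata":{"volumes":[{"emptyDir":"*"}]}},{"metadata":{"volumes":[{"configMap":"*"}]}}]}}`),
			expectedOutput: true,
		},
		{
			description:    "Test validate any pattern - fail",
			rule:           []byte(`{"name":"testValidateAnyPattern","validate":{"message":"Volumes white list","anyPattern":[{"spec":{"volumes":[{"hostPath":"*"}]}},{"metadata":{"volumes":[{"emptyDir":"*"}]}},{"metadata":{"volumes":[{"configMap":"*"}]}}]}}`),
			expectedOutput: false,
		},
	}

	for i, testcase := range testcases {
		var rule kyverno.Rule
		if err := json.Unmarshal(testcase.rule, &rule); err != nil {
			// A broken fixture must not degrade into testing the zero Rule.
			t.Fatalf("Testcase [%d] (%s): invalid fixture: %v", i+1, testcase.description, err)
		}

		got := ruleOnlyDealsWithResourceMetaData(rule)
		if got != testcase.expectedOutput {
			t.Errorf("Testcase [%d] (%s) failed: got %v, want %v", i+1, testcase.description, got, testcase.expectedOutput)
		}
	}
}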
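// Test_validateMatchExcludeConflict checks that validateMatchExcludeConflict
// rejects a rule whose exclude block repeats a value already listed in its
// match block, and accepts one whose exclude block does not.
//
// Every case uses the same match block (matchBlock below) so that only the
// exclude block varies. Each "fail" case copies one match value into exclude
// (a clusterrole, a role, a whole subject, a resource kind, the resource name,
// a namespace, a selector label, or a selector match expression) and expects
// an error; the paired "pass" case alters that value so the two blocks no
// longer overlap and expects no error. Note that a single overlapping element
// is enough to trigger an error (e.g. exclude namespaces ["something2",
// "something1"] fails because "something1" is also matched), and that a
// subject only conflicts when all of its fields are identical.
//
// NOTE(review): the validator presumably exists because a rule that excludes
// what it matches can never apply to those resources, i.e. is a silently
// disabled policy — confirm against validateMatchExcludeConflict.
func Test_validateMatchExcludeConflict(t *testing.T) {
	// The match block shared by all cases; the fail cases below reuse values
	// from it verbatim, so keep them in sync if it is ever edited.
	const matchBlock = `{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}`

	// withExclude builds a complete rule JSON document from an exclude block.
	withExclude := func(exclude string) []byte {
		return []byte(`{"name":"set-image-pull-policy-2","match":` + matchBlock + `,"exclude":` + exclude + `}`)
	}

	testcases := []struct {
		description   string
		rule          []byte
		expectedError bool
	}{
		{
			description:   "Testing cluster roles - fail",
			rule:          withExclude(`{"clusterroles":["something"]}`),
			expectedError: true,
		},
		{
			description:   "Testing cluster roles - pass",
			rule:          withExclude(`{"clusterroles":["something2"]}`),
			expectedError: false,
		},
		{
			description:   "Testing roles - fail",
			rule:          withExclude(`{"roles":["something"]}`),
			expectedError: true,
		},
		{
			description:   "Testing roles - pass",
			rule:          withExclude(`{"roles":["something2"]}`),
			expectedError: false,
		},
		{
			description:   "Testing subjects - fail",
			rule:          withExclude(`{"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"}]}`),
			expectedError: true,
		},
		{
			description:   "Testing subjects - pass",
			rule:          withExclude(`{"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something1"}]}`),
			expectedError: false,
		},
		{
			description:   "Testing resource kind - fail",
			rule:          withExclude(`{"resources":{"kinds":["Pod","Namespace1"]}}`),
			expectedError: true,
		},
		{
			description:   "Testing resource kind - pass",
			rule:          withExclude(`{"resources":{"kinds":["Pod1","Namespace1"]}}`),
			expectedError: false,
		},
		{
			description:   "Testing resource name - fail",
			rule:          withExclude(`{"resources":{"name":"something"}}`),
			expectedError: true,
		},
		{
			description:   "Testing resource name - pass",
			rule:          withExclude(`{"resources":{"name":"something1"}}`),
			expectedError: false,
		},
		{
			description:   "Testing resource namespace - fail",
			rule:          withExclude(`{"resources":{"namespaces":["something2","something1"]}}`),
			expectedError: true,
		},
		{
			description:   "Testing resource namespace - pass",
			rule:          withExclude(`{"resources":{"namespaces":["something2","something3"]}}`),
			expectedError: false,
		},
		{
			description:   "Testing resource selector label - fail",
			rule:          withExclude(`{"resources":{"selector":{"matchLabels":{"memory":"high"}}}}`),
			expectedError: true,
		},
		{
			description:   "Testing resource selector label - pass",
			rule:          withExclude(`{"resources":{"selector":{"matchLabels":{"memory":"high1"}}}}`),
			expectedError: false,
		},
		{
			description:   "Testing resource selector match expression - fail",
			rule:          withExclude(`{"resources":{"selector":{"matchExpressions":[{"key":"tier1","operator":"In","values":["database"]},{"key":"tier","operator":"In","values":["database"]}]}}}`),
			expectedError: true,
		},
		{
			description:   "Testing resource selector match expression - pass",
			rule:          withExclude(`{"resources":{"selector":{"matchExpressions":[{"key":"tier1","operator":"In","values":["database"]},{"key":"tier2","operator":"In","values":["database"]}]}}}`),
			expectedError: false,
		},
	}

	for i, tc := range testcases {
		t.Run(tc.description, func(t *testing.T) {
			var rule kyverno.Rule
			// A malformed fixture must fail loudly: silently decoding into an
			// empty Rule would make the validator's verdict meaningless here.
			if err := json.Unmarshal(tc.rule, &rule); err != nil {
				t.Fatalf("Testcase [%d] (%s): invalid rule JSON: %v", i+1, tc.description, err)
			}

			err := validateMatchExcludeConflict(rule)
			if gotError := err != nil; gotError != tc.expectedError {
				t.Errorf("Testcase [%d] failed - description - %v: expected error=%v, got %v",
					i+1, tc.description, tc.expectedError, err)
			}
		})
	}
}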