From 04bc4ed7c6357f9d3ecc2f5e6b39ad3e39214ca4 Mon Sep 17 00:00:00 2001 From: Dhananjay Kumar Sharma Date: Wed, 23 Aug 2023 21:25:39 +0530 Subject: [PATCH] Migrated scenario based tests to CLI (#8055) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * migrated scenarios to cli and resolved conflicts Signed-off-by: Dhananjay Kumar Sharma * Modified Makefile Signed-off-by: Dhananjay Kumar Sharma * Update Makefile Signed-off-by: Dhananjay Kumar Sharma * Create patchedresource.yaml Signed-off-by: Dhananjay Kumar Sharma * Update kyverno-test.yaml Signed-off-by: Dhananjay Kumar Sharma * Delete test/cli/scenarios_to_cli/other /scenario_mutate_validate_qos directory Signed-off-by: Dhananjay Kumar Sharma * Update kyverno-test.yaml Signed-off-by: Dhananjay Kumar Sharma * Create patchedresource.yaml Signed-off-by: Dhananjay Kumar Sharma * Update policy.yaml Signed-off-by: Dhananjay Kumar Sharma * Update policy.yaml Signed-off-by: Dhananjay Kumar Sharma * fixes Signed-off-by: Charles-Edouard Brétéché * fixes Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Dhananjay Kumar Sharma 
Signed-off-by: Charles-Edouard Brétéché Co-authored-by: Charles-Edouard Brétéché --- Makefile | 7 ++- .../kyverno-test.yaml | 12 +++++ .../patchedresource.yaml | 15 ++++++ .../scenario_mutate_endpoint/policy.yaml} | 19 +++---- .../scenario_mutate_endpoint/resource.yaml} | 0 .../kyverno-test.yaml | 12 +++++ .../patchedresource.yaml} | 16 +++--- .../scenario_mutate_pod_spec/policy.yaml} | 17 ++++--- .../scenario_mutate_pod_spec/resource.yaml} | 0 .../kyverno-test.yaml | 11 ++++ .../policy.yaml} | 7 +-- .../resource.yaml} | 0 .../kyverno-test.yaml | 11 ++++ .../policy.yaml} | 14 +++--- .../resource.yaml} | 5 +- .../kyverno-test.yaml | 16 ++++++ .../policy.yaml} | 24 +++++---- .../resource.yaml} | 0 .../kyverno-test.yaml | 11 ++++ .../policy.yaml} | 9 ++-- .../resource.yaml} | 0 .../kyverno-test.yaml | 11 ++++ .../policy.yaml} | 15 +++--- .../resource.yaml} | 0 .../kyverno-test.yaml | 11 ++++ .../more/restrict_ingress_classes/policy.yaml | 23 +++++++++ .../restrict_ingress_classes/resource.yaml} | 0 .../mutate/policy_mutate_validate_qos.yaml | 50 ------------------- test/resources/disallow_host_filesystem.yaml | 18 ------- .../disallow_host_filesystem_pass.yaml | 17 ------- .../disallow_host_network_hostport.yaml | 12 ----- test/resources/disallow_hostpid_hostipc.yaml | 10 ---- test/resources/disallow_privileged.yaml | 11 ---- test/resources/ingress-haproxy.yaml | 14 ------ test/resources/pod-with-default-volume.yaml | 18 ------- test/resources/pod-with-emptydir.yaml | 14 ------ test/resources/pod-with-hostpath.yaml | 16 ------ .../require_default_network_policy.yaml | 4 -- test/resources/require_namespace_quota.yaml | 4 -- .../resource_validate_sysctl_configs.yaml | 16 ------ .../other/scenario_mutate_endpoint.yaml | 21 -------- .../other/scenario_mutate_pod_spec.yaml | 20 -------- .../other/scenario_mutate_validate_qos.yaml | 36 ------------- .../scenario_validate_default_proc_mount.yaml | 21 -------- ...idate_disallow_default_serviceaccount.yaml | 20 -------- 
.../other/scenario_validate_healthChecks.yaml | 24 --------- .../scenario_validate_selinux_context.yaml | 20 -------- .../scenario_validate_volume_whiltelist.yaml | 21 -------- .../best_practices/add_networkPolicy.yaml | 24 --------- .../samples/best_practices/add_ns_quota.yaml | 26 ---------- .../best_practices/add_safe_to_evict.yaml | 25 ---------- .../best_practices/add_safe_to_evict2.yaml | 25 ---------- .../best_practices/add_safe_to_evict3.yaml | 27 ---------- .../disallow_bind_mounts_fail.yaml | 20 -------- .../disallow_bind_mounts_pass.yaml | 19 ------- .../disallow_host_network_port.yaml | 22 -------- .../best_practices/disallow_host_pid_ipc.yaml | 19 ------- .../best_practices/disallow_priviledged.yaml | 22 -------- .../best_practices/disallow_sysctls.yaml | 20 -------- .../more/restrict_automount_sa_token.yaml | 19 ------- .../more/restrict_ingress_classes.yaml | 19 ------- .../samples/more/unknown_ingress_class.yaml | 19 ------- 62 files changed, 205 insertions(+), 754 deletions(-) create mode 100644 test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/kyverno-test.yaml create mode 100644 test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/patchedresource.yaml rename test/{policy/mutate/policy_mutate_endpoint.yaml => cli/scenarios_to_cli/other /scenario_mutate_endpoint/policy.yaml} (68%) rename test/{resources/resource_mutate_endpoint.yaml => cli/scenarios_to_cli/other /scenario_mutate_endpoint/resource.yaml} (100%) create mode 100644 test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/kyverno-test.yaml rename test/{resources/resource_mutate_validate_qos.yaml => cli/scenarios_to_cli/other /scenario_mutate_pod_spec/patchedresource.yaml} (54%) rename test/{policy/mutate/policy_mutate_pod_spec.yaml => cli/scenarios_to_cli/other /scenario_mutate_pod_spec/policy.yaml} (61%) rename test/{resources/resource_mutate_pod_spec.yaml => cli/scenarios_to_cli/other /scenario_mutate_pod_spec/resource.yaml} (100%) create mode 100644 
test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/kyverno-test.yaml rename test/{policy/validate/policy_validate_default_proc_mount.yaml => cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/policy.yaml} (84%) rename test/{resources/resource_validate_default_proc_mount.yaml => cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/resource.yaml} (100%) create mode 100644 test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/kyverno-test.yaml rename test/{policy/validate/policy_validate_disallow_default_serviceaccount.yaml => cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/policy.yaml} (67%) rename test/{resources/disallow_automountingapicred.yaml => cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/resource.yaml} (64%) create mode 100644 test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/kyverno-test.yaml rename test/{policy/validate/policy_validate_healthChecks.yaml => cli/scenarios_to_cli/other /scenario_validate_healthChecks/policy.yaml} (70%) rename test/{resources/resource_validate_healthChecks.yaml => cli/scenarios_to_cli/other /scenario_validate_healthChecks/resource.yaml} (100%) create mode 100644 test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/kyverno-test.yaml rename test/{policy/validate/policy_validate_selinux_context.yaml => cli/scenarios_to_cli/other /scenario_validate_selinux_context/policy.yaml} (83%) rename test/{resources/resource_validate_selinux_context.yaml => cli/scenarios_to_cli/other /scenario_validate_selinux_context/resource.yaml} (100%) create mode 100644 test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/kyverno-test.yaml rename test/{policy/validate/policy_validate_volume_whitelist.yaml => cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/policy.yaml} (67%) rename test/{resources/resource_validate_volume_whitelist.yaml => 
cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/resource.yaml} (100%) create mode 100644 test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/kyverno-test.yaml create mode 100644 test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/policy.yaml rename test/{resources/ingress-nginx.yaml => cli/scenarios_to_cli/samples/more/restrict_ingress_classes/resource.yaml} (100%) delete mode 100644 test/policy/mutate/policy_mutate_validate_qos.yaml delete mode 100644 test/resources/disallow_host_filesystem.yaml delete mode 100644 test/resources/disallow_host_filesystem_pass.yaml delete mode 100644 test/resources/disallow_host_network_hostport.yaml delete mode 100644 test/resources/disallow_hostpid_hostipc.yaml delete mode 100644 test/resources/disallow_privileged.yaml delete mode 100644 test/resources/ingress-haproxy.yaml delete mode 100644 test/resources/pod-with-default-volume.yaml delete mode 100644 test/resources/pod-with-emptydir.yaml delete mode 100644 test/resources/pod-with-hostpath.yaml delete mode 100644 test/resources/require_default_network_policy.yaml delete mode 100644 test/resources/require_namespace_quota.yaml delete mode 100644 test/resources/resource_validate_sysctl_configs.yaml delete mode 100644 test/scenarios/other/scenario_mutate_endpoint.yaml delete mode 100644 test/scenarios/other/scenario_mutate_pod_spec.yaml delete mode 100644 test/scenarios/other/scenario_mutate_validate_qos.yaml delete mode 100644 test/scenarios/other/scenario_validate_default_proc_mount.yaml delete mode 100644 test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml delete mode 100644 test/scenarios/other/scenario_validate_healthChecks.yaml delete mode 100644 test/scenarios/other/scenario_validate_selinux_context.yaml delete mode 100644 test/scenarios/other/scenario_validate_volume_whiltelist.yaml delete mode 100644 test/scenarios/samples/best_practices/add_networkPolicy.yaml delete mode 100644 
test/scenarios/samples/best_practices/add_ns_quota.yaml delete mode 100644 test/scenarios/samples/best_practices/add_safe_to_evict.yaml delete mode 100644 test/scenarios/samples/best_practices/add_safe_to_evict2.yaml delete mode 100644 test/scenarios/samples/best_practices/add_safe_to_evict3.yaml delete mode 100644 test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml delete mode 100644 test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml delete mode 100644 test/scenarios/samples/best_practices/disallow_host_network_port.yaml delete mode 100644 test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml delete mode 100644 test/scenarios/samples/best_practices/disallow_priviledged.yaml delete mode 100644 test/scenarios/samples/best_practices/disallow_sysctls.yaml delete mode 100644 test/scenarios/samples/more/restrict_automount_sa_token.yaml delete mode 100644 test/scenarios/samples/more/restrict_ingress_classes.yaml delete mode 100644 test/scenarios/samples/more/unknown_ingress_class.yaml diff --git a/Makefile b/Makefile index d7414fc404..367442f3ac 100644 --- a/Makefile +++ b/Makefile @@ -688,7 +688,7 @@ test-kuttl: $(KUTTL) ## Run kuttl tests TEST_GIT_BRANCH ?= main .PHONY: test-cli -test-cli: test-cli-policies test-cli-local test-cli-local-mutate test-cli-local-generate test-cli-test-case-selector-flag test-cli-registry ## Run all CLI tests +test-cli: test-cli-policies test-cli-local test-cli-local-mutate test-cli-local-generate test-cli-test-case-selector-flag test-cli-registry test-cli-scenarios-to-cli ## Run all CLI tests .PHONY: test-cli-policies test-cli-policies: $(CLI_BIN) @@ -715,6 +715,11 @@ test-cli-test-case-selector-flag: $(CLI_BIN) test-cli-registry: $(CLI_BIN) @$(CLI_BIN) test ./test/cli/registry --registry +.PHONY: test-cli-scenarios-to-cli +test-cli-scenarios-to-cli: $(CLI_BIN) + @$(CLI_BIN) test ./test/cli/scenarios_to_cli --registry + + ############# # HELM TEST # ############# 
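Review bot: The new `test-cli-scenarios-to-cli` target passes `--registry`, which (judging from the existing `test-cli-registry` target, the only other user of the flag) enables live registry lookups during `kyverno test`; none of the migrated scenarios reference image data, so the flag only makes an otherwise hermetic test target depend on network access and remote registries — `@$(CLI_BIN) test ./test/cli/scenarios_to_cli` is enough. The tree the target points at contains a sub-directory literally named `other ` with a trailing space (visible in every `create mode`/`rename` path above and in the commit message), which is easy to mistype and breaks tooling that trims or quotes paths; renaming it to `other` before this lands would avoid that. The two blank lines appended after the recipe are also unnecessary.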
diff --git a/test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/kyverno-test.yaml b/test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/kyverno-test.yaml new file mode 100644 index 0000000000..8cbe45badc --- /dev/null +++ b/test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/kyverno-test.yaml @@ -0,0 +1,12 @@ +name: policy-endpoints +policies: + - policy.yaml +resources: + - resource.yaml +results: + - policy: policy-endpoints + rule: pEP + resource: test-endpoint + patchedresource: patchedresource.yaml + kind: Endpoints + result: pass diff --git a/test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/patchedresource.yaml b/test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/patchedresource.yaml new file mode 100644 index 0000000000..2744f94a7a --- /dev/null +++ b/test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/patchedresource.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Endpoints +metadata: + creationTimestamp: + labels: + isMutated: 'true' + label: test + name: test-endpoint +subsets: +- addresses: + - ip: 192.168.10.171 + ports: + - name: secure-connection + port: 9663 + protocol: TCP diff --git a/test/policy/mutate/policy_mutate_endpoint.yaml b/test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/policy.yaml similarity index 68% rename from test/policy/mutate/policy_mutate_endpoint.yaml rename to test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/policy.yaml index 58e214d387..a401dd951c 100644 --- a/test/policy/mutate/policy_mutate_endpoint.yaml +++ b/test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/policy.yaml @@ -1,17 +1,18 @@ -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : - name : policy-endpoints -spec : +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: policy-endpoints +spec: rules: - name: pEP match: - resources: - kinds : - - Endpoints + all: + - resources: + kinds: + - Endpoints selector: matchLabels: - label : test + label: test mutate: patchesJson6902: |- [ 
diff --git a/test/resources/resource_mutate_endpoint.yaml b/test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/resource.yaml similarity index 100% rename from test/resources/resource_mutate_endpoint.yaml rename to test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/resource.yaml diff --git a/test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/kyverno-test.yaml b/test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/kyverno-test.yaml new file mode 100644 index 0000000000..71dcfbfff3 --- /dev/null +++ b/test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/kyverno-test.yaml @@ -0,0 +1,12 @@ +name: mutate-pods-spec +policies: + - policy.yaml +resources: + - resource.yaml +results: + - policy: mutate-pods-spec + rule: disable-servicelink-and-token + resource: nginx-deployment + patchedresource: patchedresource.yaml + kind: Deployment + result: pass diff --git a/test/resources/resource_mutate_validate_qos.yaml b/test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/patchedresource.yaml similarity index 54% rename from test/resources/resource_mutate_validate_qos.yaml rename to test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/patchedresource.yaml index c02a3c6f5e..35fb2af487 100644 --- a/test/resources/resource_mutate_validate_qos.yaml +++ b/test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/patchedresource.yaml @@ -2,9 +2,10 @@ apiVersion: apps/v1 kind: Deployment metadata: creationTimestamp: "2020-09-21T12:56:35Z" - name: qos-demo + name: nginx-deployment labels: - test: qos + app: nginx + namespace: test-foo-aaaaaaaaa-bbbbbbbb spec: replicas: 1 selector: @@ -16,9 +17,10 @@ spec: labels: app: nginx spec: + enableServiceLinks: false + automountServiceAccountToken: false containers: - - name: nginx - image: nginx:latest - resources: - limits: - cpu: "50m" + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 
diff --git a/test/policy/mutate/policy_mutate_pod_spec.yaml b/test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/policy.yaml similarity index 61% rename from test/policy/mutate/policy_mutate_pod_spec.yaml rename to test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/policy.yaml index bc57ebfeb3..688d4788df 100644 --- a/test/policy/mutate/policy_mutate_pod_spec.yaml +++ b/test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/policy.yaml @@ -6,14 +6,15 @@ spec: rules: - name: "disable-servicelink-and-token" match: - resources: - kinds: - - DaemonSet - - Deployment - - Job - - StatefulSet - namespaces: - - test-foo-* + all: + - resources: + kinds: + - DaemonSet + - Deployment + - Job + - StatefulSet + namespaces: + - test-foo-* mutate: patchStrategicMerge: spec: diff --git a/test/resources/resource_mutate_pod_spec.yaml b/test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/resource.yaml similarity index 100% rename from test/resources/resource_mutate_pod_spec.yaml rename to test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/resource.yaml diff --git a/test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/kyverno-test.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/kyverno-test.yaml new file mode 100644 index 0000000000..6489456141 --- /dev/null +++ b/test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/kyverno-test.yaml @@ -0,0 +1,11 @@ +name: validate-default-proc-mount +policies: + - policy.yaml +resources: + - resource.yaml +results: + - policy: validate-default-proc-mount + rule: validate-default-proc-mount + resource: nginx-proc-mount + kind: Pod + result: pass \ No newline at end of file 
diff --git a/test/policy/validate/policy_validate_default_proc_mount.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/policy.yaml similarity index 84% rename from test/policy/validate/policy_validate_default_proc_mount.yaml rename to test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/policy.yaml index 945200c8c4..6d6c719bb6 100644 --- a/test/policy/validate/policy_validate_default_proc_mount.yaml +++ b/test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/policy.yaml @@ -7,9 +7,10 @@ spec: rules: - name: validate-default-proc-mount match: - resources: - kinds: - - Pod + all: + - resources: + kinds: + - Pod validate: message: "Default proc mount should set to Unmasked" pattern: diff --git a/test/resources/resource_validate_default_proc_mount.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/resource.yaml similarity index 100% rename from test/resources/resource_validate_default_proc_mount.yaml rename to test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/resource.yaml diff --git a/test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/kyverno-test.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/kyverno-test.yaml new file mode 100644 index 0000000000..220fd5443e --- /dev/null +++ b/test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/kyverno-test.yaml @@ -0,0 +1,11 @@ +name: validate-disallow-default-serviceaccount +policies: + - policy.yaml +resources: + - resource.yaml +results: + - policy: validate-disallow-default-serviceaccount + rule: prevent-mounting-default-serviceaccount + resource: pod-with-default-sa + kind: Pod + result: fail \ No newline at end of file 
diff --git a/test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/policy.yaml similarity index 67% rename from test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml rename to test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/policy.yaml index e07e32e1d8..dd926609e6 100644 --- a/test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml +++ b/test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/policy.yaml @@ -6,13 +6,15 @@ spec: rules: - name: prevent-mounting-default-serviceaccount exclude: - resources: - namespaces: - - kube-system + all: + - resources: + namespaces: + - kube-system match: - resources: - kinds: - - Pod + all: + - resources: + kinds: + - Pod validate: message: "Prevent mounting of default service account" pattern: diff --git a/test/resources/disallow_automountingapicred.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/resource.yaml similarity index 64% rename from test/resources/disallow_automountingapicred.yaml rename to test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/resource.yaml index 301afe5493..00897c4a36 100644 --- a/test/resources/disallow_automountingapicred.yaml +++ b/test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/resource.yaml @@ -1,12 +1,11 @@ apiVersion: v1 kind: Pod metadata: - name: myapp-pod + name: pod-with-default-sa labels: - app: myapp + app: pod-with-default-sa spec: serviceAccountName: default - automountServiceAccountToken: false containers: - name: nginx image: nginx \ No newline at end of file 
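Review bot: The migrated fixture only exercises the rejection path: dropping `automountServiceAccountToken: false` from the former `disallow_automountingapicred.yaml` turns what looks like the old pass case into the single `result: fail` entry in kyverno-test.yaml, so the rule is never shown accepting a compliant pod. Keep this resource as the negative case and add a second Pod (e.g. `automountServiceAccountToken: false`, or a non-default `serviceAccountName`) with `result: pass`, so a regression that makes the rule reject everything is caught. The validate pattern itself is outside the hunk, so which of those two shapes the rule actually accepts should be confirmed against it.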
diff --git a/test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/kyverno-test.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/kyverno-test.yaml new file mode 100644 index 0000000000..7b7d2ee1a2 --- /dev/null +++ b/test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/kyverno-test.yaml @@ -0,0 +1,16 @@ +name: check-probe-exists +policies: + - policy.yaml +resources: + - resource.yaml +results: + - policy: check-probe-exists + rule: check-readinessProbe-exists + resource: probe + kind: Pod + result: pass + - policy: check-probe-exists + rule: check-livenessProbe-exists + resource: probe + kind: Pod + result: pass \ No newline at end of file diff --git a/test/policy/validate/policy_validate_healthChecks.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/policy.yaml similarity index 70% rename from test/policy/validate/policy_validate_healthChecks.yaml rename to test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/policy.yaml index dc8f03c736..fdd9c5e62f 100644 --- a/test/policy/validate/policy_validate_healthChecks.yaml +++ b/test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/policy.yaml @@ -1,14 +1,15 @@ -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: name: check-probe-exists spec: rules: - name: check-readinessProbe-exists match: - resources: - kinds : - - Pod + all: + - resources: + kinds: + - Pod validate: message: "readinessProbe is required" pattern: @@ -18,10 +19,11 @@ spec: readinessProbe: successThreshold: ">1" - name: check-livenessProbe-exists - match: - resources: - kinds : - - Pod + match: + all: + - resources: + kinds: + - Pod validate: message: "livenessProbe is required" pattern: @@ -32,4 +34,4 @@ spec: httpGet: path: "?*" port: "*" - scheme: "?*" + scheme: "?*" \ No newline at end of file 
diff --git a/test/resources/resource_validate_healthChecks.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/resource.yaml similarity index 100% rename from test/resources/resource_validate_healthChecks.yaml rename to test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/resource.yaml diff --git a/test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/kyverno-test.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/kyverno-test.yaml new file mode 100644 index 0000000000..b03c3de4ca --- /dev/null +++ b/test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/kyverno-test.yaml @@ -0,0 +1,11 @@ +name: validate-selinux-options +policies: + - policy.yaml +resources: + - resource.yaml +results: + - policy: validate-selinux-options + rule: validate-selinux-options + resource: busybox-selinux + kind: Pod + result: fail \ No newline at end of file diff --git a/test/policy/validate/policy_validate_selinux_context.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/policy.yaml similarity index 83% rename from test/policy/validate/policy_validate_selinux_context.yaml rename to test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/policy.yaml index 7e01f44171..d481936748 100644 --- a/test/policy/validate/policy_validate_selinux_context.yaml +++ b/test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/policy.yaml @@ -7,9 +7,10 @@ spec: rules: - name: validate-selinux-options match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: message: "SELinux level is required" pattern: @@ -17,7 +18,7 @@ spec: containers: - securityContext: seLinuxOptions: - level: "*" + level: "?*" # level: "s0:c25,c968" # If SELinux security module is loaded on the host operating system, # we can make sure pods only have access to specified configured level \ No newline at end of file 
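Review bot: Changing `level: "*"` to `level: "?*"` is a semantic change buried in a test migration: `*` accepts an empty string while `?*` requires at least one character, and the `result: fail` in the new kyverno-test.yaml presumably depends on it. A one-line comment next to the pattern, `# "?*" rejects an empty level; "*" would accept it`, would keep the tightening from being "fixed" back later. This policy also uses `match.any` while the sibling policies migrated in the same commit use `match.all`; for a single-entry list they are equivalent, but one form across the directory would be cleaner. Note the pattern only inspects `spec.containers`, so `initContainers` and a pod-level `securityContext.seLinuxOptions` are not covered by this rule.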
diff --git a/test/resources/resource_validate_selinux_context.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/resource.yaml similarity index 100% rename from test/resources/resource_validate_selinux_context.yaml rename to test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/resource.yaml diff --git a/test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/kyverno-test.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/kyverno-test.yaml new file mode 100644 index 0000000000..d15f46d3cd --- /dev/null +++ b/test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/kyverno-test.yaml @@ -0,0 +1,11 @@ +name: validate-volumes-whitelist +policies: + - policy.yaml +resources: + - resource.yaml +results: +- policy: validate-volumes-whitelist + rule: validate-volumes-whitelist + resource: test-volumes + kind: Pod + result: pass diff --git a/test/policy/validate/policy_validate_volume_whitelist.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/policy.yaml similarity index 67% rename from test/policy/validate/policy_validate_volume_whitelist.yaml rename to test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/policy.yaml index f5a1950cf9..83d29af5b7 100644 --- a/test/policy/validate/policy_validate_volume_whitelist.yaml +++ b/test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/policy.yaml @@ -1,4 +1,4 @@ -apiVersion : kyverno.io/v1 +apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: validate-volumes-whitelist @@ -7,11 +7,12 @@ spec: rules: - name: validate-volumes-whitelist match: - resources: - kinds: - - Pod + any: + - resources: + kinds: + - Pod validate: - message: "Volumes white list" + message: "Volume type is not of type hostPath, emptyDir, or configMap." anyPattern: - spec: volumes: @@ -22,7 +23,3 @@ spec: - spec: volumes: - configMap: "*" - - - - 
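Review bot: The new message spells out that `hostPath` is on the allow-list, which for a sample called a volume "whitelist" is the permissive choice — hostPath is the volume type most restrictive pod policies (the PSS baseline, for one) forbid outright, so a reader copying this sample should at least see a comment such as `# sample only: hostPath grants host filesystem access and should not be allowed in production`. Separately, each `anyPattern` branch lists a single volume type; if Kyverno applies a one-element list pattern to every element of `spec.volumes` (as I believe it does), a pod mixing an emptyDir and a configMap matches no branch and is rejected, which the message would not explain — a fixture with mixed volumes would confirm the intended behaviour either way. Minor wording: `Volume type is not of type …` reads better as `Volume type must be one of hostPath, emptyDir, or configMap`.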
diff --git a/test/resources/resource_validate_volume_whitelist.yaml b/test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/resource.yaml similarity index 100% rename from test/resources/resource_validate_volume_whitelist.yaml rename to test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/resource.yaml diff --git a/test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/kyverno-test.yaml b/test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/kyverno-test.yaml new file mode 100644 index 0000000000..4c4adc26dd --- /dev/null +++ b/test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/kyverno-test.yaml @@ -0,0 +1,11 @@ +name: restrict-ingress-classes +policies: + - policy.yaml +resources: + - resource.yaml +results: + - policy: restrict-ingress-classes + rule: validate-ingress + resource: test-ingress + kind: Ingress + result: pass \ No newline at end of file diff --git a/test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/policy.yaml b/test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/policy.yaml new file mode 100644 index 0000000000..6d1c125177 --- /dev/null +++ b/test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/policy.yaml @@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-ingress-classes + annotations: + policies.kyverno.io/category: Workload Management + policies.kyverno.io/description: It can be useful to restrict Ingress resources to a set of + known ingress classes that are allowed in the cluster. You can customize this policy to + allow ingress classes that are configured in the cluster. +spec: + rules: + - name: validate-ingress + match: + any: + - resources: + kinds: + - Ingress + validate: + message: "Unknown ingress class" + pattern: + metadata: + annotations: + kubernetes.io/ingress.class: "F5 | nginx" 
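Review bot: The pattern in policy.yaml only constrains the deprecated `kubernetes.io/ingress.class` annotation, so an Ingress carrying an allowed annotation value but also setting `spec.ingressClassName` to another controller satisfies the policy while potentially being served by a controller it meant to exclude, and an Ingress that uses only `spec.ingressClassName` is rejected outright because the pattern requires the annotation key to exist. The sample should constrain `spec.ingressClassName` as well, or state in its description that it covers the annotation only. Whether a given controller honours `spec.ingressClassName` over the annotation is controller-specific, so the bypass is a risk rather than a certainty. The only fixture kept for this scenario is the nginx pass case — `ingress-haproxy.yaml` and the `unknown_ingress_class.yaml` scenario are deleted in this commit — so the migrated test never shows the rule rejecting anything; re-adding the haproxy Ingress with `result: fail` would restore that coverage.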
diff --git a/test/resources/ingress-nginx.yaml b/test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/resource.yaml similarity index 100% rename from test/resources/ingress-nginx.yaml rename to test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/resource.yaml diff --git a/test/policy/mutate/policy_mutate_validate_qos.yaml b/test/policy/mutate/policy_mutate_validate_qos.yaml deleted file mode 100644 index a5d49030e5..0000000000 --- a/test/policy/mutate/policy_mutate_validate_qos.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion : kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: policy-qos -spec: -# validationFailureAction: "audit" - rules: - - name: add-memory-limit - match: - resources: - kinds: - - Deployment - selector : - matchLabels: - test: qos - mutate: - patchStrategicMerge: - spec: - template: - spec: - containers: - # the wildcard * will match all containers in the list - - (name): "*" - resources: - limits: - # add memory limit if it is not exist - "+(memory)": "300Mi" - "+(cpu)": "100" - - name: check-cpu-memory-limits - match: - resources: - kinds: - - Deployment - selector : - matchLabels: - test: qos - validate: - message: "Resource limits are required for CPU and memory" - pattern: - spec: - template: - spec: - containers: - # match all containers - - (name): "*" - resources: - limits: - # cpu and memory are required - memory: "?*" - cpu: "?*" diff --git a/test/resources/disallow_host_filesystem.yaml b/test/resources/disallow_host_filesystem.yaml deleted file mode 100644 index 17fea26480..0000000000 --- a/test/resources/disallow_host_filesystem.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: "v1" -kind: "Pod" -metadata: - name: "image-with-hostpath" - labels: - app.type: "prod" - namespace: "my-namespace" -spec: - containers: - - name: "image-with-hostpath" - image: "docker.io/nautiker/curl" - volumeMounts: - - name: "var-lib-etcd" - mountPath: "/var/lib" - volumes: - - name: "var-lib-etcd" - hostPath: - path: "/var/lib" \ No newline at end of file diff --git a/test/resources/disallow_host_filesystem_pass.yaml b/test/resources/disallow_host_filesystem_pass.yaml deleted file mode 100644 index 8cf7113715..0000000000 --- a/test/resources/disallow_host_filesystem_pass.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: "v1" -kind: "Pod" -metadata: - name: "image-with-hostpath" - labels: - app.type: "prod" - namespace: "my-namespace" -spec: - containers: - - name: "image-with-hostpath" - image: "docker.io/nautiker/curl" - volumeMounts: - - name: "var-lib-etcd" - mountPath: "/var/lib" - volumes: - - name: "var-lib-etcd" - emptyDir: {} \ No newline at end of file diff --git a/test/resources/disallow_host_network_hostport.yaml b/test/resources/disallow_host_network_hostport.yaml deleted file mode 100644 index c1a4ef412a..0000000000 --- a/test/resources/disallow_host_network_hostport.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: nginx-host-network -spec: - hostNetwork: false - containers: - - name: nginx-host-network - image: nginx - ports: - - containerPort: 80 - hostPort: 80 \ No newline at end of file diff --git a/test/resources/disallow_hostpid_hostipc.yaml b/test/resources/disallow_hostpid_hostipc.yaml deleted file mode 100644 index cd97c891ec..0000000000 --- a/test/resources/disallow_hostpid_hostipc.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: nginx-with-hostpid -spec: - hostPID: false - hostIPC: true - containers: - - name: nginx - image: nginx 
diff --git a/test/resources/disallow_privileged.yaml b/test/resources/disallow_privileged.yaml deleted file mode 100644 index 983e5463a5..0000000000 --- a/test/resources/disallow_privileged.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: check-privileged-cfg -spec: - containers: - - name: check-privileged-cfg - image: nginxinc/nginx-unprivileged - securityContext: - allowPrivilegeEscalation: true - privileged: true diff --git a/test/resources/ingress-haproxy.yaml b/test/resources/ingress-haproxy.yaml deleted file mode 100644 index 0c778ca2ef..0000000000 --- a/test/resources/ingress-haproxy.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: test-ingress - annotations: - kubernetes.io/ingress.class: haproxy -spec: - rules: - - http: - paths: - - path: /testpath - backend: - serviceName: test - servicePort: 80 diff --git a/test/resources/pod-with-default-volume.yaml b/test/resources/pod-with-default-volume.yaml deleted file mode 100644 index e5923a9d4b..0000000000 --- a/test/resources/pod-with-default-volume.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-default-volume - creationTimestamp: "2020-09-21T12:56:35Z" -spec: - containers: - - image: registry.k8s.io/test-webserver - name: test-container - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: default-token-wkknl - readOnly: true - volumes: - - name: default-token-wkknl - secret: - defaultMode: 420 - secretName: default-token-wkknl \ No newline at end of file diff --git a/test/resources/pod-with-emptydir.yaml b/test/resources/pod-with-emptydir.yaml deleted file mode 100644 index dceae47f3b..0000000000 --- a/test/resources/pod-with-emptydir.yaml +++ /dev/null 
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod-with-emptydir
-spec:
- containers:
- - image: registry.k8s.io/test-webserver
- name: test-container
- volumeMounts:
- - mountPath: /cache
- name: cache-volume
- volumes:
- - name: cache-volume
- emptyDir: {}
diff --git a/test/resources/pod-with-hostpath.yaml b/test/resources/pod-with-hostpath.yaml
deleted file mode 100644
index 45696c9cbe..0000000000
--- a/test/resources/pod-with-hostpath.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod-with-hostpath
- annotations:
-spec:
- containers:
- - image: registry.k8s.io/test-webserver
- name: test-container
- volumeMounts:
- - mountPath: /tmp/foo
- name: host-volume
- volumes:
- - name: host-volume
- hostPath:
- path: "/tmp/foo"
diff --git a/test/resources/require_default_network_policy.yaml b/test/resources/require_default_network_policy.yaml
deleted file mode 100644
index f2b52db070..0000000000
--- a/test/resources/require_default_network_policy.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-kind: Namespace
-apiVersion: v1
-metadata:
- name: "devtest"
\ No newline at end of file
diff --git a/test/resources/require_namespace_quota.yaml b/test/resources/require_namespace_quota.yaml
deleted file mode 100644
index 5d2e46b373..0000000000
--- a/test/resources/require_namespace_quota.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-kind: Namespace
-apiVersion: v1
-metadata:
- name: "test-namespace-quota"
\ No newline at end of file
diff --git a/test/resources/resource_validate_sysctl_configs.yaml b/test/resources/resource_validate_sysctl_configs.yaml
deleted file mode 100644
index 15e5464038..0000000000
--- a/test/resources/resource_validate_sysctl_configs.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: nginx
- labels:
- name: nginx
-spec:
- containers:
- - name: nginx
- image: nginx
- ports:
- - containerPort: 80
- securityContext:
- sysctls:
- - name: net.ipv4.ip_local_port_range
- value: "50 65535"
\ No newline at end of file
diff --git a/test/scenarios/other/scenario_mutate_endpoint.yaml b/test/scenarios/other/scenario_mutate_endpoint.yaml
deleted file mode 100644
index 25145405da..0000000000
--- a/test/scenarios/other/scenario_mutate_endpoint.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# file path relative to project root
-input:
- policy: test/policy/mutate/policy_mutate_endpoint.yaml
- resource: test/resources/resource_mutate_endpoint.yaml
-expected:
- mutation:
- patchedresource: test/output/output_mutate_endpoint.yaml
- policyresponse:
- policy:
- namespace: ''
- name: policy-endpoints
- resource:
- kind: Endpoints
- apiVersion: v1
- namespace: ''
- name: test-endpoint
- rules:
- - name: pEP
- type: Mutation
- status: pass
- message: mutated Endpoints/test-endpoint
diff --git a/test/scenarios/other/scenario_mutate_pod_spec.yaml b/test/scenarios/other/scenario_mutate_pod_spec.yaml
deleted file mode 100644
index bf7007f831..0000000000
--- a/test/scenarios/other/scenario_mutate_pod_spec.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# file path relative to project root
-input:
- policy: test/policy/mutate/policy_mutate_pod_spec.yaml
- resource: test/resources/resource_mutate_pod_spec.yaml
-expected:
- mutation:
- patchedresource: test/output/output_mutate_pod_spec.yaml
- policyresponse:
- policy:
- name: mutate-pods-spec
- resource:
- kind: Deployment
- apiVersion: apps/v1
- namespace: test-foo-aaaaaaaaa-bbbbbbbb
- name: nginx-deployment
- rules:
- - name: disable-servicelink-and-token
- type: Mutation
- status: pass
- message: mutated Deployment/nginx-deployment in namespace test-foo-aaaaaaaaa-bbbbbbbb
\ No newline at end of file
diff --git a/test/scenarios/other/scenario_mutate_validate_qos.yaml b/test/scenarios/other/scenario_mutate_validate_qos.yaml
deleted file mode 100644
index 25f933cee0..0000000000
--- a/test/scenarios/other/scenario_mutate_validate_qos.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-# file path is relative to project root
-input:
- policy: test/policy/mutate/policy_mutate_validate_qos.yaml
- resource: test/resources/resource_mutate_validate_qos.yaml
-expected:
- mutation:
- patchedresource: test/output/output_mutate_validate_qos.yaml
- policyresponse:
- policy:
- namespace: ''
- name: policy-qos
- resource:
- kind: Deployment
- apiVersion: apps/v1
- namespace: ''
- name: qos-demo
- rules:
- - name: add-memory-limit
- type: Mutation
- status: pass
- message: mutated Deployment/qos-demo
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: policy-qos
- resource:
- kind: Deployment
- apiVersion: apps/v1
- namespace: ''
- name: qos-demo
- rules:
- - name: check-cpu-memory-limits
- type: Validation
- message: validation rule 'check-cpu-memory-limits' passed.
- status: pass
\ No newline at end of file
diff --git a/test/scenarios/other/scenario_validate_default_proc_mount.yaml b/test/scenarios/other/scenario_validate_default_proc_mount.yaml
deleted file mode 100644
index 0a32ba778b..0000000000
--- a/test/scenarios/other/scenario_validate_default_proc_mount.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-
-# file path relative to project root
-input:
- policy: test/policy/validate/policy_validate_default_proc_mount.yaml
- resource: test/resources/resource_validate_default_proc_mount.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: validate-default-proc-mount
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: nginx-proc-mount
- rules:
- - name: validate-default-proc-mount
- type: Validation
- message: "validation rule 'validate-default-proc-mount' passed."
- status: pass
\ No newline at end of file
diff --git a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml
deleted file mode 100644
index 636ac9290f..0000000000
--- a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# file path relative to project root
-input:
- policy: test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml
- resource: test/resources/resource_validate_disallow_default_serviceaccount.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: validate-disallow-default-serviceaccount
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: pod-with-default-sa
- rules:
- - name: prevent-mounting-default-serviceaccount
- type: Validation
- message: "validation error: Prevent mounting of default service account. rule prevent-mounting-default-serviceaccount failed at path /spec/serviceAccountName/"
- status: fail
\ No newline at end of file
diff --git a/test/scenarios/other/scenario_validate_healthChecks.yaml b/test/scenarios/other/scenario_validate_healthChecks.yaml
deleted file mode 100644
index 7f73be242f..0000000000
--- a/test/scenarios/other/scenario_validate_healthChecks.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# file path relative to project root
-input:
- policy: test/policy/validate/policy_validate_healthChecks.yaml
- resource: test/resources/resource_validate_healthChecks.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: check-probe-exists
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: probe
- rules:
- - name: check-readinessProbe-exists
- type: Validation
- message: validation rule 'check-readinessProbe-exists' passed.
- status: pass
- - name: check-livenessProbe-exists
- type: Validation
- message: validation rule 'check-livenessProbe-exists' passed.
- status: pass
diff --git a/test/scenarios/other/scenario_validate_selinux_context.yaml b/test/scenarios/other/scenario_validate_selinux_context.yaml
deleted file mode 100644
index fbff77d02b..0000000000
--- a/test/scenarios/other/scenario_validate_selinux_context.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-
-# file path relative to project root
-input:
- policy: test/policy/validate/policy_validate_selinux_context.yaml
- resource: test/resources/resource_validate_selinux_context.yaml
-expected:
- validation:
- policyresponse:
- policy:
- name: validate-selinux-options
- resource:
- kind: Pod
- apiVersion: v1
- namespace: default
- name: busybox-selinux
- rules:
- - name: validate-selinux-options
- type: Validation
- message: "validation error: SELinux level is required. rule validate-selinux-options failed at path /spec/containers/0/securityContext/seLinuxOptions/"
- status: fail
\ No newline at end of file
diff --git a/test/scenarios/other/scenario_validate_volume_whiltelist.yaml b/test/scenarios/other/scenario_validate_volume_whiltelist.yaml
deleted file mode 100644
index 14ddacdbff..0000000000
--- a/test/scenarios/other/scenario_validate_volume_whiltelist.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-
-# file path relative to project root
-input:
- policy: test/policy/validate/policy_validate_volume_whitelist.yaml
- resource: test/resources/resource_validate_volume_whitelist.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: validate-volumes-whitelist
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: test-volumes
- rules:
- - name: validate-volumes-whitelist
- type: Validation
- message: "validation rule 'validate-volumes-whitelist' anyPattern[2] passed."
- status: pass
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/add_networkPolicy.yaml b/test/scenarios/samples/best_practices/add_networkPolicy.yaml
deleted file mode 100644
index eb3ff0823e..0000000000
--- a/test/scenarios/samples/best_practices/add_networkPolicy.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# file path relative to project root
-input:
- policy: test/best_practices/add_network_policy.yaml
- resource: test/resources/require_default_network_policy.yaml
-expected:
- generation:
- generatedResources:
- - name: default-deny-ingress
- kind: NetworkPolicy
- namespace: devtest
- policyresponse:
- policy:
- namespace: ''
- name: add-networkpolicy
- resource:
- kind: Namespace
- apiVersion: v1
- namespace: ''
- name: devtest
- rules:
- - name: default-deny-ingress
- type: Generation
- status: pass
- message: created resource NetworkPolicy/devtest/default-deny-ingress
diff --git a/test/scenarios/samples/best_practices/add_ns_quota.yaml b/test/scenarios/samples/best_practices/add_ns_quota.yaml
deleted file mode 100644
index 2119b2a656..0000000000
--- a/test/scenarios/samples/best_practices/add_ns_quota.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# file path relative to project root
-input:
- policy: test/best_practices/add_ns_quota.yaml
- resource: test/resources/require_namespace_quota.yaml
-expected:
- generation:
- generatedResources:
- - name: default-resourcequota
- kind: ResourceQuota
- namespace: test-namespace-quota
- policyresponse:
- policy:
- namespace: ''
- name: add-ns-quota
- resource:
- kind: Namespace
- apiVersion: v1
- namespace: ''
- name: test-namespace-quota
- rules:
- - name: generate-resourcequota
- type: Generation
- status: pass
- - name: generate-limitrange
- type: Generation
- status: pass
diff --git a/test/scenarios/samples/best_practices/add_safe_to_evict.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict.yaml
deleted file mode 100644
index b9703a3e9d..0000000000
--- a/test/scenarios/samples/best_practices/add_safe_to_evict.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# file path is relative to project root
-input:
- policy: test/best_practices/add_safe_to_evict.yaml
- resource: test/resources/pod-with-emptydir.yaml
-expected:
- mutation:
- patchedresource: test/output/pod-with-emptydir.yaml
- policyresponse:
- policy:
- namespace: ''
- name: add-safe-to-evict
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: pod-with-emptydir
- rules:
- - name: annotate-empty-dir
- type: Mutation
- status: pass
- message: "mutated Pod/pod-with-emptydir"
- - name: annotate-host-path
- type: Mutation
- status: skip
- message: "no patches applied"
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
deleted file mode 100644
index 6c6c97d722..0000000000
--- a/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# file path is relative to project root
-input:
- policy: test/best_practices/add_safe_to_evict.yaml
- resource: test/resources/pod-with-hostpath.yaml
-expected:
- mutation:
- patchedresource: test/output/pod-with-hostpath.yaml
- policyresponse:
- policy:
- namespace: ''
- name: add-safe-to-evict
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: pod-with-hostpath
- rules:
- - name: annotate-empty-dir
- type: Mutation
- status: skip
- message: "no patches applied"
- - name: annotate-host-path
- type: Mutation
- status: pass
- message: "mutated Pod/pod-with-hostpath"
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/add_safe_to_evict3.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict3.yaml
deleted file mode 100644
index e181283bf1..0000000000
--- a/test/scenarios/samples/best_practices/add_safe_to_evict3.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# file path is relative to project root
-input:
- policy: test/best_practices/add_safe_to_evict.yaml
- resource: test/resources/pod-with-default-volume.yaml
-expected:
- mutation:
- patchedresource: test/output/pod-with-default-volume.yaml
- policyresponse:
- policy:
- namespace: ''
- name: add-safe-to-evict
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: pod-with-default-volume
- rules:
- - name: annotate-empty-dir
- type: Mutation
- status: skip
- message: "no patches applied"
- - name: annotate-host-path
- type: Mutation
- status: skip
- message: "no patches applied"
-
-
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml b/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml
deleted file mode 100644
index f2505cb9b8..0000000000
--- a/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# file path relative to project root
-input:
- policy: test/best_practices/disallow_bind_mounts.yaml
- resource: test/resources/disallow_host_filesystem.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: disallow-bind-mounts
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: image-with-hostpath
- rules:
- - name: validate-hostPath
- message: "validation error: Host path volumes are not allowed. rule validate-hostPath failed at path /spec/volumes/0/hostPath/"
- type: Validation
- status: fail
diff --git a/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml b/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml
deleted file mode 100644
index ec46f5519d..0000000000
--- a/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
- policy: test/best_practices/disallow_bind_mounts.yaml
- resource: test/resources/disallow_host_filesystem_pass.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: disallow-bind-mounts
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: image-with-hostpath
- rules:
- - name: validate-hostPath
- type: Validation
- status: pass
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/disallow_host_network_port.yaml b/test/scenarios/samples/best_practices/disallow_host_network_port.yaml
deleted file mode 100644
index 951fe703a1..0000000000
--- a/test/scenarios/samples/best_practices/disallow_host_network_port.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# file path relative to project root
-input:
- policy: test/best_practices/disallow_host_network_port.yaml
- resource: test/resources/disallow_host_network_hostport.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: disallow-host-network-port
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: "nginx-host-network"
- rules:
- - name: validate-host-network
- type: Validation
- status: pass
- - name: validate-host-port
- type: Validation
- status: fail
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml b/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml
deleted file mode 100644
index f91881b9b5..0000000000
--- a/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
- policy: test/best_practices/disallow_host_pid_ipc.yaml
- resource: test/resources/disallow_hostpid_hostipc.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: disallow-host-pid-ipc
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: "nginx-with-hostpid"
- rules:
- - name: validate-hostPID-hostIPC
- type: Validation
- status: fail
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/disallow_priviledged.yaml b/test/scenarios/samples/best_practices/disallow_priviledged.yaml
deleted file mode 100644
index f3612c8292..0000000000
--- a/test/scenarios/samples/best_practices/disallow_priviledged.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# file path relative to project root
-input:
- policy: test/best_practices/disallow_privileged.yaml
- resource: test/resources/disallow_privileged.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: disallow-privileged
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: check-privileged-cfg
- rules:
- - name: validate-privileged
- type: Validation
- status: fail
- - name: validate-allowPrivilegeEscalation
- type: Validation
- status: fail
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/disallow_sysctls.yaml b/test/scenarios/samples/best_practices/disallow_sysctls.yaml
deleted file mode 100644
index 8b18ac01df..0000000000
--- a/test/scenarios/samples/best_practices/disallow_sysctls.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-
-# file path relative to project root
-input:
- policy: test/best_practices/disallow_sysctls.yaml
- resource: test/resources/resource_validate_sysctl_configs.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: disallow-sysctls
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: nginx
- rules:
- - name: validate-sysctls
- type: Validation
- status: fail
\ No newline at end of file
diff --git a/test/scenarios/samples/more/restrict_automount_sa_token.yaml b/test/scenarios/samples/more/restrict_automount_sa_token.yaml
deleted file mode 100644
index 0dabe29a84..0000000000
--- a/test/scenarios/samples/more/restrict_automount_sa_token.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
- policy: test/more/restrict_automount_sa_token.yaml
- resource: test/resources/disallow_automountingapicred.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: restrict-automount-sa-token
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: myapp-pod
- rules:
- - name: validate-automountServiceAccountToken
- type: Validation
- status: pass
\ No newline at end of file
diff --git a/test/scenarios/samples/more/restrict_ingress_classes.yaml b/test/scenarios/samples/more/restrict_ingress_classes.yaml
deleted file mode 100644
index 9bd0be41f8..0000000000
--- a/test/scenarios/samples/more/restrict_ingress_classes.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
- policy: test/more/restrict_ingress_classes.yaml
- resource: test/resources/ingress-nginx.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: restrict-ingress-classes
- resource:
- kind: Ingress
- apiVersion: v1
- namespace: ''
- name: test-ingress
- rules:
- - name: validate-ingress
- type: Validation
- status: pass
\ No newline at end of file
diff --git a/test/scenarios/samples/more/unknown_ingress_class.yaml b/test/scenarios/samples/more/unknown_ingress_class.yaml
deleted file mode 100644
index cd1d172250..0000000000
--- a/test/scenarios/samples/more/unknown_ingress_class.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
- policy: test/more/restrict_ingress_classes.yaml
- resource: test/resources/ingress-haproxy.yaml
-expected:
- validation:
- policyresponse:
- policy:
- namespace: ''
- name: restrict-ingress-classes
- resource:
- kind: Ingress
- apiVersion: v1
- namespace: ''
- name: test-ingress
- rules:
- - name: validate-ingress
- type: Validation
- status: fail
\ No newline at end of file