Migrated scenario based tests to CLI (#8055)

* migrated scenarios to cli and resolved conflicts

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Modified Makefile

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update Makefile

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Create patchedresource.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update kyverno-test.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Delete test/cli/scenarios_to_cli/other /scenario_mutate_validate_qos directory

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update kyverno-test.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Create patchedresource.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update policy.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update policy.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Makefile

@@ -688,7 +688,7 @@ test-kuttl: $(KUTTL) ## Run kuttl tests
 TEST_GIT_BRANCH ?= main
 
 .PHONY: test-cli
-test-cli: test-cli-policies test-cli-local test-cli-local-mutate test-cli-local-generate test-cli-test-case-selector-flag test-cli-registry ## Run all CLI tests
+test-cli: test-cli-policies test-cli-local test-cli-local-mutate test-cli-local-generate test-cli-test-case-selector-flag test-cli-registry test-cli-scenarios-to-cli ## Run all CLI tests
 
 .PHONY: test-cli-policies
 test-cli-policies: $(CLI_BIN)
@@ -715,6 +715,11 @@ test-cli-test-case-selector-flag: $(CLI_BIN)
 test-cli-registry: $(CLI_BIN)
 	@$(CLI_BIN) test ./test/cli/registry --registry
 
+.PHONY: test-cli-scenarios-to-cli
+test-cli-scenarios-to-cli: $(CLI_BIN)
+	@$(CLI_BIN) test ./test/cli/scenarios_to_cli --registry
+
+
 #############
 # HELM TEST #
 #############

test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/kyverno-test.yaml

@@ -0,0 +1,12 @@
+name: policy-endpoints
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+results:
+  - policy: policy-endpoints
+    rule: pEP
+    resource: test-endpoint
+    patchedresource: patchedresource.yaml
+    kind: Endpoints
+    result: pass

test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/patchedresource.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+  creationTimestamp: 
+  labels:
+    isMutated: 'true'
+    label: test
+  name: test-endpoint
+subsets:
+- addresses:
+  - ip: 192.168.10.171
+  ports:
+  - name: secure-connection
+    port: 9663
+    protocol: TCP

test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/policy.yaml

@@ -1,17 +1,18 @@
-apiVersion : kyverno.io/v1
+apiVersion: kyverno.io/v1
-kind : ClusterPolicy
+kind: ClusterPolicy
-metadata :
+metadata:
-  name : policy-endpoints
+  name: policy-endpoints
-spec :
+spec:
   rules:
     - name: pEP
       match:
-        resources:
+        all:
-          kinds : 
+        - resources:
-          - Endpoints
+            kinds:
+            - Endpoints
           selector:
             matchLabels:
-              label : test
+              label: test
       mutate:
         patchesJson6902: |-
           [

test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/kyverno-test.yaml

@@ -0,0 +1,12 @@
+name: mutate-pods-spec
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+results:
+  - policy: mutate-pods-spec
+    rule: disable-servicelink-and-token
+    resource: nginx-deployment
+    patchedresource: patchedresource.yaml
+    kind: Deployment
+    result: pass

test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/patchedresource.yaml

@@ -2,9 +2,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   creationTimestamp: "2020-09-21T12:56:35Z"
-  name: qos-demo
+  name: nginx-deployment
   labels:
-    test: qos
+    app: nginx
+  namespace: test-foo-aaaaaaaaa-bbbbbbbb
 spec:
   replicas: 1
   selector:
@@ -16,9 +17,10 @@ spec:
       labels:
         app: nginx
     spec:
+      enableServiceLinks: false
+      automountServiceAccountToken: false
       containers:
-      - name: nginx
+        - name: nginx
-        image: nginx:latest
+          image: nginx:1.14.2
-        resources:
+          ports:
-          limits:
+            - containerPort: 80
-            cpu: "50m"

test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/policy.yaml

@@ -6,14 +6,15 @@ spec:
   rules:
     - name: "disable-servicelink-and-token"
       match:
-        resources:
+        all:
-          kinds:
+        - resources:
-            - DaemonSet
+              kinds:
-            - Deployment
+                - DaemonSet
-            - Job
+                - Deployment
-            - StatefulSet
+                - Job
-          namespaces:
+                - StatefulSet
-            - test-foo-*
+              namespaces:
+                - test-foo-*
       mutate:
         patchStrategicMerge:
           spec:

test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/kyverno-test.yaml

@@ -0,0 +1,11 @@
+name: validate-default-proc-mount
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+results:
+  - policy: validate-default-proc-mount
+    rule: validate-default-proc-mount
+    resource: nginx-proc-mount
+    kind: Pod
+    result: pass

test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/policy.yaml

@@ -7,9 +7,10 @@ spec:
   rules:
   - name: validate-default-proc-mount
     match:
-      resources:
+      all:
-        kinds:
+          - resources:
-        - Pod
+              kinds:
+                - Pod
     validate:
       message: "Default proc mount should set to Unmasked"
       pattern:

test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/kyverno-test.yaml

@@ -0,0 +1,11 @@
+name: validate-disallow-default-serviceaccount
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+results:
+  - policy: validate-disallow-default-serviceaccount
+    rule: prevent-mounting-default-serviceaccount
+    resource: pod-with-default-sa
+    kind: Pod
+    result: fail

test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/policy.yaml

@@ -6,13 +6,15 @@ spec:
   rules:
   - name: prevent-mounting-default-serviceaccount
     exclude:
-      resources:
+      all:
-        namespaces: 
+          - resources:
-        - kube-system
+              namespaces:
+                - kube-system
     match:
-      resources:
+      all:
-        kinds:
+        - resources:
-        - Pod
+            kinds:
+              - Pod
     validate:
       message: "Prevent mounting of default service account"
       pattern:

test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/resource.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: myapp-pod
+  name: pod-with-default-sa
   labels:
-    app: myapp
+    app: pod-with-default-sa
 spec: 
   serviceAccountName: default
-  automountServiceAccountToken: false
   containers:
   - name: nginx
     image: nginx

test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/kyverno-test.yaml

@@ -0,0 +1,16 @@
+name: check-probe-exists
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+results:
+  - policy: check-probe-exists
+    rule: check-readinessProbe-exists
+    resource: probe
+    kind: Pod
+    result: pass
+  - policy: check-probe-exists
+    rule: check-livenessProbe-exists
+    resource: probe
+    kind: Pod
+    result: pass

test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/policy.yaml

@@ -1,14 +1,15 @@
-apiVersion : kyverno.io/v1
+apiVersion: kyverno.io/v1
-kind : ClusterPolicy
+kind: ClusterPolicy
-metadata :
+metadata:
   name: check-probe-exists
 spec:
   rules:
   - name: check-readinessProbe-exists
     match:
-      resources:
+      all:
-        kinds :
+        - resources:
-        - Pod
+              kinds:
+                - Pod
     validate:
       message: "readinessProbe is required"
       pattern:
@@ -18,10 +19,11 @@ spec:
             readinessProbe:
               successThreshold: ">1"
   - name: check-livenessProbe-exists
-    match:    
+    match: 
-      resources:
+      all:   
-        kinds :
+        - resources:
-        - Pod
+              kinds:
+                - Pod
     validate:
       message: "livenessProbe is required"
       pattern:
@@ -32,4 +34,4 @@ spec:
               httpGet:
                 path: "?*"
                 port: "*"
-                scheme: "?*"
+                scheme: "?*"

test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/kyverno-test.yaml

@@ -0,0 +1,11 @@
+name: validate-selinux-options
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+results:
+  - policy: validate-selinux-options
+    rule: validate-selinux-options
+    resource: busybox-selinux
+    kind: Pod
+    result: fail

test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/policy.yaml

@@ -7,9 +7,10 @@ spec:
   rules:
   - name: validate-selinux-options
     match:
-      resources:
+       any:
-        kinds:
+          - resources:
-        - Pod
+              kinds:
+                - Pod
     validate:
       message: "SELinux level is required"
       pattern:
@@ -17,7 +18,7 @@ spec:
           containers:
           - securityContext:
               seLinuxOptions:
-                level: "*"
+                level: "?*"
 #                level: "s0:c25,c968"
 # If SELinux security module is loaded on the host operating system,
 # we can make sure pods only have access to specified configured level

test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/kyverno-test.yaml

@@ -0,0 +1,11 @@
+name: validate-volumes-whitelist
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+results:
+- policy: validate-volumes-whitelist
+  rule: validate-volumes-whitelist
+  resource: test-volumes
+  kind: Pod
+  result: pass

test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion : kyverno.io/v1
+apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
   name: validate-volumes-whitelist
@@ -7,11 +7,12 @@ spec:
   rules:
   - name: validate-volumes-whitelist
     match:
-      resources:
+      any:
-        kinds:
+        - resources:
-        - Pod
+              kinds:
+                - Pod
     validate:
-      message: "Volumes white list"
+      message: "Volume type is not of type hostPath, emptyDir, or configMap."
       anyPattern:
       - spec:
           volumes:
@@ -22,7 +23,3 @@ spec:
       - spec:
           volumes:
           - configMap: "*"
-
-
-
-

test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/kyverno-test.yaml

@@ -0,0 +1,11 @@
+name: restrict-ingress-classes
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+results:
+  - policy: restrict-ingress-classes
+    rule: validate-ingress
+    resource: test-ingress
+    kind: Ingress
+    result: pass

test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/policy.yaml

@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-ingress-classes
+  annotations:
+    policies.kyverno.io/category: Workload Management
+    policies.kyverno.io/description: It can be useful to restrict Ingress resources to a set of 
+      known ingress classes that are allowed in the cluster. You can customize this policy to 
+      allow ingress classes that are configured in the cluster.
+spec:
+  rules:
+  - name: validate-ingress
+    match:
+       any:
+          - resources:
+              kinds:
+                - Ingress
+    validate:
+      message: "Unknown ingress class"
+      pattern:
+        metadata:
+          annotations:
+            kubernetes.io/ingress.class: "F5 | nginx"

test/policy/mutate/policy_mutate_validate_qos.yaml

@@ -1,50 +0,0 @@
-apiVersion : kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: policy-qos
-spec:
-#  validationFailureAction: "audit"
-  rules:
-    - name: add-memory-limit
-      match:
-        resources:
-          kinds:
-          - Deployment
-          selector :
-            matchLabels:
-              test: qos
-      mutate:
-        patchStrategicMerge:
-          spec:
-            template:
-              spec:
-                containers:
-                  # the wildcard * will match all containers in the list
-                  - (name): "*"
-                    resources:
-                      limits:
-                        # add memory limit if it is not exist
-                        "+(memory)": "300Mi"  
-                        "+(cpu)": "100"
-    - name: check-cpu-memory-limits
-      match:
-        resources:
-          kinds:
-          - Deployment
-          selector :
-            matchLabels:
-              test: qos
-      validate:
-        message: "Resource limits are required for CPU and memory"
-        pattern:
-          spec:
-            template:
-              spec:
-                containers:
-                # match all containers
-                - (name): "*"
-                  resources:
-                    limits:
-                      # cpu and memory are required
-                      memory: "?*"
-                      cpu: "?*"

test/resources/disallow_host_filesystem.yaml

@@ -1,18 +0,0 @@
-apiVersion: "v1"
-kind: "Pod"
-metadata: 
-  name: "image-with-hostpath"
-  labels: 
-    app.type: "prod"
-    namespace: "my-namespace"
-spec: 
-  containers: 
-  - name: "image-with-hostpath"
-    image: "docker.io/nautiker/curl"
-    volumeMounts: 
-    - name: "var-lib-etcd"
-      mountPath: "/var/lib"
-  volumes: 
-  - name: "var-lib-etcd"
-    hostPath: 
-      path: "/var/lib"

test/resources/disallow_host_filesystem_pass.yaml

@@ -1,17 +0,0 @@
-apiVersion: "v1"
-kind: "Pod"
-metadata: 
-  name: "image-with-hostpath"
-  labels: 
-    app.type: "prod"
-    namespace: "my-namespace"
-spec: 
-  containers: 
-  - name: "image-with-hostpath"
-    image: "docker.io/nautiker/curl"
-    volumeMounts: 
-    - name: "var-lib-etcd"
-      mountPath: "/var/lib"
-  volumes: 
-  - name: "var-lib-etcd"
-    emptyDir: {}

test/resources/disallow_host_network_hostport.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: nginx-host-network
-spec:
-  hostNetwork: false
-  containers:
-  - name: nginx-host-network
-    image: nginx
-    ports:
-    - containerPort: 80
-      hostPort: 80

test/resources/disallow_hostpid_hostipc.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: nginx-with-hostpid
-spec:
-  hostPID: false
-  hostIPC: true
-  containers:
-  - name: nginx
-    image: nginx

test/resources/disallow_privileged.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: check-privileged-cfg
-spec:
-  containers:
-  - name: check-privileged-cfg
-    image: nginxinc/nginx-unprivileged
-    securityContext:
-      allowPrivilegeEscalation: true
-      privileged: true

test/resources/ingress-haproxy.yaml

@@ -1,14 +0,0 @@
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
-  name: test-ingress
-  annotations:
-    kubernetes.io/ingress.class: haproxy
-spec:
-  rules:
-  - http:
-      paths:
-      - path: /testpath
-        backend:
-          serviceName: test
-          servicePort: 80

test/resources/pod-with-default-volume.yaml

@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: pod-with-default-volume
-  creationTimestamp: "2020-09-21T12:56:35Z"
-spec:
-  containers:
-  - image: registry.k8s.io/test-webserver
-    name: test-container
-    volumeMounts:
-    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-      name: default-token-wkknl
-      readOnly: true
-  volumes:
-  - name: default-token-wkknl
-    secret:
-      defaultMode: 420
-      secretName: default-token-wkknl

test/resources/pod-with-emptydir.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: pod-with-emptydir
-spec:
-  containers:
-  - image: registry.k8s.io/test-webserver
-    name: test-container
-    volumeMounts:
-    - mountPath: /cache
-      name: cache-volume
-  volumes:
-  - name: cache-volume
-    emptyDir: {}

test/resources/pod-with-hostpath.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: pod-with-hostpath
-  annotations:
-spec:
-  containers:
-  - image: registry.k8s.io/test-webserver
-    name: test-container
-    volumeMounts:
-    - mountPath: /tmp/foo
-      name: host-volume
-  volumes:
-  - name: host-volume
-    hostPath:
-      path: "/tmp/foo"

test/resources/require_default_network_policy.yaml

@@ -1,4 +0,0 @@
-kind: Namespace
-apiVersion: v1
-metadata: 
-    name: "devtest"

test/resources/require_namespace_quota.yaml

@@ -1,4 +0,0 @@
-kind: Namespace
-apiVersion: v1
-metadata: 
-    name: "test-namespace-quota"

test/resources/resource_validate_sysctl_configs.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: nginx
-  labels:
-    name: nginx
-spec:
-  containers:
-  - name: nginx
-    image: nginx
-    ports:
-    - containerPort: 80
-  securityContext:
-    sysctls:
-    - name: net.ipv4.ip_local_port_range
-      value: "50 65535"

test/scenarios/other/scenario_mutate_endpoint.yaml

@@ -1,21 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/policy/mutate/policy_mutate_endpoint.yaml
-  resource: test/resources/resource_mutate_endpoint.yaml
-expected:
-  mutation:
-    patchedresource: test/output/output_mutate_endpoint.yaml
-    policyresponse:
-      policy:
-        namespace: ''
-        name: policy-endpoints
-      resource:
-        kind: Endpoints
-        apiVersion: v1
-        namespace: ''
-        name: test-endpoint
-      rules:
-        - name: pEP
-          type: Mutation
-          status: pass
-          message: mutated Endpoints/test-endpoint

test/scenarios/other/scenario_mutate_pod_spec.yaml

@@ -1,20 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/policy/mutate/policy_mutate_pod_spec.yaml
-  resource: test/resources/resource_mutate_pod_spec.yaml
-expected:
-  mutation:
-    patchedresource: test/output/output_mutate_pod_spec.yaml
-    policyresponse:
-      policy:
-        name: mutate-pods-spec
-      resource:
-        kind: Deployment
-        apiVersion: apps/v1
-        namespace: test-foo-aaaaaaaaa-bbbbbbbb
-        name: nginx-deployment
-      rules:
-        - name: disable-servicelink-and-token
-          type: Mutation
-          status: pass
-          message: mutated Deployment/nginx-deployment in namespace test-foo-aaaaaaaaa-bbbbbbbb

test/scenarios/other/scenario_mutate_validate_qos.yaml

@@ -1,36 +0,0 @@
-# file path is relative to project root
-input:
-  policy: test/policy/mutate/policy_mutate_validate_qos.yaml
-  resource: test/resources/resource_mutate_validate_qos.yaml
-expected:
-  mutation:
-    patchedresource: test/output/output_mutate_validate_qos.yaml
-    policyresponse:
-      policy:
-        namespace: ''
-        name: policy-qos
-      resource:
-        kind: Deployment
-        apiVersion: apps/v1
-        namespace: ''
-        name: qos-demo
-      rules:
-        - name: add-memory-limit
-          type: Mutation
-          status: pass
-          message: mutated Deployment/qos-demo
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: policy-qos
-      resource:
-        kind: Deployment
-        apiVersion: apps/v1
-        namespace: ''
-        name: qos-demo
-      rules:
-        - name: check-cpu-memory-limits
-          type: Validation
-          message: validation rule 'check-cpu-memory-limits' passed.
-          status: pass

test/scenarios/other/scenario_validate_default_proc_mount.yaml

@@ -1,21 +0,0 @@
-
-# file path relative to project root
-input:
-  policy: test/policy/validate/policy_validate_default_proc_mount.yaml
-  resource: test/resources/resource_validate_default_proc_mount.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: validate-default-proc-mount
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: nginx-proc-mount
-      rules:
-        - name: validate-default-proc-mount
-          type: Validation
-          message: "validation rule 'validate-default-proc-mount' passed."
-          status: pass

test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml

@@ -1,20 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml
-  resource: test/resources/resource_validate_disallow_default_serviceaccount.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: validate-disallow-default-serviceaccount
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: pod-with-default-sa
-      rules:
-        - name: prevent-mounting-default-serviceaccount
-          type: Validation
-          message: "validation error: Prevent mounting of default service account. rule prevent-mounting-default-serviceaccount failed at path /spec/serviceAccountName/"
-          status: fail

test/scenarios/other/scenario_validate_healthChecks.yaml

@@ -1,24 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/policy/validate/policy_validate_healthChecks.yaml
-  resource: test/resources/resource_validate_healthChecks.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: check-probe-exists
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: probe
-      rules:
-        - name: check-readinessProbe-exists
-          type: Validation
-          message: validation rule 'check-readinessProbe-exists' passed.
-          status: pass
-        - name: check-livenessProbe-exists
-          type: Validation
-          message: validation rule 'check-livenessProbe-exists' passed.
-          status: pass

test/scenarios/other/scenario_validate_selinux_context.yaml

@@ -1,20 +0,0 @@
-
-# file path relative to project root
-input:
-  policy: test/policy/validate/policy_validate_selinux_context.yaml
-  resource: test/resources/resource_validate_selinux_context.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        name: validate-selinux-options
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: default
-        name: busybox-selinux
-      rules:
-        - name: validate-selinux-options
-          type: Validation
-          message: "validation error: SELinux level is required. rule validate-selinux-options failed at path /spec/containers/0/securityContext/seLinuxOptions/"
-          status: fail

test/scenarios/other/scenario_validate_volume_whiltelist.yaml

@@ -1,21 +0,0 @@
-
-# file path relative to project root
-input:
-  policy: test/policy/validate/policy_validate_volume_whitelist.yaml
-  resource: test/resources/resource_validate_volume_whitelist.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: validate-volumes-whitelist
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: test-volumes
-      rules:
-        - name: validate-volumes-whitelist
-          type: Validation
-          message: "validation rule 'validate-volumes-whitelist' anyPattern[2] passed."
-          status: pass

test/scenarios/samples/best_practices/add_networkPolicy.yaml

@@ -1,24 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/best_practices/add_network_policy.yaml
-  resource: test/resources/require_default_network_policy.yaml
-expected:
-  generation:
-    generatedResources:
-      - name: default-deny-ingress
-        kind: NetworkPolicy
-        namespace: devtest
-    policyresponse:
-      policy:
-        namespace: ''
-        name: add-networkpolicy
-      resource:
-        kind: Namespace
-        apiVersion: v1
-        namespace: ''
-        name: devtest
-      rules:
-        - name: default-deny-ingress
-          type: Generation
-          status: pass
-          message: created resource NetworkPolicy/devtest/default-deny-ingress

test/scenarios/samples/best_practices/add_ns_quota.yaml

@@ -1,26 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/best_practices/add_ns_quota.yaml
-  resource: test/resources/require_namespace_quota.yaml
-expected:
-  generation:
-    generatedResources:
-      - name: default-resourcequota
-        kind: ResourceQuota
-        namespace: test-namespace-quota
-    policyresponse:
-      policy:
-        namespace: ''
-        name: add-ns-quota
-      resource:
-        kind: Namespace
-        apiVersion: v1
-        namespace: ''
-        name: test-namespace-quota
-      rules:
-        - name: generate-resourcequota
-          type: Generation
-          status: pass
-        - name: generate-limitrange
-          type: Generation
-          status: pass

test/scenarios/samples/best_practices/add_safe_to_evict.yaml

@@ -1,25 +0,0 @@
-# file path is relative to project root
-input:
-  policy: test/best_practices/add_safe_to_evict.yaml
-  resource: test/resources/pod-with-emptydir.yaml
-expected:
-  mutation:
-    patchedresource: test/output/pod-with-emptydir.yaml
-    policyresponse:
-      policy:
-        namespace: ''
-        name: add-safe-to-evict
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: pod-with-emptydir
-      rules:
-      - name: annotate-empty-dir
-        type: Mutation
-        status: pass
-        message: "mutated Pod/pod-with-emptydir"
-      - name: annotate-host-path
-        type: Mutation
-        status: skip
-        message: "no patches applied"

test/scenarios/samples/best_practices/add_safe_to_evict2.yaml

@@ -1,25 +0,0 @@
-# file path is relative to project root
-input:
-  policy: test/best_practices/add_safe_to_evict.yaml
-  resource: test/resources/pod-with-hostpath.yaml
-expected:
-  mutation:
-    patchedresource: test/output/pod-with-hostpath.yaml
-    policyresponse:
-      policy:
-        namespace: ''
-        name: add-safe-to-evict
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: pod-with-hostpath
-      rules:
-        - name: annotate-empty-dir
-          type: Mutation
-          status: skip
-          message: "no patches applied"
-        - name: annotate-host-path
-          type: Mutation
-          status: pass
-          message: "mutated Pod/pod-with-hostpath"

test/scenarios/samples/best_practices/add_safe_to_evict3.yaml

@@ -1,27 +0,0 @@
-# file path is relative to project root
-input:
-  policy: test/best_practices/add_safe_to_evict.yaml
-  resource: test/resources/pod-with-default-volume.yaml
-expected:
-  mutation:
-    patchedresource: test/output/pod-with-default-volume.yaml
-    policyresponse:
-      policy:
-        namespace: ''
-        name: add-safe-to-evict
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: pod-with-default-volume
-      rules:
-        - name: annotate-empty-dir
-          type: Mutation
-          status: skip
-          message: "no patches applied"
-        - name: annotate-host-path
-          type: Mutation
-          status: skip
-          message: "no patches applied"
-
-        

test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml

@@ -1,20 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/best_practices/disallow_bind_mounts.yaml
-  resource: test/resources/disallow_host_filesystem.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: disallow-bind-mounts
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: image-with-hostpath
-      rules:
-        - name: validate-hostPath
-          message: "validation error: Host path volumes are not allowed. rule validate-hostPath failed at path /spec/volumes/0/hostPath/"
-          type: Validation
-          status: fail

test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml

@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/best_practices/disallow_bind_mounts.yaml
-  resource: test/resources/disallow_host_filesystem_pass.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: disallow-bind-mounts
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: image-with-hostpath
-      rules:
-        - name: validate-hostPath
-          type: Validation
-          status: pass

test/scenarios/samples/best_practices/disallow_host_network_port.yaml

@@ -1,22 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/best_practices/disallow_host_network_port.yaml
-  resource: test/resources/disallow_host_network_hostport.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: disallow-host-network-port
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: "nginx-host-network"
-      rules:
-        - name: validate-host-network
-          type: Validation
-          status: pass
-        - name: validate-host-port
-          type: Validation
-          status: fail

test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml

@@ -1,19 +0,0 @@
-# file path relative to project root
-input:  
-  policy: test/best_practices/disallow_host_pid_ipc.yaml
-  resource: test/resources/disallow_hostpid_hostipc.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: disallow-host-pid-ipc
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: "nginx-with-hostpid"
-      rules:
-        - name: validate-hostPID-hostIPC
-          type: Validation
-          status: fail

test/scenarios/samples/best_practices/disallow_priviledged.yaml

@@ -1,22 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/best_practices/disallow_privileged.yaml
-  resource: test/resources/disallow_privileged.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: disallow-privileged
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: check-privileged-cfg
-      rules:
-        - name: validate-privileged
-          type: Validation
-          status: fail
-        - name: validate-allowPrivilegeEscalation
-          type: Validation
-          status: fail

test/scenarios/samples/best_practices/disallow_sysctls.yaml

@@ -1,20 +0,0 @@
-
-# file path relative to project root
-input:
-  policy: test/best_practices/disallow_sysctls.yaml
-  resource: test/resources/resource_validate_sysctl_configs.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: disallow-sysctls
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: nginx
-      rules:
-        - name: validate-sysctls
-          type: Validation
-          status: fail

test/scenarios/samples/more/restrict_automount_sa_token.yaml

@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/more/restrict_automount_sa_token.yaml
-  resource: test/resources/disallow_automountingapicred.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: restrict-automount-sa-token
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: myapp-pod
-      rules:
-        - name: validate-automountServiceAccountToken
-          type: Validation
-          status: pass

test/scenarios/samples/more/restrict_ingress_classes.yaml

@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/more/restrict_ingress_classes.yaml
-  resource: test/resources/ingress-nginx.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: restrict-ingress-classes
-      resource:
-        kind: Ingress
-        apiVersion: v1
-        namespace: ''
-        name: test-ingress
-      rules:
-        - name: validate-ingress
-          type: Validation
-          status: pass

test/scenarios/samples/more/unknown_ingress_class.yaml

@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
-  policy: test/more/restrict_ingress_classes.yaml
-  resource: test/resources/ingress-haproxy.yaml
-expected:
-  validation:
-    policyresponse:
-      policy:
-        namespace: ''
-        name: restrict-ingress-classes
-      resource:
-        kind: Ingress
-        apiVersion: v1
-        namespace: ''
-        name: test-ingress
-      rules:
-        - name: validate-ingress
-          type: Validation
-          status: fail