mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-15 20:20:22 +00:00
Code Activity

Migrated scenario based tests to CLI (#8055)

Browse source 
* migrated scenarios to cli and resolved conflicts

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Modified Makefile

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update Makefile

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Create patchedresource.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update kyverno-test.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Delete test/cli/scenarios_to_cli/other /scenario_mutate_validate_qos directory

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update kyverno-test.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Create patchedresource.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update policy.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update policy.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Dhananjay Kumar Sharma 2023-08-23 21:25:39 +05:30 committed by GitHub
parent 333845677a
commit 04bc4ed7c6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
62 changed files with 205 additions and 754 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
Makefile
View file

@ -688,7 +688,7 @@ test-kuttl: $(KUTTL) ## Run kuttl tests
TEST_GIT_BRANCH ?= main TEST_GIT_BRANCH ?= main
.PHONY: test-cli .PHONY: test-cli
test-cli: test-cli-policies test-cli-local test-cli-local-mutate test-cli-local-generate test-cli-test-case-selector-flag test-cli-registry ## Run all CLI tests test-cli: test-cli-policies test-cli-local test-cli-local-mutate test-cli-local-generate test-cli-test-case-selector-flag test-cli-registry test-cli-scenarios-to-cli ## Run all CLI tests
.PHONY: test-cli-policies .PHONY: test-cli-policies
test-cli-policies: $(CLI_BIN) test-cli-policies: $(CLI_BIN)
@ -715,6 +715,11 @@ test-cli-test-case-selector-flag: $(CLI_BIN)
test-cli-registry: $(CLI_BIN) test-cli-registry: $(CLI_BIN)
@$(CLI_BIN) test ./test/cli/registry --registry @$(CLI_BIN) test ./test/cli/registry --registry
.PHONY: test-cli-scenarios-to-cli
test-cli-scenarios-to-cli: $(CLI_BIN)
@$(CLI_BIN) test ./test/cli/scenarios_to_cli --registry
############# #############
# HELM TEST # # HELM TEST #
############# #############

12
test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/kyverno-test.yaml Normal file
View file

@ -0,0 +1,12 @@
name: policy-endpoints
policies:
- policy.yaml
resources:
- resource.yaml
results:
- policy: policy-endpoints
rule: pEP
resource: test-endpoint
patchedresource: patchedresource.yaml
kind: Endpoints
result: pass

15
test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/patchedresource.yaml Normal file
View file

@ -0,0 +1,15 @@
apiVersion: v1
kind: Endpoints
metadata:
creationTimestamp:
labels:
isMutated: 'true'
label: test
name: test-endpoint
subsets:
- addresses:
- ip: 192.168.10.171
ports:
- name: secure-connection
port: 9663
protocol: TCP

19
test/policy/mutate/policy_mutate_endpoint.yaml → test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/policy.yaml
View file

@ -1,17 +1,18 @@
apiVersion : kyverno.io/v1 apiVersion: kyverno.io/v1
kind : ClusterPolicy kind: ClusterPolicy
metadata : metadata:
name : policy-endpoints name: policy-endpoints
spec : spec:
rules: rules:
- name: pEP - name: pEP
match: match:
resources: all:
kinds : - resources:
- Endpoints kinds:
- Endpoints
selector: selector:
matchLabels: matchLabels:
label : test label: test
mutate: mutate:
patchesJson6902: |- patchesJson6902: |-
[ [

0
test/resources/resource_mutate_endpoint.yaml → test/cli/scenarios_to_cli/other /scenario_mutate_endpoint/resource.yaml
View file

12
test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/kyverno-test.yaml Normal file
View file

@ -0,0 +1,12 @@
name: mutate-pods-spec
policies:
- policy.yaml
resources:
- resource.yaml
results:
- policy: mutate-pods-spec
rule: disable-servicelink-and-token
resource: nginx-deployment
patchedresource: patchedresource.yaml
kind: Deployment
result: pass

16
test/resources/resource_mutate_validate_qos.yaml → test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/patchedresource.yaml
View file

@ -2,9 +2,10 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
creationTimestamp: "2020-09-21T12:56:35Z" creationTimestamp: "2020-09-21T12:56:35Z"
name: qos-demo name: nginx-deployment
labels: labels:
test: qos app: nginx
namespace: test-foo-aaaaaaaaa-bbbbbbbb
spec: spec:
replicas: 1 replicas: 1
selector: selector:
@ -16,9 +17,10 @@ spec:
labels: labels:
app: nginx app: nginx
spec: spec:
enableServiceLinks: false
automountServiceAccountToken: false
containers: containers:
- name: nginx - name: nginx
image: nginx:latest image: nginx:1.14.2
resources: ports:
limits: - containerPort: 80
cpu: "50m"

17
test/policy/mutate/policy_mutate_pod_spec.yaml → test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/policy.yaml
View file

@ -6,14 +6,15 @@ spec:
rules: rules:
- name: "disable-servicelink-and-token" - name: "disable-servicelink-and-token"
match: match:
resources: all:
kinds: - resources:
- DaemonSet kinds:
- Deployment - DaemonSet
- Job - Deployment
- StatefulSet - Job
namespaces: - StatefulSet
- test-foo-* namespaces:
- test-foo-*
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
spec: spec:

0
test/resources/resource_mutate_pod_spec.yaml → test/cli/scenarios_to_cli/other /scenario_mutate_pod_spec/resource.yaml
View file

11
test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/kyverno-test.yaml Normal file
View file

@ -0,0 +1,11 @@
name: validate-default-proc-mount
policies:
- policy.yaml
resources:
- resource.yaml
results:
- policy: validate-default-proc-mount
rule: validate-default-proc-mount
resource: nginx-proc-mount
kind: Pod
result: pass

7
test/policy/validate/policy_validate_default_proc_mount.yaml → test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/policy.yaml
View file

@ -7,9 +7,10 @@ spec:
rules: rules:
- name: validate-default-proc-mount - name: validate-default-proc-mount
match: match:
resources: all:
kinds: - resources:
- Pod kinds:
- Pod
validate: validate:
message: "Default proc mount should set to Unmasked" message: "Default proc mount should set to Unmasked"
pattern: pattern:

0
test/resources/resource_validate_default_proc_mount.yaml → test/cli/scenarios_to_cli/other /scenario_validate_default_proc_mount/resource.yaml
View file

11
test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/kyverno-test.yaml Normal file
View file

@ -0,0 +1,11 @@
name: validate-disallow-default-serviceaccount
policies:
- policy.yaml
resources:
- resource.yaml
results:
- policy: validate-disallow-default-serviceaccount
rule: prevent-mounting-default-serviceaccount
resource: pod-with-default-sa
kind: Pod
result: fail

14
test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml → test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/policy.yaml
View file

@ -6,13 +6,15 @@ spec:
rules: rules:
- name: prevent-mounting-default-serviceaccount - name: prevent-mounting-default-serviceaccount
exclude: exclude:
resources: all:
namespaces: - resources:
- kube-system namespaces:
- kube-system
match: match:
resources: all:
kinds: - resources:
- Pod kinds:
- Pod
validate: validate:
message: "Prevent mounting of default service account" message: "Prevent mounting of default service account"
pattern: pattern:

5
test/resources/disallow_automountingapicred.yaml → test/cli/scenarios_to_cli/other /scenario_validate_disallow_default_serviceaccount/resource.yaml
View file

@ -1,12 +1,11 @@
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: myapp-pod name: pod-with-default-sa
labels: labels:
app: myapp app: pod-with-default-sa
spec: spec:
serviceAccountName: default serviceAccountName: default
automountServiceAccountToken: false
containers: containers:
- name: nginx - name: nginx
image: nginx image: nginx

16
test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/kyverno-test.yaml Normal file
View file

@ -0,0 +1,16 @@
name: check-probe-exists
policies:
- policy.yaml
resources:
- resource.yaml
results:
- policy: check-probe-exists
rule: check-readinessProbe-exists
resource: probe
kind: Pod
result: pass
- policy: check-probe-exists
rule: check-livenessProbe-exists
resource: probe
kind: Pod
result: pass

24
test/policy/validate/policy_validate_healthChecks.yaml → test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/policy.yaml
View file

@ -1,14 +1,15 @@
apiVersion : kyverno.io/v1 apiVersion: kyverno.io/v1
kind : ClusterPolicy kind: ClusterPolicy
metadata : metadata:
name: check-probe-exists name: check-probe-exists
spec: spec:
rules: rules:
- name: check-readinessProbe-exists - name: check-readinessProbe-exists
match: match:
resources: all:
kinds : - resources:
- Pod kinds:
- Pod
validate: validate:
message: "readinessProbe is required" message: "readinessProbe is required"
pattern: pattern:
@ -18,10 +19,11 @@ spec:
readinessProbe: readinessProbe:
successThreshold: ">1" successThreshold: ">1"
- name: check-livenessProbe-exists - name: check-livenessProbe-exists
match: match:
resources: all:
kinds : - resources:
- Pod kinds:
- Pod
validate: validate:
message: "livenessProbe is required" message: "livenessProbe is required"
pattern: pattern:
@ -32,4 +34,4 @@ spec:
httpGet: httpGet:
path: "?*" path: "?*"
port: "*" port: "*"
scheme: "?*" scheme: "?*"

0
test/resources/resource_validate_healthChecks.yaml → test/cli/scenarios_to_cli/other /scenario_validate_healthChecks/resource.yaml
View file

11
test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/kyverno-test.yaml Normal file
View file

@ -0,0 +1,11 @@
name: validate-selinux-options
policies:
- policy.yaml
resources:
- resource.yaml
results:
- policy: validate-selinux-options
rule: validate-selinux-options
resource: busybox-selinux
kind: Pod
result: fail

9
test/policy/validate/policy_validate_selinux_context.yaml → test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/policy.yaml
View file

@ -7,9 +7,10 @@ spec:
rules: rules:
- name: validate-selinux-options - name: validate-selinux-options
match: match:
resources: any:
kinds: - resources:
- Pod kinds:
- Pod
validate: validate:
message: "SELinux level is required" message: "SELinux level is required"
pattern: pattern:
@ -17,7 +18,7 @@ spec:
containers: containers:
- securityContext: - securityContext:
seLinuxOptions: seLinuxOptions:
level: "*" level: "?*"
# level: "s0:c25,c968" # level: "s0:c25,c968"
# If SELinux security module is loaded on the host operating system, # If SELinux security module is loaded on the host operating system,
# we can make sure pods only have access to specified configured level # we can make sure pods only have access to specified configured level

0
test/resources/resource_validate_selinux_context.yaml → test/cli/scenarios_to_cli/other /scenario_validate_selinux_context/resource.yaml
View file

11
test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/kyverno-test.yaml Normal file
View file

@ -0,0 +1,11 @@
name: validate-volumes-whitelist
policies:
- policy.yaml
resources:
- resource.yaml
results:
- policy: validate-volumes-whitelist
rule: validate-volumes-whitelist
resource: test-volumes
kind: Pod
result: pass

15
test/policy/validate/policy_validate_volume_whitelist.yaml → test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/policy.yaml
View file

@ -1,4 +1,4 @@
apiVersion : kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: validate-volumes-whitelist name: validate-volumes-whitelist
@ -7,11 +7,12 @@ spec:
rules: rules:
- name: validate-volumes-whitelist - name: validate-volumes-whitelist
match: match:
resources: any:
kinds: - resources:
- Pod kinds:
- Pod
validate: validate:
message: "Volumes white list" message: "Volume type is not of type hostPath, emptyDir, or configMap."
anyPattern: anyPattern:
- spec: - spec:
volumes: volumes:
@ -22,7 +23,3 @@ spec:
- spec: - spec:
volumes: volumes:
- configMap: "*" - configMap: "*"

0
test/resources/resource_validate_volume_whitelist.yaml → test/cli/scenarios_to_cli/other /scenario_validate_volume_whitelist/resource.yaml
View file

11
test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/kyverno-test.yaml Normal file
View file

@ -0,0 +1,11 @@
name: restrict-ingress-classes
policies:
- policy.yaml
resources:
- resource.yaml
results:
- policy: restrict-ingress-classes
rule: validate-ingress
resource: test-ingress
kind: Ingress
result: pass

23
test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/policy.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-ingress-classes
annotations:
policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: It can be useful to restrict Ingress resources to a set of
known ingress classes that are allowed in the cluster. You can customize this policy to
allow ingress classes that are configured in the cluster.
spec:
rules:
- name: validate-ingress
match:
any:
- resources:
kinds:
- Ingress
validate:
message: "Unknown ingress class"
pattern:
metadata:
annotations:
kubernetes.io/ingress.class: "F5 | nginx"

0
test/resources/ingress-nginx.yaml → test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/resource.yaml
View file

50
test/policy/mutate/policy_mutate_validate_qos.yaml
View file

@ -1,50 +0,0 @@
apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
name: policy-qos
spec:
# validationFailureAction: "audit"
rules:
- name: add-memory-limit
match:
resources:
kinds:
- Deployment
selector :
matchLabels:
test: qos
mutate:
patchStrategicMerge:
spec:
template:
spec:
containers:
# the wildcard * will match all containers in the list
- (name): "*"
resources:
limits:
# add memory limit if it is not exist
"+(memory)": "300Mi"
"+(cpu)": "100"
- name: check-cpu-memory-limits
match:
resources:
kinds:
- Deployment
selector :
matchLabels:
test: qos
validate:
message: "Resource limits are required for CPU and memory"
pattern:
spec:
template:
spec:
containers:
# match all containers
- (name): "*"
resources:
limits:
# cpu and memory are required
memory: "?*"
cpu: "?*"

18
test/resources/disallow_host_filesystem.yaml
View file

@ -1,18 +0,0 @@
apiVersion: "v1"
kind: "Pod"
metadata:
name: "image-with-hostpath"
labels:
app.type: "prod"
namespace: "my-namespace"
spec:
containers:
- name: "image-with-hostpath"
image: "docker.io/nautiker/curl"
volumeMounts:
- name: "var-lib-etcd"
mountPath: "/var/lib"
volumes:
- name: "var-lib-etcd"
hostPath:
path: "/var/lib"

17
test/resources/disallow_host_filesystem_pass.yaml
View file

@ -1,17 +0,0 @@
apiVersion: "v1"
kind: "Pod"
metadata:
name: "image-with-hostpath"
labels:
app.type: "prod"
namespace: "my-namespace"
spec:
containers:
- name: "image-with-hostpath"
image: "docker.io/nautiker/curl"
volumeMounts:
- name: "var-lib-etcd"
mountPath: "/var/lib"
volumes:
- name: "var-lib-etcd"
emptyDir: {}

12
test/resources/disallow_host_network_hostport.yaml
View file

@ -1,12 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-network
spec:
hostNetwork: false
containers:
- name: nginx-host-network
image: nginx
ports:
- containerPort: 80
hostPort: 80

10
test/resources/disallow_hostpid_hostipc.yaml
View file

@ -1,10 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-with-hostpid
spec:
hostPID: false
hostIPC: true
containers:
- name: nginx
image: nginx

11
test/resources/disallow_privileged.yaml
View file

@ -1,11 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: check-privileged-cfg
spec:
containers:
- name: check-privileged-cfg
image: nginxinc/nginx-unprivileged
securityContext:
allowPrivilegeEscalation: true
privileged: true

14
test/resources/ingress-haproxy.yaml
View file

@ -1,14 +0,0 @@
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
kubernetes.io/ingress.class: haproxy
spec:
rules:
- http:
paths:
- path: /testpath
backend:
serviceName: test
servicePort: 80

18
test/resources/pod-with-default-volume.yaml
View file

@ -1,18 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-default-volume
creationTimestamp: "2020-09-21T12:56:35Z"
spec:
containers:
- image: registry.k8s.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-wkknl
readOnly: true
volumes:
- name: default-token-wkknl
secret:
defaultMode: 420
secretName: default-token-wkknl

14
test/resources/pod-with-emptydir.yaml
View file

@ -1,14 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-emptydir
spec:
containers:
- image: registry.k8s.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /cache
name: cache-volume
volumes:
- name: cache-volume
emptyDir: {}

16
test/resources/pod-with-hostpath.yaml
View file

@ -1,16 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-hostpath
annotations:
spec:
containers:
- image: registry.k8s.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /tmp/foo
name: host-volume
volumes:
- name: host-volume
hostPath:
path: "/tmp/foo"

4
test/resources/require_default_network_policy.yaml
View file

@ -1,4 +0,0 @@
kind: Namespace
apiVersion: v1
metadata:
name: "devtest"

4
test/resources/require_namespace_quota.yaml
View file

@ -1,4 +0,0 @@
kind: Namespace
apiVersion: v1
metadata:
name: "test-namespace-quota"

16
test/resources/resource_validate_sysctl_configs.yaml
View file

@ -1,16 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
name: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
securityContext:
sysctls:
- name: net.ipv4.ip_local_port_range
value: "50 65535"

21
test/scenarios/other/scenario_mutate_endpoint.yaml
View file

@ -1,21 +0,0 @@
# file path relative to project root
input:
policy: test/policy/mutate/policy_mutate_endpoint.yaml
resource: test/resources/resource_mutate_endpoint.yaml
expected:
mutation:
patchedresource: test/output/output_mutate_endpoint.yaml
policyresponse:
policy:
namespace: ''
name: policy-endpoints
resource:
kind: Endpoints
apiVersion: v1
namespace: ''
name: test-endpoint
rules:
- name: pEP
type: Mutation
status: pass
message: mutated Endpoints/test-endpoint

20
test/scenarios/other/scenario_mutate_pod_spec.yaml
View file

@ -1,20 +0,0 @@
# file path relative to project root
input:
policy: test/policy/mutate/policy_mutate_pod_spec.yaml
resource: test/resources/resource_mutate_pod_spec.yaml
expected:
mutation:
patchedresource: test/output/output_mutate_pod_spec.yaml
policyresponse:
policy:
name: mutate-pods-spec
resource:
kind: Deployment
apiVersion: apps/v1
namespace: test-foo-aaaaaaaaa-bbbbbbbb
name: nginx-deployment
rules:
- name: disable-servicelink-and-token
type: Mutation
status: pass
message: mutated Deployment/nginx-deployment in namespace test-foo-aaaaaaaaa-bbbbbbbb

36
test/scenarios/other/scenario_mutate_validate_qos.yaml
View file

@ -1,36 +0,0 @@
# file path is relative to project root
input:
policy: test/policy/mutate/policy_mutate_validate_qos.yaml
resource: test/resources/resource_mutate_validate_qos.yaml
expected:
mutation:
patchedresource: test/output/output_mutate_validate_qos.yaml
policyresponse:
policy:
namespace: ''
name: policy-qos
resource:
kind: Deployment
apiVersion: apps/v1
namespace: ''
name: qos-demo
rules:
- name: add-memory-limit
type: Mutation
status: pass
message: mutated Deployment/qos-demo
validation:
policyresponse:
policy:
namespace: ''
name: policy-qos
resource:
kind: Deployment
apiVersion: apps/v1
namespace: ''
name: qos-demo
rules:
- name: check-cpu-memory-limits
type: Validation
message: validation rule 'check-cpu-memory-limits' passed.
status: pass

21
test/scenarios/other/scenario_validate_default_proc_mount.yaml
View file

@ -1,21 +0,0 @@
# file path relative to project root
input:
policy: test/policy/validate/policy_validate_default_proc_mount.yaml
resource: test/resources/resource_validate_default_proc_mount.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: validate-default-proc-mount
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: nginx-proc-mount
rules:
- name: validate-default-proc-mount
type: Validation
message: "validation rule 'validate-default-proc-mount' passed."
status: pass

20
test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml
View file

@ -1,20 +0,0 @@
# file path relative to project root
input:
policy: test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml
resource: test/resources/resource_validate_disallow_default_serviceaccount.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: validate-disallow-default-serviceaccount
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: pod-with-default-sa
rules:
- name: prevent-mounting-default-serviceaccount
type: Validation
message: "validation error: Prevent mounting of default service account. rule prevent-mounting-default-serviceaccount failed at path /spec/serviceAccountName/"
status: fail

24
test/scenarios/other/scenario_validate_healthChecks.yaml
View file

@ -1,24 +0,0 @@
# file path relative to project root
input:
policy: test/policy/validate/policy_validate_healthChecks.yaml
resource: test/resources/resource_validate_healthChecks.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: check-probe-exists
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: probe
rules:
- name: check-readinessProbe-exists
type: Validation
message: validation rule 'check-readinessProbe-exists' passed.
status: pass
- name: check-livenessProbe-exists
type: Validation
message: validation rule 'check-livenessProbe-exists' passed.
status: pass

20
test/scenarios/other/scenario_validate_selinux_context.yaml
View file

@ -1,20 +0,0 @@
# file path relative to project root
input:
policy: test/policy/validate/policy_validate_selinux_context.yaml
resource: test/resources/resource_validate_selinux_context.yaml
expected:
validation:
policyresponse:
policy:
name: validate-selinux-options
resource:
kind: Pod
apiVersion: v1
namespace: default
name: busybox-selinux
rules:
- name: validate-selinux-options
type: Validation
message: "validation error: SELinux level is required. rule validate-selinux-options failed at path /spec/containers/0/securityContext/seLinuxOptions/"
status: fail

21
test/scenarios/other/scenario_validate_volume_whiltelist.yaml
View file

@ -1,21 +0,0 @@
# file path relative to project root
input:
policy: test/policy/validate/policy_validate_volume_whitelist.yaml
resource: test/resources/resource_validate_volume_whitelist.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: validate-volumes-whitelist
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: test-volumes
rules:
- name: validate-volumes-whitelist
type: Validation
message: "validation rule 'validate-volumes-whitelist' anyPattern[2] passed."
status: pass

24
test/scenarios/samples/best_practices/add_networkPolicy.yaml
View file

@ -1,24 +0,0 @@
# file path relative to project root
input:
policy: test/best_practices/add_network_policy.yaml
resource: test/resources/require_default_network_policy.yaml
expected:
generation:
generatedResources:
- name: default-deny-ingress
kind: NetworkPolicy
namespace: devtest
policyresponse:
policy:
namespace: ''
name: add-networkpolicy
resource:
kind: Namespace
apiVersion: v1
namespace: ''
name: devtest
rules:
- name: default-deny-ingress
type: Generation
status: pass
message: created resource NetworkPolicy/devtest/default-deny-ingress

26
test/scenarios/samples/best_practices/add_ns_quota.yaml
View file

@ -1,26 +0,0 @@
# file path relative to project root
input:
policy: test/best_practices/add_ns_quota.yaml
resource: test/resources/require_namespace_quota.yaml
expected:
generation:
generatedResources:
- name: default-resourcequota
kind: ResourceQuota
namespace: test-namespace-quota
policyresponse:
policy:
namespace: ''
name: add-ns-quota
resource:
kind: Namespace
apiVersion: v1
namespace: ''
name: test-namespace-quota
rules:
- name: generate-resourcequota
type: Generation
status: pass
- name: generate-limitrange
type: Generation
status: pass

25
test/scenarios/samples/best_practices/add_safe_to_evict.yaml
View file

@ -1,25 +0,0 @@
# file path is relative to project root
input:
policy: test/best_practices/add_safe_to_evict.yaml
resource: test/resources/pod-with-emptydir.yaml
expected:
mutation:
patchedresource: test/output/pod-with-emptydir.yaml
policyresponse:
policy:
namespace: ''
name: add-safe-to-evict
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: pod-with-emptydir
rules:
- name: annotate-empty-dir
type: Mutation
status: pass
message: "mutated Pod/pod-with-emptydir"
- name: annotate-host-path
type: Mutation
status: skip
message: "no patches applied"

25
test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
View file

@ -1,25 +0,0 @@
# file path is relative to project root
input:
policy: test/best_practices/add_safe_to_evict.yaml
resource: test/resources/pod-with-hostpath.yaml
expected:
mutation:
patchedresource: test/output/pod-with-hostpath.yaml
policyresponse:
policy:
namespace: ''
name: add-safe-to-evict
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: pod-with-hostpath
rules:
- name: annotate-empty-dir
type: Mutation
status: skip
message: "no patches applied"
- name: annotate-host-path
type: Mutation
status: pass
message: "mutated Pod/pod-with-hostpath"

27
test/scenarios/samples/best_practices/add_safe_to_evict3.yaml
View file

@ -1,27 +0,0 @@
# file path is relative to project root
input:
policy: test/best_practices/add_safe_to_evict.yaml
resource: test/resources/pod-with-default-volume.yaml
expected:
mutation:
patchedresource: test/output/pod-with-default-volume.yaml
policyresponse:
policy:
namespace: ''
name: add-safe-to-evict
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: pod-with-default-volume
rules:
- name: annotate-empty-dir
type: Mutation
status: skip
message: "no patches applied"
- name: annotate-host-path
type: Mutation
status: skip
message: "no patches applied"

20
test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml
View file

@ -1,20 +0,0 @@
# file path relative to project root
input:
policy: test/best_practices/disallow_bind_mounts.yaml
resource: test/resources/disallow_host_filesystem.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: disallow-bind-mounts
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: image-with-hostpath
rules:
- name: validate-hostPath
message: "validation error: Host path volumes are not allowed. rule validate-hostPath failed at path /spec/volumes/0/hostPath/"
type: Validation
status: fail

19
test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml
View file

@ -1,19 +0,0 @@
# file path relative to project root
input:
policy: test/best_practices/disallow_bind_mounts.yaml
resource: test/resources/disallow_host_filesystem_pass.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: disallow-bind-mounts
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: image-with-hostpath
rules:
- name: validate-hostPath
type: Validation
status: pass

22
test/scenarios/samples/best_practices/disallow_host_network_port.yaml
View file

@ -1,22 +0,0 @@
# file path relative to project root
input:
policy: test/best_practices/disallow_host_network_port.yaml
resource: test/resources/disallow_host_network_hostport.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: disallow-host-network-port
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: "nginx-host-network"
rules:
- name: validate-host-network
type: Validation
status: pass
- name: validate-host-port
type: Validation
status: fail

19
test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml
View file

@ -1,19 +0,0 @@
# file path relative to project root
input:
policy: test/best_practices/disallow_host_pid_ipc.yaml
resource: test/resources/disallow_hostpid_hostipc.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: disallow-host-pid-ipc
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: "nginx-with-hostpid"
rules:
- name: validate-hostPID-hostIPC
type: Validation
status: fail

22
test/scenarios/samples/best_practices/disallow_priviledged.yaml
View file

@ -1,22 +0,0 @@
# file path relative to project root
input:
policy: test/best_practices/disallow_privileged.yaml
resource: test/resources/disallow_privileged.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: disallow-privileged
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: check-privileged-cfg
rules:
- name: validate-privileged
type: Validation
status: fail
- name: validate-allowPrivilegeEscalation
type: Validation
status: fail

20
test/scenarios/samples/best_practices/disallow_sysctls.yaml
View file

@ -1,20 +0,0 @@
# file path relative to project root
input:
policy: test/best_practices/disallow_sysctls.yaml
resource: test/resources/resource_validate_sysctl_configs.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: disallow-sysctls
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: nginx
rules:
- name: validate-sysctls
type: Validation
status: fail

19
test/scenarios/samples/more/restrict_automount_sa_token.yaml
View file

@ -1,19 +0,0 @@
# file path relative to project root
input:
policy: test/more/restrict_automount_sa_token.yaml
resource: test/resources/disallow_automountingapicred.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: restrict-automount-sa-token
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: validate-automountServiceAccountToken
type: Validation
status: pass

19
test/scenarios/samples/more/restrict_ingress_classes.yaml
View file

@ -1,19 +0,0 @@
# file path relative to project root
input:
policy: test/more/restrict_ingress_classes.yaml
resource: test/resources/ingress-nginx.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: restrict-ingress-classes
resource:
kind: Ingress
apiVersion: v1
namespace: ''
name: test-ingress
rules:
- name: validate-ingress
type: Validation
status: pass

19
test/scenarios/samples/more/unknown_ingress_class.yaml
View file

@ -1,19 +0,0 @@
# file path relative to project root
input:
policy: test/more/restrict_ingress_classes.yaml
resource: test/resources/ingress-haproxy.yaml
expected:
validation:
policyresponse:
policy:
namespace: ''
name: restrict-ingress-classes
resource:
kind: Ingress
apiVersion: v1
namespace: ''
name: test-ingress
rules:
- name: validate-ingress
type: Validation
status: fail