add kuttl test for allnotin (#5700)

Signed-off-by: cleverhu <shouping.hu@daocloud.io>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-manifests.yaml

@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+spec:
+  background: false
+  rules:
+    - name: check-for-labels
+      match:
+        any:
+        - resources:
+            kinds:
+            - Deployment
+      preconditions:
+        any:
+        - key: "{{ request.object.metadata.namespace }}"
+          operator: AllNotIn
+          value:
+            - kyverno
+            - def*
+      validate:
+        message: "label 'app.kubernetes.io/name' is required"
+        pattern:
+          metadata:
+            labels:
+              app.kubernetes.io/name: "?*"
+  validationFailureAction: enforce

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/02-script.yaml

@@ -0,0 +1,12 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      if kubectl apply -f resource.yaml 2>&1 | grep -q "label ''app.kubernetes.io/name'' is required"
+      then
+        echo "Test succeeded. Resource was blocked from label."
+        exit 0
+      else
+        echo "Tested failed. Resource was allowed to create."
+        exit 1
+      fi

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/03-deployment.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx
+  name: nginx
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - image: nginx
+          name: nginx

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/04-delete.yaml

@@ -0,0 +1,8 @@
+# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: apps/v1
+  kind: Deployment
+  name: nginx
+  namespace: default

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/README.md

@@ -0,0 +1,13 @@
+## Description
+
+This test mainly verifies that the operator AllNotIn does not work properly.
+
+## Expected Behavior
+
+1. The clusterpolicy is created correctly.
+2. Failed to create resources in test-validate namespace because the deployment lacks of label.
+3. Successfully created deployment in default because 'def*' is within the value of AllNotIn.
+
+## Reference Issue(s)
+
+5617

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/resource.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-validate
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx-test
+  name: nginx-test
+  namespace: test-validate
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-test
+  template:
+    metadata:
+      labels:
+        app: nginx-test
+    spec:
+      containers:
+        - image: nginx
+          name: nginx