From 04cd2a2cfbd7daf3ebc08f934be499c61dd1c320 Mon Sep 17 00:00:00 2001
From: cleverhu
Date: Mon, 6 Feb 2023 17:39:23 +0800
Subject: [PATCH] add kuttl test for allnotin (#5700)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: cleverhu
Co-authored-by: Vyankatesh Kudtarkar
Co-authored-by: shuting
Co-authored-by: Charles-Edouard Brétéché
---
.../operator-allnotin-01/01-assert.yaml | 9 +++++++
.../operator-allnotin-01/01-manifests.yaml | 27 +++++++++++++++++++
.../operator-allnotin-01/02-script.yaml | 12 +++++++++
.../operator-allnotin-01/03-deployment.yaml | 20 ++++++++++++++
.../operator-allnotin-01/04-delete.yaml | 8 ++++++
.../enforce/operator-allnotin-01/README.md | 13 +++++++++
.../operator-allnotin-01/resource.yaml | 25 +++++++++++++++++
7 files changed, 114 insertions(+)
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-assert.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-manifests.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/02-script.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/03-deployment.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/04-delete.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/README.md
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/resource.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-assert.yaml
new file mode 100644
index 0000000000..b0bd73c54e
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-manifests.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-manifests.yaml
new file mode 100644
index 0000000000..810636d98f
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-manifests.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+spec:
+ background: false
+ rules:
+ - name: check-for-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ preconditions:
+ any:
+ - key: "{{ request.object.metadata.namespace }}"
+ operator: AllNotIn
+ value:
+ - kyverno
+ - def*
+ validate:
+ message: "label 'app.kubernetes.io/name' is required"
+ pattern:
+ metadata:
+ labels:
+ app.kubernetes.io/name: "?*"
+ validationFailureAction: enforce
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/02-script.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/02-script.yaml
new file mode 100644
index 0000000000..1c1a2618ce
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/02-script.yaml
@@ -0,0 +1,12 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ if kubectl apply -f resource.yaml 2>&1 | grep -q "label ''app.kubernetes.io/name'' is required"
+ then
+ echo "Test succeeded. Resource was blocked from label."
+ exit 0
+ else
+ echo "Tested failed. Resource was allowed to create."
+ exit 1
+ fi
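Review bot: In 01-manifests.yaml the `match` block selects every Deployment in the cluster, so while this test runs the enforce policy applies to all namespaces except `kyverno` and those matching `def*`. If the conformance suite runs tests concurrently against one cluster (not visible from this patch), unlabeled Deployments created by other tests could be rejected, and the generic name `require-labels` may collide with another test's ClusterPolicy. Limiting the rule to the namespaces this test uses keeps the precondition under test while shrinking the blast radius: under `resources:` add `namespaces:` with `- test-validate` and `- default`. A comment above the precondition, such as `# def* is a wildcard and is expected to match the default namespace`, would also document why step 03 is admitted.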
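Review bot: The pass condition in 02-script.yaml is only that grep finds the message, because the pipeline's exit status is grep's and the exit status of `kubectl apply` is discarded. A run in which the request is admitted but the same text still appears in the output (for example as a warning, if the policy were ever switched to audit) would be reported as success, so an enforcement test should first assert that the apply was rejected and only then check the message. The doubled quotes in the pattern presumably match the YAML-escaped form of the webhook response; a short comment saying so would stop someone from "correcting" them. The failure branch also reads `Tested failed`, which should be `Test failed`.

```yaml
  - script: |
      # The apply must be rejected; an admitted request is a failure
      # regardless of what was printed.
      if out=$(kubectl apply -f resource.yaml 2>&1)
      then
        echo "Test failed. Resource was allowed to create."
        exit 1
      fi
      # Doubled single quotes match the YAML-escaped denial message.
      if echo "$out" | grep -q "label ''app.kubernetes.io/name'' is required"
      then
        echo "Test succeeded. Resource was blocked from label."
        exit 0
      fi
      echo "Test failed. Request was rejected without the expected message."
      exit 1
```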
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/03-deployment.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/03-deployment.yaml
new file mode 100644
index 0000000000..cf53ab73b8
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/03-deployment.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx
+ name: nginx
+ namespace: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - image: nginx
+ name: nginx
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/04-delete.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/04-delete.yaml
new file mode 100644
index 0000000000..bb98c84845
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/04-delete.yaml
@@ -0,0 +1,8 @@
+# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: apps/v1
+ kind: Deployment
+ name: nginx
+ namespace: default
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/README.md
new file mode 100644
index 0000000000..956f6a058e
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/README.md
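Review bot: The container in 03-deployment.yaml uses `image: nginx` with no tag or digest, so once this Deployment is admitted the cluster pulls whatever the default tag resolves to at run time. Pinning it, for example `image: nginx@sha256:<digest>` (placeholder; use a digest the project already trusts) or a fixed tag, keeps the conformance run reproducible and avoids pulling unreviewed content into CI. The same unpinned image appears in resource.yaml, although that Deployment is expected to be rejected before any pull happens.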
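Review bot: The cleanup in 04-delete.yaml removes only Deployment `nginx` in `default`, but step 02 runs `kubectl apply -f resource.yaml`, which creates Namespace `test-validate` from a script and therefore, as far as this patch shows, outside kuttl's own object tracking. That namespace is left behind after the test and can influence later runs; add a second entry to `delete:` consisting of `- apiVersion: v1`, `kind: Namespace`, `name: test-validate`. Whether the cluster-scoped ClusterPolicy is removed at the end depends on kuttl's cleanup behaviour, which is not visible here.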
@@ -0,0 +1,13 @@
+## Description
+
+This test mainly verifies that the operator AllNotIn does not work properly.
+
+## Expected Behavior
+
+1. The clusterpolicy is created correctly.
+2. Failed to create resources in test-validate namespace because the deployment lacks of label.
+3. Successfully created deployment in default because 'def*' is within the value of AllNotIn.
+
+## Reference Issue(s)
+
+5617
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/resource.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/resource.yaml
new file mode 100644
index 0000000000..c988d4899d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-allnotin-01/resource.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-validate
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx-test
+ name: nginx-test
+ namespace: test-validate
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx-test
+ template:
+ metadata:
+ labels:
+ app: nginx-test
+ spec:
+ containers:
+ - image: nginx
+ name: nginx