add kuttl tests (#7283)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/02-resources.yaml

@@ -0,0 +1,9 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: bad-pod-1.yaml
+  shouldFail: true
+- file: bad-pod-2.yaml
+  shouldFail: true
+- file: good-pod.yaml
+  shouldFail: false

test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/README.md

@@ -0,0 +1,10 @@
+## Description
+
+This test ensures the PSS checks with the latest version, without exclusions, are applied to the resources successfully.
+
+## Expected Behavior
+
+The two pods should not be created as it violate the baseline:latest `seccomp` PSS check.
+
+## Reference Issue(s)
+https://github.com/kyverno/kyverno/issues/7260

test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-1.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-restricted-seccomp-profile-1
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    args:
+    - sleep
+    - 1d
+  securityContext:
+    seccompProfile:
+      type: Unconfined

test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-2.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-restricted-seccomp-profile-2
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    args:
+    - sleep
+    - 1d
+    securityContext:
+      seccompProfile:
+        type: Unconfined

test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/good-pod.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-restricted-seccomp-profile-3
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    args:
+    - sleep
+    - 1d
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault

test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: latest-check-no-exclusion
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml

@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: latest-check-no-exclusion
+spec:
+  background: false
+  validationFailureAction: Enforce
+  rules:
+  - name: restricted
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      podSecurity:
+        level: baseline
+        version: latest