From 0938003aeeb42e52226bbaf7d0a47b7a45584507 Mon Sep 17 00:00:00 2001
From: shuting
Date: Fri, 26 May 2023 09:16:50 +0800
Subject: [PATCH] add kuttl tests (#7283)
Signed-off-by: ShutingZhao
---
.../01-policy.yaml | 6 ++++++
.../02-resources.yaml | 9 +++++++++
.../README.md | 10 ++++++++++
.../bad-pod-1.yaml | 14 ++++++++++++++
.../bad-pod-2.yaml | 14 ++++++++++++++
.../good-pod.yaml | 14 ++++++++++++++
.../policy-assert.yaml | 9 +++++++++
.../policy.yaml | 18 ++++++++++++++++++
8 files changed, 94 insertions(+)
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/01-policy.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/02-resources.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/README.md
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-1.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-2.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/good-pod.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy-assert.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/01-policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/02-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/02-resources.yaml
new file mode 100644
index 0000000000..ae86a3b0dc
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/02-resources.yaml
@@ -0,0 +1,9 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: bad-pod-1.yaml
+  shouldFail: true
+- file: bad-pod-2.yaml
+  shouldFail: true
+- file: good-pod.yaml
+  shouldFail: false
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/README.md
new file mode 100644
index 0000000000..a6347ea58d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test ensures the PSS checks with the latest version, without exclusions, are applied to the resources successfully.
+
+## Expected Behavior
+
+The two pods should not be created as it violate the baseline:latest `seccomp` PSS check.
+
+## Reference Issue(s)
+https://github.com/kyverno/kyverno/issues/7260
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-1.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-1.yaml
new file mode 100644
index 0000000000..d9f7e83b58
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-1.yaml
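Review bot: `shouldFail: true` on bad-pod-1.yaml and bad-pod-2.yaml is satisfied by any apply error, not specifically by a podSecurity rejection, so the only thing in this step that ties the two failures to the seccomp check is that good-pod.yaml (`shouldFail: false`, applied last) must be admitted in the same run. That dependency deserves a comment so the good pod is not dropped later as redundant, e.g. `# good-pod.yaml must be admitted: it shows the rejections above come from the policy, not from an unrelated admission error`. This file also ends without a trailing newline (`\ No newline at end of file`); the same applies to README.md, bad-pod-1.yaml, bad-pod-2.yaml, good-pod.yaml and policy.yaml in this patch.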
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-restricted-seccomp-profile-1
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    args:
+    - sleep
+    - 1d
+    securityContext:
+      seccompProfile:
+        type: Unconfined
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-2.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-2.yaml
new file mode 100644
index 0000000000..1cec108efa
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-2.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-restricted-seccomp-profile-2
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    args:
+    - sleep
+    - 1d
+    securityContext:
+      seccompProfile:
+        type: Unconfined
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/good-pod.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/good-pod.yaml
new file mode 100644
index 0000000000..b0b2066c78
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/good-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-restricted-seccomp-profile-3
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    args:
+    - sleep
+    - 1d
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy-assert.yaml
new file mode 100644
index 0000000000..1738a603a5
--- /dev/null
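Review bot: The name `pod-with-restricted-seccomp-profile-1` says the opposite of what the manifest contains: the container sets `seccompProfile.type: Unconfined`, the explicit value that the baseline seccomp check (PSS v1.19 onwards, hence part of `latest`) rejects, and the policy under test is baseline, not restricted. A name such as `name: pod-with-unconfined-seccomp-profile-1` would make the expected outcome readable straight from the kuttl log; bad-pod-2.yaml and good-pod.yaml share the same stem and should be renamed alongside (good-pod sets `RuntimeDefault`, which baseline allows). Nothing in the test steps or asserts references these names, so the rename is safe.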
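Review bot: bad-pod-2.yaml is identical to bad-pod-1.yaml apart from the `-2` suffix in the name, so the second rejected pod adds no coverage. The baseline seccomp check evaluates both the pod-level `spec.securityContext.seccompProfile` and each container's `securityContext.seccompProfile`; moving the `Unconfined` profile to the pod level in this file (and dropping the container-level securityContext) would make the two bad pods exercise both paths the check covers, while the README's "the two pods should not be created" wording stays accurate.
```yaml
spec:
  securityContext:
    seccompProfile:
      type: Unconfined
  containers:
  - name: busybox
    image: busybox:1.35
    # … unchanged: args …
```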
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: latest-check-no-exclusion
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml
new file mode 100644
index 0000000000..3df4ed2983
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: latest-check-no-exclusion
+spec:
+  background: false
+  validationFailureAction: Enforce
+  rules:
+  - name: restricted
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      podSecurity:
+        level: baseline
+        version: latest
\ No newline at end of file
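Review bot: `version: latest` is a moving target — it is presumably resolved against the pod-security-admission library bundled into Kyverno rather than the cluster version, so the set of checks this policy applies changes whenever that dependency is bumped — and the deliberate absence of an `exclude` block, which is the whole point of the test, is stated only in the README. A header comment would anchor both intentions for whoever reads a future failure, e.g. `# Regression test for kyverno/kyverno#7260: deliberately no exclude block, and version: latest so the newest baseline seccomp check is exercised`. Note also that the rule is named `restricted` while `level: baseline` is what is enforced; `name: baseline-latest` would match the policy it describes.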