diff --git a/cmd/cli/kubectl-kyverno/commands/apply/command_test.go b/cmd/cli/kubectl-kyverno/commands/apply/command_test.go
index 9c527ef5fe..c4766beb86 100644
--- a/cmd/cli/kubectl-kyverno/commands/apply/command_test.go
+++ b/cmd/cli/kubectl-kyverno/commands/apply/command_test.go
@@ -326,7 +326,7 @@ func Test_Apply(t *testing.T) {
 },
 expectedPolicyReports: []policyreportv1alpha2.PolicyReport{{
 Summary: policyreportv1alpha2.PolicyReportSummary{
- Pass: 0,
+ Pass: 2,
 Fail: 2,
 Skip: 0,
 Error: 0,
@@ -345,7 +345,7 @@ func Test_Apply(t *testing.T) {
 },
 expectedPolicyReports: []policyreportv1alpha2.PolicyReport{{
 Summary: policyreportv1alpha2.PolicyReportSummary{
- Pass: 0,
+ Pass: 1,
 Fail: 1,
 Skip: 0,
 Error: 0,
diff --git a/cmd/cli/kubectl-kyverno/commands/test/test.go b/cmd/cli/kubectl-kyverno/commands/test/test.go
index 850a1b893e..270de3c293 100644
--- a/cmd/cli/kubectl-kyverno/commands/test/test.go
+++ b/cmd/cli/kubectl-kyverno/commands/test/test.go
@@ -58,14 +58,14 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool, auditWa
 // policies
 fmt.Fprintln(out, " Loading policies", "...")
 policyFullPath := path.GetFullPaths(testCase.Test.Policies, testDir, isGit)
- policies, validatingAdmissionPolicies, _, err := policy.Load(testCase.Fs, testDir, policyFullPath...)
+ policies, vaps, vapBindings, err := policy.Load(testCase.Fs, testDir, policyFullPath...)
 if err != nil {
 return nil, fmt.Errorf("Error: failed to load policies (%s)", err)
 }
 // resources
 fmt.Fprintln(out, " Loading resources", "...")
 resourceFullPath := path.GetFullPaths(testCase.Test.Resources, testDir, isGit)
- resources, err := common.GetResourceAccordingToResourcePath(out, testCase.Fs, resourceFullPath, false, policies, validatingAdmissionPolicies, dClient, "", false, testDir)
+ resources, err := common.GetResourceAccordingToResourcePath(out, testCase.Fs, resourceFullPath, false, policies, vaps, dClient, "", false, testDir)
 if err != nil {
 return nil, fmt.Errorf("Error: failed to load resources (%s)", err)
 }
@@ -83,7 +83,7 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool, auditWa
 return nil, fmt.Errorf("Error: failed to load exceptions (%s)", err)
 }
 // Validates that exceptions cannot be used with ValidatingAdmissionPolicies.
- if len(validatingAdmissionPolicies) > 0 && len(exceptions) > 0 {
+ if len(vaps) > 0 && len(exceptions) > 0 {
 return nil, fmt.Errorf("Error: Currently, the use of exceptions in conjunction with ValidatingAdmissionPolicies is not supported.")
 }
 // init store
@@ -94,9 +94,9 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool, auditWa
 vars.SetInStore(&store)
 }
 if len(exceptions) > 0 {
- fmt.Fprintln(out, " Applying", len(policies)+len(validatingAdmissionPolicies), pluralize.Pluralize(len(policies)+len(validatingAdmissionPolicies), "policy", "policies"), "to", len(uniques), pluralize.Pluralize(len(uniques), "resource", "resources"), "with", len(exceptions), pluralize.Pluralize(len(exceptions), "exception", "exceptions"), "...")
+ fmt.Fprintln(out, " Applying", len(policies)+len(vaps), pluralize.Pluralize(len(policies)+len(vaps), "policy", "policies"), "to", len(uniques), pluralize.Pluralize(len(uniques), "resource", "resources"), "with", len(exceptions), pluralize.Pluralize(len(exceptions), "exception", "exceptions"), "...")
 } else {
- fmt.Fprintln(out, " Applying", len(policies)+len(validatingAdmissionPolicies), pluralize.Pluralize(len(policies)+len(validatingAdmissionPolicies), "policy", "policies"), "to", len(uniques), pluralize.Pluralize(len(uniques), "resource", "resources"), "...")
+ fmt.Fprintln(out, " Applying", len(policies)+len(vaps), pluralize.Pluralize(len(policies)+len(vaps), "policy", "policies"), "to", len(uniques), pluralize.Pluralize(len(uniques), "resource", "resources"), "...")
 }
 // TODO document the code below
 ruleToCloneSourceResource := map[string]string{}
@@ -180,10 +180,12 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool, auditWa
 }
 for _, resource := range uniques {
 processor := processor.ValidatingAdmissionPolicyProcessor{
- Policies: validatingAdmissionPolicies,
- Resource: resource,
- PolicyReport: true,
- Rc: &resultCounts,
+ Policies: vaps,
+ Bindings: vapBindings,
+ Resource: resource,
+ NamespaceSelectorMap: vars.NamespaceSelectors(),
+ PolicyReport: true,
+ Rc: &resultCounts,
 }
 ers, err := processor.ApplyPolicyOnResource()
 if err != nil {
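Review bot: `NamespaceSelectorMap: vars.NamespaceSelectors()` in the processor literal of the `@@ -180` hunk uses `vars` with no visible guard, while the `@@ -94` hunk shows `vars.SetInStore(&store)` inside a block that closes right after it, which looks like a nil check whose condition lies outside the hunk. If `vars` can be nil when a test supplies no variables or values, confirm that `NamespaceSelectors()` is nil-safe or guard the call here; otherwise such a test could fail at this line, or bindings that use a namespace selector could be evaluated against an empty label map and reported in a way that hides a real violation. The value does not change per resource, so it can be read once before `for _, resource := range uniques`, for example `nsSelectors := vars.NamespaceSelectors()`. The body of runTest starts and ends outside both hunks.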
diff --git a/test/cli/test-validating-admission-policy/with-bindings-1/deployment2.yaml b/test/cli/test-validating-admission-policy/with-bindings-1/deployment2.yaml
index b0e5b5cc0e..7133e7d911 100644
--- a/test/cli/test-validating-admission-policy/with-bindings-1/deployment2.yaml
+++ b/test/cli/test-validating-admission-policy/with-bindings-1/deployment2.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: nginx-deployment
+ name: nginx-deployment-1
 labels:
 app: nginx
 spec:
diff --git a/test/cli/test-validating-admission-policy/with-bindings-1/deployment3.yaml b/test/cli/test-validating-admission-policy/with-bindings-1/deployment3.yaml
new file mode 100644
index 0000000000..1fa09835f0
--- /dev/null
+++ b/test/cli/test-validating-admission-policy/with-bindings-1/deployment3.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment-2
+ labels:
+ app: nginx
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
diff --git a/test/cli/test-validating-admission-policy/with-bindings-1/kyverno-test.yaml b/test/cli/test-validating-admission-policy/with-bindings-1/kyverno-test.yaml
new file mode 100644
index 0000000000..756d46e6cf
--- /dev/null
+++ b/test/cli/test-validating-admission-policy/with-bindings-1/kyverno-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-test.yaml
+policies:
+- policy.yaml
+resources:
+- deployment1.yaml
+- deployment2.yaml
+- deployment3.yaml
+results:
+- isValidatingAdmissionPolicy: true
+ kind: Deployment
+ policy: check-deployment-replicas
+ resources:
+ - nginx-deployment-1
+ result: fail
+- isValidatingAdmissionPolicy: true
+ kind: Deployment
+ policy: check-deployment-replicas
+ resources:
+ - nginx-deployment-2
+ result: pass
+- isValidatingAdmissionPolicy: true
+ kind: Deployment
+ policy: check-deployment-replicas
+ resources:
+ - busybox-deployment
+ result: skip
diff --git a/test/cli/test-validating-admission-policy/with-bindings-2/kyverno-test.yaml b/test/cli/test-validating-admission-policy/with-bindings-2/kyverno-test.yaml
new file mode 100644
index 0000000000..d4ae996c84
--- /dev/null
+++ b/test/cli/test-validating-admission-policy/with-bindings-2/kyverno-test.yaml
@@ -0,0 +1,22 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-test.yaml
+policies:
+- policy.yaml
+resources:
+- deployment1.yaml
+- deployment2.yaml
+results:
+- isValidatingAdmissionPolicy: true
+ kind: Deployment
+ policy: check-deployment-replicas
+ resources:
+ - nginx-deployment
+ result: fail
+- isValidatingAdmissionPolicy: true
+ kind: Deployment
+ policy: check-deployment-replicas
+ resources:
+ - busybox-deployment
+ result: skip
diff --git a/test/cli/test-validating-admission-policy/with-bindings-3/deployment1.yaml b/test/cli/test-validating-admission-policy/with-bindings-3/deployment1.yaml
index cc00c398d2..5c28610a3c 100644
--- a/test/cli/test-validating-admission-policy/with-bindings-3/deployment1.yaml
+++ b/test/cli/test-validating-admission-policy/with-bindings-3/deployment1.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: busybox-deployment
+ name: testing-deployment-1
 namespace: testing
 labels:
 app: busybox
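Review bot: The new `with-bindings-2/kyverno-test.yaml` asserts only `fail` and `skip` results, whereas the `with-bindings-1` test added next to it also asserts a `pass` for `nginx-deployment-2`. With no compliant resource in this case, a regression that made every bound resource report `fail` would still satisfy the test. A compliant Deployment fixture with a matching `result: pass` entry would close that gap. The policy and deployment files of this directory are not part of the diff, so the exact fixture depends on what its `policy.yaml` binds.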
@@ -18,3 +18,24 @@ spec:
 containers:
 - name: busybox
 image: busybox:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: testing-deployment-2
+ namespace: testing
+ labels:
+ app: busybox
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:latest
diff --git a/test/cli/test-validating-admission-policy/with-bindings-3/deployment2.yaml b/test/cli/test-validating-admission-policy/with-bindings-3/deployment2.yaml
index 75b5614e0d..fb2135214f 100644
--- a/test/cli/test-validating-admission-policy/with-bindings-3/deployment2.yaml
+++ b/test/cli/test-validating-admission-policy/with-bindings-3/deployment2.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: nginx-deployment
+ name: staging-deployment-1
 namespace: staging
 labels:
 app: nginx
@@ -18,3 +18,24 @@ spec:
 containers:
 - name: nginx
 image: nginx:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: staging-deployment-2
+ namespace: staging
+ labels:
+ app: nginx
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
diff --git a/test/cli/test-validating-admission-policy/with-bindings-3/deployment3.yaml b/test/cli/test-validating-admission-policy/with-bindings-3/deployment3.yaml
index 0d377fd2ae..817d07c3d7 100644
--- a/test/cli/test-validating-admission-policy/with-bindings-3/deployment3.yaml
+++ b/test/cli/test-validating-admission-policy/with-bindings-3/deployment3.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: nginx-deployment
+ name: production-deployment-1
 namespace: production
 labels:
 app: nginx
@@ -18,3 +18,24 @@ spec:
 containers:
 - name: nginx
 image: nginx:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: production-deployment-2
+ namespace: production
+ labels:
+ app: nginx
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
diff --git a/test/cli/test-validating-admission-policy/with-bindings-3/kyverno-test.yaml b/test/cli/test-validating-admission-policy/with-bindings-3/kyverno-test.yaml
new file mode 100644
index 0000000000..0bfb28b5b5
--- /dev/null
+++ b/test/cli/test-validating-admission-policy/with-bindings-3/kyverno-test.yaml
@@ -0,0 +1,33 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-test.yaml
+policies:
+- policy.yaml
+resources:
+- deployment1.yaml
+- deployment2.yaml
+- deployment3.yaml
+results:
+- isValidatingAdmissionPolicy: true
+ kind: Deployment
+ policy: check-deployment-replicas
+ resources:
+ - staging-deployment-1
+ - production-deployment-1
+ result: fail
+- isValidatingAdmissionPolicy: true
+ kind: Deployment
+ policy: check-deployment-replicas
+ resources:
+ - staging-deployment-2
+ - production-deployment-2
+ result: pass
+- isValidatingAdmissionPolicy: true
+ kind: Deployment
+ policy: check-deployment-replicas
+ resources:
+ - testing-deployment-1
+ - testing-deployment-2
+ result: skip
+variables: values.yaml
diff --git a/test/cli/test-validating-admission-policy/with-bindings-3/values.yaml b/test/cli/test-validating-admission-policy/with-bindings-3/values.yaml
index 6df5c27fc3..c99c4317e2 100644
--- a/test/cli/test-validating-admission-policy/with-bindings-3/values.yaml
+++ b/test/cli/test-validating-admission-policy/with-bindings-3/values.yaml
@@ -3,12 +3,12 @@ kind: Value
 metadata:
 name: values
 namespaceSelector:
- - name: staging
- labels:
- environment: staging
- - name: production
- labels:
- environment: production
- - name: testing
- labels:
- environment: testing
+- labels:
+ environment: staging
+ name: staging
+- labels:
+ environment: production
+ name: production
+- labels:
+ environment: testing
+ name: testing
diff --git a/test/cli/test-validating-admission-policy/with-bindings-4/deployment1.yaml b/test/cli/test-validating-admission-policy/with-bindings-4/deployment1.yaml
index 6e1aaac578..6bf5fad9f6 100644
--- a/test/cli/test-validating-admission-policy/with-bindings-4/deployment1.yaml
+++ b/test/cli/test-validating-admission-policy/with-bindings-4/deployment1.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: busybox-deployment
+ name: busybox-deployment-1
 labels:
 app: busybox
 spec:
@@ -17,3 +17,23 @@ spec:
 containers:
 - name: busybox
 image: busybox:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: busybox-deployment-2
+ labels:
+ app: busybox
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:latest
diff --git a/test/cli/test-validating-admission-policy/with-bindings-4/kyverno-test.yaml b/test/cli/test-validating-admission-policy/with-bindings-4/kyverno-test.yaml
new file mode 100644
index 0000000000..24b8caded0
--- /dev/null
+++ b/test/cli/test-validating-admission-policy/with-bindings-4/kyverno-test.yaml
@@ -0,0 +1,28 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-test.yaml
+policies:
+- policy.yaml
+resources:
+- deployment1.yaml
+- deployment2.yaml
+results:
+- isValidatingAdmissionPolicy: true
+ kind: Deployment
+ policy: check-deployment-replicas
+ resources:
+ - busybox-deployment-1
+ result: fail
+- isValidatingAdmissionPolicy: true
+ kind: Deployment
+ policy: check-deployment-replicas
+ resources:
+ - busybox-deployment-2
+ result: pass
+- isValidatingAdmissionPolicy: true
+ kind: Deployment
+ policy: check-deployment-replicas
+ resources:
+ - nginx-deployment
+ result: skip