feat: support bindings in Kyvenro CLI test command (#9759)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

cmd/cli/kubectl-kyverno/commands/apply/command_test.go

@@ -326,7 +326,7 @@ func Test_Apply(t *testing.T) {
 			},
 			expectedPolicyReports: []policyreportv1alpha2.PolicyReport{{
 				Summary: policyreportv1alpha2.PolicyReportSummary{
-					Pass:  0,
+					Pass:  2,
 					Fail:  2,
 					Skip:  0,
 					Error: 0,
@@ -345,7 +345,7 @@ func Test_Apply(t *testing.T) {
 			},
 			expectedPolicyReports: []policyreportv1alpha2.PolicyReport{{
 				Summary: policyreportv1alpha2.PolicyReportSummary{
-					Pass:  0,
+					Pass:  1,
 					Fail:  1,
 					Skip:  0,
 					Error: 0,

cmd/cli/kubectl-kyverno/commands/test/test.go

@@ -58,14 +58,14 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool, auditWa
 	// policies
 	fmt.Fprintln(out, "  Loading policies", "...")
 	policyFullPath := path.GetFullPaths(testCase.Test.Policies, testDir, isGit)
-	policies, validatingAdmissionPolicies, _, err := policy.Load(testCase.Fs, testDir, policyFullPath...)
+	policies, vaps, vapBindings, err := policy.Load(testCase.Fs, testDir, policyFullPath...)
 	if err != nil {
 		return nil, fmt.Errorf("Error: failed to load policies (%s)", err)
 	}
 	// resources
 	fmt.Fprintln(out, "  Loading resources", "...")
 	resourceFullPath := path.GetFullPaths(testCase.Test.Resources, testDir, isGit)
-	resources, err := common.GetResourceAccordingToResourcePath(out, testCase.Fs, resourceFullPath, false, policies, validatingAdmissionPolicies, dClient, "", false, testDir)
+	resources, err := common.GetResourceAccordingToResourcePath(out, testCase.Fs, resourceFullPath, false, policies, vaps, dClient, "", false, testDir)
 	if err != nil {
 		return nil, fmt.Errorf("Error: failed to load resources (%s)", err)
 	}
@@ -83,7 +83,7 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool, auditWa
 		return nil, fmt.Errorf("Error: failed to load exceptions (%s)", err)
 	}
 	// Validates that exceptions cannot be used with ValidatingAdmissionPolicies.
-	if len(validatingAdmissionPolicies) > 0 && len(exceptions) > 0 {
+	if len(vaps) > 0 && len(exceptions) > 0 {
 		return nil, fmt.Errorf("Error: Currently, the use of exceptions in conjunction with ValidatingAdmissionPolicies is not supported.")
 	}
 	// init store
@@ -94,9 +94,9 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool, auditWa
 		vars.SetInStore(&store)
 	}
 	if len(exceptions) > 0 {
-		fmt.Fprintln(out, "  Applying", len(policies)+len(validatingAdmissionPolicies), pluralize.Pluralize(len(policies)+len(validatingAdmissionPolicies), "policy", "policies"), "to", len(uniques), pluralize.Pluralize(len(uniques), "resource", "resources"), "with", len(exceptions), pluralize.Pluralize(len(exceptions), "exception", "exceptions"), "...")
+		fmt.Fprintln(out, "  Applying", len(policies)+len(vaps), pluralize.Pluralize(len(policies)+len(vaps), "policy", "policies"), "to", len(uniques), pluralize.Pluralize(len(uniques), "resource", "resources"), "with", len(exceptions), pluralize.Pluralize(len(exceptions), "exception", "exceptions"), "...")
 	} else {
-		fmt.Fprintln(out, "  Applying", len(policies)+len(validatingAdmissionPolicies), pluralize.Pluralize(len(policies)+len(validatingAdmissionPolicies), "policy", "policies"), "to", len(uniques), pluralize.Pluralize(len(uniques), "resource", "resources"), "...")
+		fmt.Fprintln(out, "  Applying", len(policies)+len(vaps), pluralize.Pluralize(len(policies)+len(vaps), "policy", "policies"), "to", len(uniques), pluralize.Pluralize(len(uniques), "resource", "resources"), "...")
 	}
 	// TODO document the code below
 	ruleToCloneSourceResource := map[string]string{}
@@ -180,8 +180,10 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool, auditWa
 	}
 	for _, resource := range uniques {
 		processor := processor.ValidatingAdmissionPolicyProcessor{
-			Policies:     validatingAdmissionPolicies,
+			Policies:             vaps,
+			Bindings:             vapBindings,
 			Resource:             resource,
+			NamespaceSelectorMap: vars.NamespaceSelectors(),
 			PolicyReport:         true,
 			Rc:                   &resultCounts,
 		}

test/cli/test-validating-admission-policy/with-bindings-1/deployment2.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: nginx-deployment
+  name: nginx-deployment-1
   labels:
     app: nginx
 spec:

test/cli/test-validating-admission-policy/with-bindings-1/deployment3.yaml

@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment-2
+  labels:
+    app: nginx
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest

test/cli/test-validating-admission-policy/with-bindings-1/kyverno-test.yaml

@@ -0,0 +1,29 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: kyverno-test.yaml
+policies:
+- policy.yaml
+resources:
+- deployment1.yaml
+- deployment2.yaml
+- deployment3.yaml
+results:
+- isValidatingAdmissionPolicy: true
+  kind: Deployment
+  policy: check-deployment-replicas
+  resources:
+  - nginx-deployment-1
+  result: fail
+- isValidatingAdmissionPolicy: true
+  kind: Deployment
+  policy: check-deployment-replicas
+  resources:
+  - nginx-deployment-2
+  result: pass
+- isValidatingAdmissionPolicy: true
+  kind: Deployment
+  policy: check-deployment-replicas
+  resources:
+  - busybox-deployment
+  result: skip

test/cli/test-validating-admission-policy/with-bindings-2/kyverno-test.yaml

@@ -0,0 +1,22 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: kyverno-test.yaml
+policies:
+- policy.yaml
+resources:
+- deployment1.yaml
+- deployment2.yaml
+results:
+- isValidatingAdmissionPolicy: true
+  kind: Deployment
+  policy: check-deployment-replicas
+  resources:
+  - nginx-deployment
+  result: fail
+- isValidatingAdmissionPolicy: true
+  kind: Deployment
+  policy: check-deployment-replicas
+  resources:
+  - busybox-deployment
+  result: skip

test/cli/test-validating-admission-policy/with-bindings-3/deployment1.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: busybox-deployment
+  name: testing-deployment-1
   namespace: testing
   labels:
     app: busybox
@@ -18,3 +18,24 @@ spec:
       containers:
       - name: busybox
         image: busybox:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: testing-deployment-2
+  namespace: testing
+  labels:
+    app: busybox
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - name: busybox
+        image: busybox:latest

test/cli/test-validating-admission-policy/with-bindings-3/deployment2.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: nginx-deployment
+  name: staging-deployment-1
   namespace: staging
   labels:
     app: nginx
@@ -18,3 +18,24 @@ spec:
       containers:
       - name: nginx
         image: nginx:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: staging-deployment-2
+  namespace: staging
+  labels:
+    app: nginx
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest

test/cli/test-validating-admission-policy/with-bindings-3/deployment3.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: nginx-deployment
+  name: production-deployment-1
   namespace: production
   labels:
     app: nginx
@@ -18,3 +18,24 @@ spec:
       containers:
       - name: nginx
         image: nginx:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: production-deployment-2
+  namespace: production
+  labels:
+    app: nginx
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest

test/cli/test-validating-admission-policy/with-bindings-3/kyverno-test.yaml

@@ -0,0 +1,33 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: kyverno-test.yaml
+policies:
+- policy.yaml
+resources:
+- deployment1.yaml
+- deployment2.yaml
+- deployment3.yaml
+results:
+- isValidatingAdmissionPolicy: true
+  kind: Deployment
+  policy: check-deployment-replicas
+  resources:
+  - staging-deployment-1
+  - production-deployment-1
+  result: fail
+- isValidatingAdmissionPolicy: true
+  kind: Deployment
+  policy: check-deployment-replicas
+  resources:
+  - staging-deployment-2
+  - production-deployment-2
+  result: pass
+- isValidatingAdmissionPolicy: true
+  kind: Deployment
+  policy: check-deployment-replicas
+  resources:
+  - testing-deployment-1
+  - testing-deployment-2
+  result: skip
+variables: values.yaml

test/cli/test-validating-admission-policy/with-bindings-3/values.yaml

@@ -3,12 +3,12 @@ kind: Value
 metadata:
   name: values
 namespaceSelector:
-  - name: staging
+- labels:
-    labels:
     environment: staging
-  - name: production
+  name: staging
-    labels:
+- labels:
     environment: production
-  - name: testing
+  name: production
-    labels:
+- labels:
     environment: testing
+  name: testing

test/cli/test-validating-admission-policy/with-bindings-4/deployment1.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: busybox-deployment
+  name: busybox-deployment-1
   labels:
     app: busybox
 spec:
@@ -17,3 +17,23 @@ spec:
       containers:
       - name: busybox
         image: busybox:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: busybox-deployment-2
+  labels:
+    app: busybox
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - name: busybox
+        image: busybox:latest

test/cli/test-validating-admission-policy/with-bindings-4/kyverno-test.yaml

@@ -0,0 +1,28 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: kyverno-test.yaml
+policies:
+- policy.yaml
+resources:
+- deployment1.yaml
+- deployment2.yaml
+results:
+- isValidatingAdmissionPolicy: true
+  kind: Deployment
+  policy: check-deployment-replicas
+  resources:
+  - busybox-deployment-1
+  result: fail
+- isValidatingAdmissionPolicy: true
+  kind: Deployment
+  policy: check-deployment-replicas
+  resources:
+  - busybox-deployment-2
+  result: pass
+- isValidatingAdmissionPolicy: true
+  kind: Deployment
+  policy: check-deployment-replicas
+  resources:
+  - nginx-deployment
+  result: skip