examples cleanup: move policies

examples/best_practices/policy_validate_selinux_context.yaml

@@ -17,6 +17,7 @@ spec:
           containers:
           - securityContext:
               seLinuxOptions:
-                level: "s0:c25,c968"
+                level: "*"
+#                level: "s0:c25,c968"
 # If SELinux security module is loaded on the host operating system,
 # we can make sure pods only have access to specified configured level

examples/test/p1.yaml

@@ -1,28 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: Policy
-metadata:
-  name: check-resources
-spec:
-  validationFailureAction: "audit"
-  rules:
-  - name: check-pod-resources
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "CPU and memory resource requests and limits are required"
-      pattern:
-        spec:
-          containers:
-          # 'name: *' selects all containers in the pod
-          - name: "*"
-            resources:
-              requests:
-                # '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters.
-                # Using them together e.g. '?*' requires at least one character.               
-                memory: "?*"
-                cpu: "?*"
-              limits:
-                memory: "?*"
-                cpu: "?*"

test/scenarios/query/policy_validate_loadblancer.yaml

@@ -0,0 +1,16 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: query1
+spec:
+  rules:
+    - name: Max one service of type LoadBalancer in namespace test
+      match:
+        resources:
+          kinds:
+          - Service
+          namespaces: 
+          - test
+      query:
+        query: "length([?spec.type=='LoadBalancer'])"
+        expectedResult: "<=1"

test/scenarios/query/policy_validate_no_loadblancer.yaml

@@ -0,0 +1,16 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: query1
+spec:
+  rules:
+    - name: No service of type LoadBalancer in namespace test
+      match:
+        resources:
+          kinds:
+          - Service
+          namespaces: 
+          - test
+      query:
+        query: "length([?spec.type=='LoadBalancer'])"
+        expectedResult: 0

test/scenarios/query/resource_lb1.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: lb1
+  namespace: test
+spec:
+  selector:
+    app: app
+  ports:
+    - port: 8765 # random
+      targetPort: 9376 # random
+  type: LoadBalancer

test/scenarios/query/resource_lb2.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: lb2
+  namespace: test
+spec:
+  selector:
+    app: app
+  ports:
+    - port: 8765 # random
+      targetPort: 9376 # random
+  type: LoadBalancer

test/scenarios/query/resource_ns_test.yaml

@@ -0,0 +1,4 @@
+kind: Namespace
+apiVersion: v1
+metadata: 
+    name: "test"

test/scenarios/test/scenario_mutate_endPpoint.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/policy_mutate_endpoint.yaml
+  policy: test/scenarios/policy_mutate_endpoint.yaml
-  resource: examples/resources/resource_mutate_endpoint.yaml
+  resource: test/scenarios/resources/resource_mutate_endpoint.yaml
 expected:
   mutation:
     patchedresource: test/output/output_mutate_endpoint.yaml

test/scenarios/test/scenario_mutate_imagePullPolicy.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/policy_mutate_imagePullPolicy.yaml
+  policy: test/scenarios/policy_mutate_imagePullPolicy.yaml
-  resource: examples/resources/resource_mutate_imagePullPolicy.yaml
+  resource: test/scenarios/resources/resource_mutate_imagePullPolicy.yaml
 expected:
   mutation:
     patchedresource: test/output/output_mutate_imagePullPolicy.yaml

test/scenarios/test/scenario_mutate_validate_qos.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/policy_mutate_validate_qos.yaml
+  policy: test/scenarios/policy_mutate_validate_qos.yaml
-  resource: examples/resources/resource_mutate_validate_qos.yaml
+  resource: test/scenarios/resources/resource_mutate_validate_qos.yaml
 expected:
   mutation:
     patchedresource: test/output/output_mutate_validate_qos.yaml

test/scenarios/test/scenario_query_lb_count.yaml

@@ -0,0 +1,20 @@
+# file path relative to project root
+input:
+  policy: test/scenarios/policy_validate_loadblancer.yaml
+  resource: test/scenarios/resource_lb1.yaml
+  loadresources: 
+  - examples/query/resource_ns_test.yaml
+expected:
+  query:
+    policyresponse:
+      policy: query1
+      resource:
+        kind: Service
+        apiVersion: v1
+        namespace: test
+        name: lb1
+      rules:
+        - name: Max one service of type LoadBalancer in namespace test
+          type: Query
+          success: true
+          message: "Query rule Max one service of type LoadBalancer in namespace test success. (recieved) 1 == (expected) <=1"

test/scenarios/test/scenario_query_no_lb.yaml

@@ -0,0 +1,20 @@
+# file path relative to project root
+input:
+  policy: test/scenarios/policy_validate_no_loadblancer.yaml
+  resource: test/scenarios/resource_lb1.yaml
+  loadresources: 
+  - test/scenarios/resource_ns_test.yaml
+expected:
+  query:
+    policyresponse:
+      policy: query1
+      resource:
+        kind: Service
+        apiVersion: v1
+        namespace: test
+        name: lb1
+      rules:
+        - name: No service of type LoadBalancer in namespace test
+          type: Query
+          success: false
+          message: "Query rule No service of type LoadBalancer in namespace test failed, (recieved) 1!=(expected) 0"

test/scenarios/test/scenario_validate_containerSecurityContext.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/policy_validate_containerSecurityContext.yaml
+  policy: test/scenarios/policy_validate_containerSecurityContext.yaml
-  resource: examples/resources/resource_validate_containerSecurityContext.yaml
+  resource: test/scenarios/resources/resource_validate_containerSecurityContext.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_healthChecks.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/policy_validate_healthChecks.yaml
+  policy: test/scenarios/policy_validate_healthChecks.yaml
-  resource: examples/resources/resource_validate_healthChecks.yaml
+  resource: test/scenarios/resources/resource_validate_healthChecks.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_imageRegistries.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/policy_validate_imageRegistries.yaml
+  policy: test/scenarios/policy_validate_imageRegistries.yaml
-  resource: examples/resources/resource_validate_imageRegistries.yaml
+  resource: test/scenarios/resources/resource_validate_imageRegistries.yaml
 expected:
   validation:
     policyresponse: