
chore: run autogen tests with chainsaw (#8937)

* chore: run autogen tests with chainsaw

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix chainsaw tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: remove the creationTimestamp from the TestStep

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: run autogen tests with chainsaw

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix chainsaw tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: remove the creationTimestamp from the TestStep

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* bump chainsaw

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* bump chainsaw

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Mariam Fahmy 2023-11-23 00:46:44 +02:00 committed by GitHub
parent 0150553dcc
commit 11b51aa487
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
38 changed files with 1012 additions and 6 deletions


@ -177,7 +177,7 @@ jobs:
- name: v1.28
version: v1.28.0
tests:
# - autogen
- autogen
- background-only
# - cleanup
# - deferred
@ -234,9 +234,9 @@ jobs:
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
- name: Install Chainsaw
uses: kyverno/chainsaw/.github/actions/install@f8cd497926b60e53f722732d33ec71e875bf213c # main
uses: kyverno/chainsaw/.github/actions/install@a809ff8c5bd3ba597e3189c8cfb83304a5cc314e # v0.0.6-alpha.4
with:
release: v0.0.6-alpha.3
release: v0.0.6-alpha.4
- name: Test with Chainsaw
shell: bash
env:
@ -306,7 +306,7 @@ jobs:
- name: Install Chainsaw
uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main
with:
release: v0.0.6-alpha.1
release: v0.0.6-alpha.4
- name: Test with Chainsaw
shell: bash
env:
@ -376,7 +376,7 @@ jobs:
- name: Install Chainsaw
uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main
with:
release: v0.0.6-alpha.1
release: v0.0.6-alpha.4
- name: Test with Chainsaw
shell: bash
env:
@ -452,7 +452,7 @@ jobs:
- name: Install Chainsaw
uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main
with:
release: v0.0.6-alpha.1
release: v0.0.6-alpha.4
- name: Test with Chainsaw
shell: bash
env:
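Review bot: The Chainsaw install action is pinned to two different commits in this workflow: the pair of `uses:` lines in the -234 hunk look like old and new versions of the same step, with the new one at `@a809ff8c5bd3ba597e3189c8cfb83304a5cc314e # v0.0.6-alpha.4`, while the install steps in the -306, -376 and -452 hunks keep the context line `uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main` and only bump `release:` to v0.0.6-alpha.4. If those context lines are accurate, the code that performs the install and the release it installs come from different revisions in three of the four jobs, and a `# main` comment on a SHA pin hides that drift from version-tracking tooling that reads the comment. Suggest pinning every job to the same tagged commit, `uses: kyverno/chainsaw/.github/actions/install@a809ff8c5bd3ba597e3189c8cfb83304a5cc314e # v0.0.6-alpha.4`, so the pinned action ref and the installed release agree and the comment reflects the actual tag.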


@ -0,0 +1,10 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
name: policy
spec:
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml


@ -0,0 +1,11 @@
## Description
The policy should contain autogen rules with deny conditions correctly adjusted.
## Expected Behavior
The policy contains autogen rules with deny conditions correctly adjusted.
## Related Issue(s)
- https://github.com/kyverno/kyverno/issues/7566


@ -0,0 +1,49 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: allowed-annotations
spec: {}
status:
autogen:
rules:
- match:
any:
- resources:
kinds:
- DaemonSet
- Deployment
- Job
- StatefulSet
- ReplicaSet
- ReplicationController
name: autogen-allowed-fluxcd-annotations
validate:
deny:
conditions:
all:
- key: '{{ request.object.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}'
operator: AnyNotIn
value:
- fluxcd.io/cow
- fluxcd.io/dog
message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
- match:
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-allowed-fluxcd-annotations
validate:
deny:
conditions:
all:
- key: '{{ request.object.spec.jobTemplate.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}'
operator: AnyNotIn
value:
- fluxcd.io/cow
- fluxcd.io/dog
message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
conditions:
- reason: Succeeded
status: "True"
type: Ready
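Review bot: The `spec: {}` entry in this assertion file checks nothing about the policy spec; an empty mapping in a Chainsaw assertion appears to match any mapping, so only `status` is effectively verified here. The other `policy-assert.yaml` fixtures added in this commit assert the full `spec` next to `status`, so for consistency either drop the `spec: {}` line or assert the rule the way the sibling fixtures do (`spec:` followed by the `background` and `rules` block from the corresponding `policy.yaml`). The `metadata.name` already scopes the assertion to the right ClusterPolicy, so removing the line loses nothing.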


@ -0,0 +1,24 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: allowed-annotations
spec:
background: true
rules:
- match:
any:
- resources:
kinds:
- Pod
name: allowed-fluxcd-annotations
validate:
deny:
conditions:
all:
- key: '{{ request.object.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}'
operator: AnyNotIn
value:
- fluxcd.io/cow
- fluxcd.io/dog
message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
validationFailureAction: Enforce


@ -0,0 +1,10 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
name: policy
spec:
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml


@ -0,0 +1,11 @@
## Description
The policy should contain autogen rules for cronjobs and deployments because it has the `pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob` annotation.
## Expected Behavior
The policy gets created and contains a autogen rules for cronjobs and deployments in the status.
## Related Issue(s)
- https://github.com/kyverno/kyverno/issues/7444


@ -0,0 +1,98 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
autogen:
rules:
- match:
any:
- resources:
kinds:
- Deployment
name: autogen-require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
template:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
jobTemplate:
spec:
template:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Deployment
name: autogen-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
template:
spec:
containers:
- image: '!*:latest'
- match:
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
jobTemplate:
spec:
template:
spec:
containers:
- image: '!*:latest'


@ -0,0 +1,33 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'


@ -0,0 +1,10 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
name: policy
spec:
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml


@ -0,0 +1,7 @@
## Description
The policy should contain autogen rules for deployments, statefulsets and jobs because it has the `pod-policies.kyverno.io/autogen-controllers: Deployment,StatefulSet,Job` annotation.
## Expected Behavior
The policy gets created and contains autogen rules for deployments, statefulsets and jobs in the status.


@ -0,0 +1,70 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
autogen:
rules:
- match:
any:
- resources:
kinds:
- Deployment
- StatefulSet
- Job
name: autogen-require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
template:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Deployment
- StatefulSet
- Job
name: autogen-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
template:
spec:
containers:
- image: '!*:latest'


@ -0,0 +1,33 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
pod-policies.kyverno.io/autogen-controllers: Deployment,StatefulSet,Job
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'


@ -0,0 +1,12 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
name: policy
spec:
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- error:
file: policy-error.yaml


@ -0,0 +1,11 @@
## Description
This test creates a cluster policy with a mutation rule containing a foreach and json patch.
## Expected Behavior
No autogen rules should be present in the status as json patches are supposed to disable autogen.
## Reference Issue(s)
- https://github.com/kyverno/kyverno/issues/4731


@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-pod-require-non-root-user
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
autogen: {}


@ -0,0 +1,13 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-pod-require-non-root-user
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
autogen:
rules:
- name: autogen-require-non-root-user
- name: autogen-cronjob-require-non-root-user
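Review bot: The error pattern lists both autogen rule names in a single `rules` array, so the error step only fires when a resource matching both `autogen-require-non-root-user` and `autogen-cronjob-require-non-root-user` exists; a regression that generates just one of them would not match this pattern and the step would pass. Splitting the check into one pattern per rule name (two YAML documents in this file separated by `---`, or two `error:` entries in the TestStep) makes the absence of each autogen rule an independent assertion. This assumes the `error:` step succeeds when no resource matches the pattern, which the paired `policy-assert.yaml` with `autogen: {}` suggests is the intent.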


@ -0,0 +1,28 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-pod-require-non-root-user
spec:
schemaValidation: false
rules:
- name: require-non-root-user
match:
all:
- resources:
kinds:
- Pod
mutate:
foreach:
- list: request.object.spec.containers
preconditions:
all:
# skip images that are exempt (allowed to run as a root user);
# escape quotes where the replaced value may contain hyphens
- key: "{{images.containers.\"{{element.name}}\".path}}"
operator: AnyNotIn
value:
- myorg/exempt-image-name
patchesJson6902: |-
- path: /spec/containers/{{elementIndex}}/securityContext/runAsNonRoot
op: add
value: true


@ -0,0 +1,10 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
name: policy
spec:
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml


@ -0,0 +1,7 @@
## Description
The policy should contain no autogen rules because it has the `pod-policies.kyverno.io/autogen-controllers: none` annotation.
## Expected Behavior
The policy gets created and have no autogen rules recorded in the status.


@ -0,0 +1,37 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
autogen: {}
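Review bot: `status.autogen: {}` is the only check that no autogen rules were produced for the `none` annotation, and an empty mapping in a Chainsaw assertion appears to match a mapping that does contain `rules`, so this test would likely still pass if autogen rules were wrongly generated. The mutate-foreach test in the same commit pairs its `autogen: {}` assert with a `policy-error.yaml` naming the rules that must be absent; this test and the Pod/Deployment mixed-kind test at the end of the commit have no such error step. Adding `- error:` / `file: policy-error.yaml` to the TestStep, with a pattern naming `autogen-require-image-tag` and `autogen-cronjob-require-image-tag`, would make the negative case effective in both tests.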


@ -0,0 +1,33 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'


@ -0,0 +1,10 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
name: policy
spec:
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml


@ -0,0 +1,7 @@
## Description
The policy should contain a single autogen rule for cronjobs because it has the `pod-policies.kyverno.io/autogen-controllers: CronJob` annotation.
## Expected Behavior
The policy gets created and contains a single autogen rule for cronjobs in the status.


@ -0,0 +1,70 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
autogen:
rules:
- match:
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
jobTemplate:
spec:
template:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
jobTemplate:
spec:
template:
spec:
containers:
- image: '!*:latest'


@ -0,0 +1,33 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
pod-policies.kyverno.io/autogen-controllers: CronJob
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'


@ -0,0 +1,10 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
name: policy
spec:
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml


@ -0,0 +1,7 @@
## Description
The policy should contain a single autogen rule for deployments because it has the `pod-policies.kyverno.io/autogen-controllers: Deployment` annotation.
## Expected Behavior
The policy gets created and contains a single autogen rule for deployments in the status.


@ -0,0 +1,66 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
autogen:
rules:
- match:
any:
- resources:
kinds:
- Deployment
name: autogen-require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
template:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Deployment
name: autogen-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
template:
spec:
containers:
- image: '!*:latest'


@ -0,0 +1,33 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
pod-policies.kyverno.io/autogen-controllers: Deployment
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'


@ -0,0 +1,10 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
name: policy
spec:
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml


@ -0,0 +1,7 @@
## Description
The policy should contain all autogen rules.
## Expected Behavior
The policy gets created and contains all autogen rules in the status.


@ -0,0 +1,108 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
autogen:
rules:
- match:
any:
- resources:
kinds:
- DaemonSet
- Deployment
- Job
- StatefulSet
- ReplicaSet
- ReplicationController
name: autogen-require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
template:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
jobTemplate:
spec:
template:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- DaemonSet
- Deployment
- Job
- StatefulSet
- ReplicaSet
- ReplicationController
name: autogen-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
template:
spec:
containers:
- image: '!*:latest'
- match:
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
jobTemplate:
spec:
template:
spec:
containers:
- image: '!*:latest'


@ -0,0 +1,31 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'


@ -0,0 +1,10 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
name: policy
spec:
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml


@ -0,0 +1,7 @@
## Description
The policy should not contain autogen rules as autogen should not apply to the policy (it's not a `Pod` only policy).
## Expected Behavior
The policy gets created and contains no autogen rules in the status.


@ -0,0 +1,38 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
- Deployment
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
autogen: {}


@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
- Deployment
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'