From 11b51aa48728a210f90ce204ebf5f75d61582843 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Thu, 23 Nov 2023 00:46:44 +0200 Subject: [PATCH] chore: run autogen tests with chainsaw (#8937) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: run autogen tests with chainsaw Signed-off-by: Mariam Fahmy * fix chainsaw tests Signed-off-by: Mariam Fahmy * fix: remove the creationTimestamp from the TestStep Signed-off-by: Mariam Fahmy * fix Signed-off-by: Charles-Edouard Brétéché * chore: run autogen tests with chainsaw Signed-off-by: Mariam Fahmy * fix chainsaw tests Signed-off-by: Mariam Fahmy * fix: remove the creationTimestamp from the TestStep Signed-off-by: Mariam Fahmy * bump chainsaw Signed-off-by: Charles-Edouard Brétéché * bump chainsaw Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Mariam Fahmy 
Signed-off-by: Charles-Edouard Brétéché Co-authored-by: Charles-Edouard Brétéché --- .github/workflows/conformance.yaml | 12 +- .../autogen/conditions/01-policy.yaml | 10 ++ .../chainsaw/autogen/conditions/README.md | 11 ++ .../autogen/conditions/policy-assert.yaml | 49 ++++++++ .../chainsaw/autogen/conditions/policy.yaml | 24 ++++ .../autogen/deployment-cronjob/01-policy.yaml | 10 ++ .../autogen/deployment-cronjob/README.md | 11 ++ .../deployment-cronjob/policy-assert.yaml | 98 ++++++++++++++++ .../autogen/deployment-cronjob/policy.yaml | 33 ++++++ .../deployment-statefulset-job/01-policy.yaml | 10 ++ .../deployment-statefulset-job/README.md | 7 ++ .../policy-assert.yaml | 70 ++++++++++++ .../deployment-statefulset-job/policy.yaml | 33 ++++++ .../autogen/foreach-jsonpatch/01-policy.yaml | 12 ++ .../autogen/foreach-jsonpatch/README.md | 11 ++ .../foreach-jsonpatch/policy-assert.yaml | 10 ++ .../foreach-jsonpatch/policy-error.yaml | 13 +++ .../autogen/foreach-jsonpatch/policy.yaml | 28 +++++ .../chainsaw/autogen/none/01-policy.yaml | 10 ++ .../chainsaw/autogen/none/README.md | 7 ++ .../chainsaw/autogen/none/policy-assert.yaml | 37 ++++++ .../chainsaw/autogen/none/policy.yaml | 33 ++++++ .../autogen/only-cronjob/01-policy.yaml | 10 ++ .../chainsaw/autogen/only-cronjob/README.md | 7 ++ .../autogen/only-cronjob/policy-assert.yaml | 70 ++++++++++++ .../chainsaw/autogen/only-cronjob/policy.yaml | 33 ++++++ .../autogen/only-deployment/01-policy.yaml | 10 ++ .../autogen/only-deployment/README.md | 7 ++ .../only-deployment/policy-assert.yaml | 66 +++++++++++ .../autogen/only-deployment/policy.yaml | 33 ++++++ .../autogen/should-autogen/01-policy.yaml | 10 ++ .../chainsaw/autogen/should-autogen/README.md | 7 ++ .../autogen/should-autogen/policy-assert.yaml | 108 ++++++++++++++++++ .../autogen/should-autogen/policy.yaml | 31 +++++ .../autogen/should-not-autogen/01-policy.yaml | 10 ++ .../autogen/should-not-autogen/README.md | 7 ++ .../should-not-autogen/policy-assert.yaml | 
38 ++++++ .../autogen/should-not-autogen/policy.yaml | 32 ++++++ 38 files changed, 1012 insertions(+), 6 deletions(-) create mode 100644 test/conformance/chainsaw/autogen/conditions/01-policy.yaml create mode 100644 test/conformance/chainsaw/autogen/conditions/README.md create mode 100644 test/conformance/chainsaw/autogen/conditions/policy-assert.yaml create mode 100644 test/conformance/chainsaw/autogen/conditions/policy.yaml create mode 100644 test/conformance/chainsaw/autogen/deployment-cronjob/01-policy.yaml create mode 100644 test/conformance/chainsaw/autogen/deployment-cronjob/README.md create mode 100644 test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml create mode 100644 test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml create mode 100644 test/conformance/chainsaw/autogen/deployment-statefulset-job/01-policy.yaml create mode 100644 test/conformance/chainsaw/autogen/deployment-statefulset-job/README.md create mode 100644 test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml create mode 100644 test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml create mode 100644 test/conformance/chainsaw/autogen/foreach-jsonpatch/01-policy.yaml create mode 100644 test/conformance/chainsaw/autogen/foreach-jsonpatch/README.md create mode 100644 test/conformance/chainsaw/autogen/foreach-jsonpatch/policy-assert.yaml create mode 100644 test/conformance/chainsaw/autogen/foreach-jsonpatch/policy-error.yaml create mode 100644 test/conformance/chainsaw/autogen/foreach-jsonpatch/policy.yaml create mode 100644 test/conformance/chainsaw/autogen/none/01-policy.yaml create mode 100644 test/conformance/chainsaw/autogen/none/README.md create mode 100644 test/conformance/chainsaw/autogen/none/policy-assert.yaml create mode 100644 test/conformance/chainsaw/autogen/none/policy.yaml create mode 100644 test/conformance/chainsaw/autogen/only-cronjob/01-policy.yaml create mode 100644 
test/conformance/chainsaw/autogen/only-cronjob/README.md create mode 100644 test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml create mode 100644 test/conformance/chainsaw/autogen/only-cronjob/policy.yaml create mode 100644 test/conformance/chainsaw/autogen/only-deployment/01-policy.yaml create mode 100644 test/conformance/chainsaw/autogen/only-deployment/README.md create mode 100644 test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml create mode 100644 test/conformance/chainsaw/autogen/only-deployment/policy.yaml create mode 100644 test/conformance/chainsaw/autogen/should-autogen/01-policy.yaml create mode 100644 test/conformance/chainsaw/autogen/should-autogen/README.md create mode 100644 test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml create mode 100644 test/conformance/chainsaw/autogen/should-autogen/policy.yaml create mode 100644 test/conformance/chainsaw/autogen/should-not-autogen/01-policy.yaml create mode 100644 test/conformance/chainsaw/autogen/should-not-autogen/README.md create mode 100644 test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml create mode 100644 test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index 9fa2601b29..9304de0c39 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -177,7 +177,7 @@ jobs: - name: v1.28 version: v1.28.0 tests: - # - autogen + - autogen - background-only # - cleanup # - deferred @@ -234,9 +234,9 @@ jobs: - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Install Chainsaw - uses: kyverno/chainsaw/.github/actions/install@f8cd497926b60e53f722732d33ec71e875bf213c # main + uses: kyverno/chainsaw/.github/actions/install@a809ff8c5bd3ba597e3189c8cfb83304a5cc314e # v0.0.6-alpha.4 with: - release: v0.0.6-alpha.3 + release: v0.0.6-alpha.4 - name: Test with Chainsaw shell: bash env: 
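Review bot: The Chainsaw install action ends up pinned to two different commits across the four conformance jobs: the hunk at line 234 moves to `uses: kyverno/chainsaw/.github/actions/install@a809ff8c5bd3ba597e3189c8cfb83304a5cc314e # v0.0.6-alpha.4`, while the hunks at 306, 376 and 452 keep `install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main` and only bump `release`. Pinning by full SHA is the right supply-chain practice, but the `# main` comment no longer says which version the SHA corresponds to, and those three jobs will run a different installer than the first one with the same `release: v0.0.6-alpha.4`. Aligning all four steps on one SHA with a matching tag comment keeps the jobs reproducible and makes the next bump a single search-and-replace. The `- autogen` entry is re-enabled only in the v1.28 matrix item at line 177; the other matrix items are outside this hunk and should be checked for a remaining `# - autogen`.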
@@ -306,7 +306,7 @@ jobs: - name: Install Chainsaw uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main with: - release: v0.0.6-alpha.1 + release: v0.0.6-alpha.4 - name: Test with Chainsaw shell: bash env: @@ -376,7 +376,7 @@ jobs: - name: Install Chainsaw uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main with: - release: v0.0.6-alpha.1 + release: v0.0.6-alpha.4 - name: Test with Chainsaw shell: bash env: @@ -452,7 +452,7 @@ jobs: - name: Install Chainsaw uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main with: - release: v0.0.6-alpha.1 + release: v0.0.6-alpha.4 - name: Test with Chainsaw shell: bash env: diff --git a/test/conformance/chainsaw/autogen/conditions/01-policy.yaml b/test/conformance/chainsaw/autogen/conditions/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/autogen/conditions/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/conditions/README.md b/test/conformance/chainsaw/autogen/conditions/README.md new file mode 100644 index 0000000000..e52cebc4c0 --- /dev/null +++ b/test/conformance/chainsaw/autogen/conditions/README.md @@ -0,0 +1,11 @@ +## Description + +The policy should contain autogen rules with deny conditions correctly adjusted. + +## Expected Behavior + +The policy contains autogen rules with deny conditions correctly adjusted. + +## Related Issue(s) + +- https://github.com/kyverno/kyverno/issues/7566 diff --git a/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml b/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml new file mode 100644 index 0000000000..4d70890e58 --- /dev/null 
+++ b/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml
@@ -0,0 +1,49 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: allowed-annotations
+spec: {}
+status:
+ autogen:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - DaemonSet
+ - Deployment
+ - Job
+ - StatefulSet
+ - ReplicaSet
+ - ReplicationController
+ name: autogen-allowed-fluxcd-annotations
+ validate:
+ deny:
+ conditions:
+ all:
+ - key: '{{ request.object.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}'
+ operator: AnyNotIn
+ value:
+ - fluxcd.io/cow
+ - fluxcd.io/dog
+ message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
+ - match:
+ any:
+ - resources:
+ kinds:
+ - CronJob
+ name: autogen-cronjob-allowed-fluxcd-annotations
+ validate:
+ deny:
+ conditions:
+ all:
+ - key: '{{ request.object.spec.jobTemplate.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}'
+ operator: AnyNotIn
+ value:
+ - fluxcd.io/cow
+ - fluxcd.io/dog
+ message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/autogen/conditions/policy.yaml b/test/conformance/chainsaw/autogen/conditions/policy.yaml
new file mode 100644
index 0000000000..e0d1a7d0ef
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/conditions/policy.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: allowed-annotations
+spec:
+ background: true
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: allowed-fluxcd-annotations
+ validate:
+ deny:
+ conditions:
+ all:
+ - key: '{{ request.object.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}'
+ operator: AnyNotIn
+ value:
+ - fluxcd.io/cow
+ - fluxcd.io/dog
+ message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
+ validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob/01-policy.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob/README.md b/test/conformance/chainsaw/autogen/deployment-cronjob/README.md new file mode 100644 index 0000000000..95624aac6e --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob/README.md @@ -0,0 +1,11 @@ +## Description + +The policy should contain autogen rules for cronjobs and deployments because it has the `pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob` annotation. + +## Expected Behavior + +The policy gets created and contains a autogen rules for cronjobs and deployments in the status. + +## Related Issue(s) + +- https://github.com/kyverno/kyverno/issues/7444 diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml new file mode 100644 index 0000000000..181e0a9df1 --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml 
@@ -0,0 +1,98 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: + rules: + - match: + any: + - resources: + kinds: + - Deployment + name: autogen-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Deployment + name: autogen-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + template: + spec: + containers: + - image: '!*:latest' + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml new file mode 100644 index 0000000000..467a033ab3 --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag + annotations: + pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/deployment-statefulset-job/01-policy.yaml b/test/conformance/chainsaw/autogen/deployment-statefulset-job/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-statefulset-job/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/deployment-statefulset-job/README.md b/test/conformance/chainsaw/autogen/deployment-statefulset-job/README.md new file mode 100644 index 0000000000..3a78e08db0 --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-statefulset-job/README.md @@ -0,0 +1,7 @@ +## Description + +The policy should contain autogen rules for deployments, statefulsets and jobs because it has the `pod-policies.kyverno.io/autogen-controllers: Deployment,StatefulSet,Job` annotation. + +## Expected Behavior + +The policy gets created and contains autogen rules for deployments, statefulsets and jobs in the status. diff --git a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml new file mode 100644 index 0000000000..99418010ef 
--- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml @@ -0,0 +1,70 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: + rules: + - match: + any: + - resources: + kinds: + - Deployment + - StatefulSet + - Job + name: autogen-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Deployment + - StatefulSet + - Job + name: autogen-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + template: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml new file mode 100644 index 0000000000..eecb0fd7c8 --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag + annotations: + pod-policies.kyverno.io/autogen-controllers: Deployment,StatefulSet,Job +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/foreach-jsonpatch/01-policy.yaml b/test/conformance/chainsaw/autogen/foreach-jsonpatch/01-policy.yaml new file mode 100644 index 0000000000..ffdfc456b2 --- /dev/null +++ b/test/conformance/chainsaw/autogen/foreach-jsonpatch/01-policy.yaml @@ -0,0 +1,12 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - error: + file: policy-error.yaml diff --git a/test/conformance/chainsaw/autogen/foreach-jsonpatch/README.md b/test/conformance/chainsaw/autogen/foreach-jsonpatch/README.md new file mode 100644 index 0000000000..a5e333a049 --- /dev/null +++ b/test/conformance/chainsaw/autogen/foreach-jsonpatch/README.md @@ -0,0 +1,11 @@ +## Description + +This test creates a cluster policy with a mutation rule containing a foreach and json patch. + +## Expected Behavior + +No autogen rules should be present in the status as json patches are supposed to disable autogen. + +## Reference Issue(s) + +- https://github.com/kyverno/kyverno/issues/4731 diff --git a/test/conformance/chainsaw/autogen/foreach-jsonpatch/policy-assert.yaml b/test/conformance/chainsaw/autogen/foreach-jsonpatch/policy-assert.yaml new file mode 100644 index 0000000000..f0893f506c --- /dev/null 
+++ b/test/conformance/chainsaw/autogen/foreach-jsonpatch/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-pod-require-non-root-user
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+ autogen: {}
diff --git a/test/conformance/chainsaw/autogen/foreach-jsonpatch/policy-error.yaml b/test/conformance/chainsaw/autogen/foreach-jsonpatch/policy-error.yaml
new file mode 100644
index 0000000000..e4d9a5c280
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/foreach-jsonpatch/policy-error.yaml
@@ -0,0 +1,13 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-pod-require-non-root-user
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+ autogen:
+ rules:
+ - name: autogen-require-non-root-user
+ - name: autogen-cronjob-require-non-root-user
diff --git a/test/conformance/chainsaw/autogen/foreach-jsonpatch/policy.yaml b/test/conformance/chainsaw/autogen/foreach-jsonpatch/policy.yaml
new file mode 100644
index 0000000000..274965d344
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/foreach-jsonpatch/policy.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-pod-require-non-root-user
+spec:
+ schemaValidation: false
+ rules:
+ - name: require-non-root-user
+ match:
+ all:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ foreach:
+ - list: request.object.spec.containers
+ preconditions:
+ all:
+ # skip images that are exempt (allowed to run as a root user);
+ # escape quotes where the replaced value may contain hyphens
+ - key: "{{images.containers.\"{{element.name}}\".path}}"
+ operator: AnyNotIn
+ value:
+ - myorg/exempt-image-name
+ patchesJson6902: |-
+ - path: /spec/containers/{{elementIndex}}/securityContext/runAsNonRoot
+ op: add
+ value: true
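Review bot: `schemaValidation: false` in foreach-jsonpatch/policy.yaml is set without any explanation; the README for this test only describes the foreach and JSON patch behaviour. As I understand the Kyverno policy API, that field opts the policy out of schema checks, so a fixture carrying it silently is likely to be copied into other tests with the flag still on. A YAML comment above the line stating why this test needs it, such as `# schema validation is disabled because <reason the test requires it>`, or dropping the line if the test passes without it, would make the intent explicit. The `policy-error.yaml` companion file correctly names the two autogen rule names that must not appear.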
diff --git a/test/conformance/chainsaw/autogen/none/01-policy.yaml b/test/conformance/chainsaw/autogen/none/01-policy.yaml
new file mode 100644
index 0000000000..ccd7288422
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/none/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
\ No newline at end of file
diff --git a/test/conformance/chainsaw/autogen/none/README.md b/test/conformance/chainsaw/autogen/none/README.md
new file mode 100644
index 0000000000..b7c8e1c1ba
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/none/README.md
@@ -0,0 +1,7 @@
+## Description
+
+The policy should contain no autogen rules because it has the `pod-policies.kyverno.io/autogen-controllers: none` annotation.
+
+## Expected Behavior
+
+The policy gets created and have no autogen rules recorded in the status.
diff --git a/test/conformance/chainsaw/autogen/none/policy-assert.yaml b/test/conformance/chainsaw/autogen/none/policy-assert.yaml
new file mode 100644
index 0000000000..20ea7d32a6
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/none/policy-assert.yaml
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag
+spec:
+ validationFailureAction: Audit
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: require-image-tag
+ validate:
+ message: An image tag is required.
+ pattern:
+ spec:
+ containers:
+ - image: '*:*'
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: validate-image-tag
+ validate:
+ message: Using a mutable image tag e.g. 'latest' is not allowed.
+ pattern:
+ spec:
+ containers:
+ - image: '!*:latest'
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+ autogen: {}
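Review bot: `autogen: {}` at the end of none/policy-assert.yaml may not establish that no autogen rules were generated. As far as I can tell Chainsaw `assert` files are matched as a subset of the live resource, so an empty map also matches a populated `status.autogen`; the foreach-jsonpatch test in this same patch evidently relies on that reading, because it pairs the identical `autogen: {}` assertion with a separate `error:` step whose policy-error.yaml names the rules that must be absent. Giving the none test the same `- error:` / `file: policy-error.yaml` step in 01-policy.yaml, listing `autogen-require-image-tag` and `autogen-cronjob-require-image-tag`, would turn this into an effective negative check. The should-not-autogen test appears to follow the same pattern, but its assert file is cut off at the end of this chunk.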
diff --git a/test/conformance/chainsaw/autogen/none/policy.yaml b/test/conformance/chainsaw/autogen/none/policy.yaml new file mode 100644 index 0000000000..9c4a105a85 --- /dev/null +++ b/test/conformance/chainsaw/autogen/none/policy.yaml @@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/only-cronjob/01-policy.yaml b/test/conformance/chainsaw/autogen/only-cronjob/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/autogen/only-cronjob/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/only-cronjob/README.md b/test/conformance/chainsaw/autogen/only-cronjob/README.md new file mode 100644 index 0000000000..31f14a054b --- /dev/null +++ b/test/conformance/chainsaw/autogen/only-cronjob/README.md @@ -0,0 +1,7 @@ +## Description + +The policy should contain a single autogen rule for cronjobs because it has the `pod-policies.kyverno.io/autogen-controllers: CronJob` annotation. + +## Expected Behavior + +The policy gets created and contains a single autogen rule for cronjobs in the status. 
diff --git a/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml b/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml new file mode 100644 index 0000000000..19687d3167 --- /dev/null +++ b/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml @@ -0,0 +1,70 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: + rules: + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml b/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml new file mode 100644 index 0000000000..4fd854b997 --- /dev/null +++ b/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag + annotations: + pod-policies.kyverno.io/autogen-controllers: CronJob +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/only-deployment/01-policy.yaml b/test/conformance/chainsaw/autogen/only-deployment/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/autogen/only-deployment/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/only-deployment/README.md b/test/conformance/chainsaw/autogen/only-deployment/README.md new file mode 100644 index 0000000000..c86e025705 --- /dev/null +++ b/test/conformance/chainsaw/autogen/only-deployment/README.md @@ -0,0 +1,7 @@ +## Description + +The policy should contain a single autogen rule for deployments because it has the `pod-policies.kyverno.io/autogen-controllers: Deployment` annotation. + +## Expected Behavior + +The policy gets created and contains a single autogen rule for deployments in the status. diff --git a/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml b/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml new file mode 100644 index 0000000000..53441000e5 --- /dev/null +++ b/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml 
@@ -0,0 +1,66 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: + rules: + - match: + any: + - resources: + kinds: + - Deployment + name: autogen-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Deployment + name: autogen-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + template: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/only-deployment/policy.yaml b/test/conformance/chainsaw/autogen/only-deployment/policy.yaml new file mode 100644 index 0000000000..3f124a8a67 --- /dev/null +++ b/test/conformance/chainsaw/autogen/only-deployment/policy.yaml @@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag + annotations: + pod-policies.kyverno.io/autogen-controllers: Deployment +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' 
diff --git a/test/conformance/chainsaw/autogen/should-autogen/01-policy.yaml b/test/conformance/chainsaw/autogen/should-autogen/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-autogen/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/should-autogen/README.md b/test/conformance/chainsaw/autogen/should-autogen/README.md new file mode 100644 index 0000000000..bbbe68d45f --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-autogen/README.md @@ -0,0 +1,7 @@ +## Description + +The policy should contain all autogen rules. + +## Expected Behavior + +The policy gets created and contains all autogen rules in the status. diff --git a/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml new file mode 100644 index 0000000000..971c5c9ae3 --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml 
@@ -0,0 +1,108 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag
+spec:
+ validationFailureAction: Audit
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: require-image-tag
+ validate:
+ message: An image tag is required.
+ pattern:
+ spec:
+ containers:
+ - image: '*:*'
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: validate-image-tag
+ validate:
+ message: Using a mutable image tag e.g. 'latest' is not allowed.
+ pattern:
+ spec:
+ containers:
+ - image: '!*:latest'
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+ autogen:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - DaemonSet
+ - Deployment
+ - Job
+ - StatefulSet
+ - ReplicaSet
+ - ReplicationController
+ name: autogen-require-image-tag
+ validate:
+ message: An image tag is required.
+ pattern:
+ spec:
+ template:
+ spec:
+ containers:
+ - image: '*:*'
+ - match:
+ any:
+ - resources:
+ kinds:
+ - CronJob
+ name: autogen-cronjob-require-image-tag
+ validate:
+ message: An image tag is required.
+ pattern:
+ spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - image: '*:*'
+ - match:
+ any:
+ - resources:
+ kinds:
+ - DaemonSet
+ - Deployment
+ - Job
+ - StatefulSet
+ - ReplicaSet
+ - ReplicationController
+ name: autogen-validate-image-tag
+ validate:
+ message: Using a mutable image tag e.g. 'latest' is not allowed.
+ pattern:
+ spec:
+ template:
+ spec:
+ containers:
+ - image: '!*:latest'
+ - match:
+ any:
+ - resources:
+ kinds:
+ - CronJob
+ name: autogen-cronjob-validate-image-tag
+ validate:
+ message: Using a mutable image tag e.g. 'latest' is not allowed.
+ pattern:
+ spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - image: '!*:latest'
diff --git a/test/conformance/chainsaw/autogen/should-autogen/policy.yaml b/test/conformance/chainsaw/autogen/should-autogen/policy.yaml
new file mode 100644
index 0000000000..0e4770f3e7
--- /dev/null
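Review bot: The `kinds` lists in the asserted autogen rules (`DaemonSet, Deployment, Job, StatefulSet, ReplicaSet, ReplicationController`) and the sequence of the four autogen rules are written as ordered arrays, so if chainsaw compares arrays element by element, as I believe it does, a change in the order Kyverno emits them fails this test even though the generated coverage is unchanged, and the failure would read as "missing rule" rather than "reordered". Since the README phrases the expectation as "contains all autogen rules", a one-line note at the top of the assertion would save the next person a false alarm: `# rule order and kind order must match what Kyverno generates; a mismatch here is not necessarily lost coverage`. The same applies to the Deployment-only assertion at L17.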
+++ b/test/conformance/chainsaw/autogen/should-autogen/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag
+spec:
+ validationFailureAction: Audit
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: require-image-tag
+ validate:
+ message: An image tag is required.
+ pattern:
+ spec:
+ containers:
+ - image: '*:*'
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: validate-image-tag
+ validate:
+ message: Using a mutable image tag e.g. 'latest' is not allowed.
+ pattern:
+ spec:
+ containers:
+ - image: '!*:latest'
diff --git a/test/conformance/chainsaw/autogen/should-not-autogen/01-policy.yaml b/test/conformance/chainsaw/autogen/should-not-autogen/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/should-not-autogen/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/autogen/should-not-autogen/README.md b/test/conformance/chainsaw/autogen/should-not-autogen/README.md
new file mode 100644
index 0000000000..3e7d26726f
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/should-not-autogen/README.md
@@ -0,0 +1,7 @@
+## Description
+
+The policy should not contain autogen rules as autogen should not apply to the policy (it's not a `Pod` only policy).
+
+## Expected Behavior
+
+The policy gets created and contains no autogen rules in the status.
diff --git a/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml
new file mode 100644
index 0000000000..e16f08f265
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag
+spec:
+ validationFailureAction: Audit
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ name: require-image-tag
+ validate:
+ message: An image tag is required.
+ pattern:
+ spec:
+ containers:
+ - image: '*:*'
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: validate-image-tag
+ validate:
+ message: Using a mutable image tag e.g. 'latest' is not allowed.
+ pattern:
+ spec:
+ containers:
+ - image: '!*:latest'
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+ autogen: {}
diff --git a/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml b/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml
new file mode 100644
index 0000000000..62a1223e67
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag
+spec:
+ validationFailureAction: Audit
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ name: require-image-tag
+ validate:
+ message: An image tag is required.
+ pattern:
+ spec:
+ containers:
+ - image: '*:*'
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: validate-image-tag
+ validate:
+ message: Using a mutable image tag e.g. 'latest' is not allowed.
+ pattern:
+ spec:
+ containers:
+ - image: '!*:latest'
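Review bot: In the `should-not-autogen` policy.yaml hunk the `require-image-tag` rule matches `Deployment` but keeps the Pod-shaped pattern (`spec.containers`), while the autogen rules asserted at L19 show the Deployment layout Kyverno itself uses is `spec.template.spec.containers`, so this rule does not inspect a Deployment's container images the way its name and message suggest, and nothing in the fixture says that `Deployment` is there only to make the rule non Pod-only so autogen is skipped; that intent lives only in the README. A reader who copies this policy as a starting point gets a rule that looks like it covers Deployments but does not, so add a comment beside that kind, `# Deployment is listed only so this is not a Pod-only rule and autogen is skipped; the Pod-shaped pattern below is not meant to check Deployment images`. The exact result Kyverno reports for a Deployment against that pattern (violation versus skip) is not visible here, so I have not asserted it.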