diff --git a/test/cli/test/kasten-invalid-patchedResource/backup-export-policy.yaml b/test/cli/test/kasten-invalid-patchedResource/backup-export-policy.yaml
deleted file mode 100644
index 6abb9a37f4..0000000000
--- a/test/cli/test/kasten-invalid-patchedResource/backup-export-policy.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-# An example compliant K10 Policy
-apiVersion: config.kio.kasten.io/v1alpha1
-kind: Policy
-metadata:
- name: hourly-policy
- namespace: kasten-io
- labels:
- appPriority: Mission-Critical
-spec:
- comment: My sample custom backup policy
- frequency: '@hourly' # change this to @daily to test the 'audit_mission_critical_RPO' policy
- subFrequency:
- minutes: [30]
- hours: [22,7]
- weekdays: [5]
- days: [15]
- retention:
- daily: 14
- weekly: 4
- monthly: 6
- actions:
- - action: backup
- - action: export # comment this line out to test 'enforce_3-2-1' policy
- exportParameters:
- frequency: '@monthly'
- profile:
- name: my-profile
- namespace: kasten-io
- exportData:
- enabled: true
- retention:
- monthly: 12
- yearly: 5
- selector:
- matchLabels:
- k10.kasten.io/appNamespace: sampleApp
\ No newline at end of file
diff --git a/test/cli/test/kasten-invalid-patchedResource/k10-override-minimum-retentions.yaml b/test/cli/test/kasten-invalid-patchedResource/k10-override-minimum-retentions.yaml
deleted file mode 100644
index 096c311e3a..0000000000
--- a/test/cli/test/kasten-invalid-patchedResource/k10-override-minimum-retentions.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: k10-policy-minimum-retention
- annotations:
- policies.kyverno.io/title: Minimum Backup Retention
- policies.kyverno.io/category: Kasten K10
- kyverno.io/kyverno-version: 1.6.2
- policies.kyverno.io/minversion: 1.6.2
- kyverno.io/kubernetes-version: "1.21-1.22"
- policies.kyverno.io/subject: Policy
- policies.kyverno.io/description: >-
- K10 Policy resources can be validated to adhere to common compliance retention standards.
- Uncomment the regulation/compliance standards you want to enforce for according to GFS retention.
- This policy deletes the retention value in the backup operation and replaces it with the specified retention.
- Note: K10 Policy uses the GFS retention scheme and export operations default to use the retention of the backup operation.
- To use different
- This policy can also be used go reduce retentions lengths to enforce cost optimization.
-spec:
- rules:
- - name: k10-policy-minimum-retention
- match:
- any:
- - resources:
- kinds:
- - config.kio.kasten.io/v1alpha1/Policy
- mutate:
- # Cost Optimization (Maximum Retention: 3 Months)
- patchesJson6902: |-
- - path: "/spec/retention"
- op: replace
- value: {"hourly":24,"daily":30,"weekly":4,"monthly":3}
\ No newline at end of file
diff --git a/test/cli/test/kasten-invalid-patchedResource/kyverno-test.yaml b/test/cli/test/kasten-invalid-patchedResource/kyverno-test.yaml
deleted file mode 100644
index 0f7b621778..0000000000
--- a/test/cli/test/kasten-invalid-patchedResource/kyverno-test.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-name: kyverno_data_protection_tests
-policies:
- - k10-override-minimum-retentions.yaml
-resources:
- - backup-export-policy.yaml
-results:
-- policy: k10-policy-minimum-retention
- rule: k10-policy-minimum-retention
- resource: hourly-policy
- kind: Policy
- patchedResource: patched.yaml
- result: fail
\ No newline at end of file
diff --git a/test/cli/test/kasten-invalid-patchedResource/patched.yaml b/test/cli/test/kasten-invalid-patchedResource/patched.yaml
deleted file mode 100644
index 8f37172ae6..0000000000
--- a/test/cli/test/kasten-invalid-patchedResource/patched.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-kind: Policy
-apiVersion: config.kio.kasten.io/v1alpha1
-metadata:
- name: hourly-policy
- namespace: kasten-io
- # labels:
- appPriority: Mission-Critical
-spec:
- comment: My sample custom backup policy
- frequency: "@hourly"
- subFrequency:
- minutes:
- - 30
- hours:
- - 22
- - 7
- weekdays:
- - 5
- days:
- - 15
- retention:
- hourly: 24
- daily: 30
- weekly: 4
- monthly: 3
- selector:
- matchLabels:
- k10.kasten.io/appNamespace: sampleApp
- actions:
- - action: backup
- - action: export
- exportParameters:
- frequency: "@monthly"
- profile:
- name: my-profile
- namespace: kasten-io
- exportData:
- enabled: true
- retention:
- monthly: 12
- yearly: 5
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/01-policy.yaml b/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/01-policy.yaml
deleted file mode 100644
index f3857739b0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- policy.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/02-resource.yaml b/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/02-resource.yaml
deleted file mode 100644
index 7e08de156a..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/02-resource.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- resource.yaml
-assert:
-- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/README.md b/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/README.md
deleted file mode 100644
index 4763840548..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-## Description
-
-This is a test of the policy in this folder.
-
-Note: In order for this test to work on Pods emitted from Pod controllers, the Kyverno ConfigMap excludeGroups value may need to be modified to remove the entry for system:serviceaccounts:kube-system or else mutation may not occur.
-
-## Expected Behavior
-
-The resource is expected to be mutated so it resembles the specified asserted resources. If it does, the test passes. If it does not, it fails.
-
-## Reference Issue(s)
-
-N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/policy-ready.yaml b/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/policy-ready.yaml
deleted file mode 100644
index 6696bb1d2d..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-emptydir-sizelimit
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/policy.yaml b/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/policy.yaml
deleted file mode 100644
index 2a7cf157b3..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/policy.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: add-emptydir-sizelimit
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-emptydir-sizelimit
- annotations:
- pod-policies.kyverno.io/autogen-controllers: none
- policies.kyverno.io/title: Add emptyDir sizeLimit
- policies.kyverno.io/category: Other
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/minversion: 1.6.0
- kyverno.io/kyverno-version: 1.7.3,1.8.0-rc2
- kyverno.io/kubernetes-version: "1.24"
- policies.kyverno.io/description: >-
- When a Pod requests an emptyDir, by default it does not have a size limit which
- may allow it to consume excess or all of the space in the medium backing the volume.
- This can quickly overrun a Node and may result in a denial of service for other
- workloads. This policy adds a sizeLimit field to all Pods mounting emptyDir
- volumes, if not present, and sets it to 100Mi.
-spec:
- rules:
- - name: mutate-emptydir
- match:
- any:
- - resources:
- kinds:
- - Pod
- mutate:
- foreach:
- - list: "request.object.spec.volumes[]"
- preconditions:
- all:
- - key: "{{element.keys(@)}}"
- operator: AnyIn
- value: emptyDir
- - key: "{{element.emptyDir.sizeLimit || ''}}"
- operator: Equals
- value: ''
- patchesJson6902: |-
- - path: "/spec/volumes/{{elementIndex}}/emptyDir/sizeLimit"
- op: add
- value: 100Mi
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/resource-mutated.yaml b/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/resource-mutated.yaml
deleted file mode 100644
index f1080792f5..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/resource-mutated.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod01
- namespace: add-emptydir-sizelimit
-spec:
- automountServiceAccountToken: false
- containers:
- - image: aiboelckajdow:1.35
- name: busybox
- volumeMounts:
- - mountPath: /foo
- name: foo
- volumes:
- - emptyDir:
- sizeLimit: 100Mi
- name: foo
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod02
- namespace: add-emptydir-sizelimit
-spec:
- automountServiceAccountToken: false
- containers:
- - name: busybox
- image: iopybmeyffhjq:1.35
- volumeMounts:
- - mountPath: /foo
- name: foo
- volumes:
- - name: foo
- emptyDir:
- sizeLimit: 50Mi
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod03
- namespace: add-emptydir-sizelimit
-spec:
- automountServiceAccountToken: false
- containers:
- - name: busybox
- image: flfmfioapzhdts:1.35
- volumeMounts:
- - mountPath: /foo
- name: foo
- - mountPath: /bar
- name: bar
- volumes:
- - name: foo
- emptyDir:
- sizeLimit: 50Mi
- - name: bar
- emptyDir:
- sizeLimit: 100Mi
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod04
- namespace: add-emptydir-sizelimit
-spec:
- automountServiceAccountToken: false
- containers:
- - image: imvplaiskduqnf:1.35
- name: busybox
- volumeMounts:
- - mountPath: /foo
- name: foo
- - mountPath: /bar
- name: bar
- - mountPath: /baz
- name: baz
- volumes:
- - emptyDir:
- sizeLimit: 50Mi
- name: foo
- - hostPath:
- path: /opt/baz
- name: baz
- - emptyDir:
- sizeLimit: 100Mi
- name: bar
diff --git a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/resource.yaml b/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/resource.yaml
deleted file mode 100644
index 878ced1811..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-emptydirsizelimit/resource.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod01
- namespace: add-emptydir-sizelimit
-spec:
- automountServiceAccountToken: false
- containers:
- - name: busybox
- image: aiboelckajdow:1.35
- volumeMounts:
- - mountPath: /foo
- name: foo
- volumes:
- - name: foo
- emptyDir: {}
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod02
- namespace: add-emptydir-sizelimit
-spec:
- automountServiceAccountToken: false
- containers:
- - name: busybox
- image: iopybmeyffhjq:1.35
- volumeMounts:
- - mountPath: /foo
- name: foo
- volumes:
- - name: foo
- emptyDir:
- sizeLimit: 50Mi
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod03
- namespace: add-emptydir-sizelimit
-spec:
- automountServiceAccountToken: false
- containers:
- - name: busybox
- image: flfmfioapzhdts:1.35
- volumeMounts:
- - mountPath: /foo
- name: foo
- - mountPath: /bar
- name: bar
- volumes:
- - name: foo
- emptyDir:
- sizeLimit: 50Mi
- - name: bar
- emptyDir: {}
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod04
- namespace: add-emptydir-sizelimit
-spec:
- automountServiceAccountToken: false
- containers:
- - name: busybox
- image: imvplaiskduqnf:1.35
- volumeMounts:
- - mountPath: /foo
- name: foo
- - mountPath: /bar
- name: bar
- - mountPath: /baz
- name: baz
- volumes:
- - name: foo
- emptyDir:
- sizeLimit: 50Mi
- - name: baz
- hostPath:
- path: /opt/baz
- - name: bar
- emptyDir: {}
diff --git a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/01-crd.yaml b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/01-crd.yaml
deleted file mode 100644
index 6db5372cb0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/01-crd.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- crd.yaml
-assert:
-- crd-assert.yaml
diff --git a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/02-policy.yaml b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/02-policy.yaml
deleted file mode 100644
index 57ffd5631d..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/02-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- policy.yaml
-assert:
-- policy-ready.yaml
diff --git a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/03-sleep.yaml b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/03-sleep.yaml
deleted file mode 100644
index c4a0f87858..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/03-sleep.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
- - command: sleep 10
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/04-resource.yaml b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/04-resource.yaml
deleted file mode 100644
index de14ac5c9c..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/04-resource.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- resource.yaml
-assert:
-- resource-mutated.yaml
diff --git a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/README.md b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/README.md
deleted file mode 100644
index 6ec7030d63..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/README.md
+++ /dev/null
@@ -1,12 +0,0 @@
-## Description
-
-This is a description of what my test does and why it needs to do it.
-
-## Expected Behavior
-
-This is the expected behavior of my test. Although it's assumed the test, overall, should pass/succeed, be specific about what the internal behavior is which leads to that result.
-
-## Reference Issue(s)
-
-1234
-test
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/crd-assert.yaml b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/crd-assert.yaml
deleted file mode 100644
index a7aee3c477..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/crd-assert.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: externalsecrets.external-secrets.io
-spec: {}
-status:
- acceptedNames:
- kind: ExternalSecret
- listKind: ExternalSecretList
- plural: externalsecrets
- singular: externalsecret
- storedVersions:
- - v1beta1
diff --git a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/crd.yaml b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/crd.yaml
deleted file mode 100644
index 8cf533cc60..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/crd.yaml
+++ /dev/null
@@ -1,694 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret - keys and the Provider data - items: - description: ExternalSecretData defines the connection between the - Kubernetes Secret key (spec.data.) and the Provider data. 
- properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data - location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider - value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider - value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific - Provider data If multiple entries are specified, the Secret keys - are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider - value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider - value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values - are read again from the SecretStore provider Valid time units are - "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to - fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the - ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or - ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: ExternalSecretTarget defines the Kubernetes Secret to - be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the - resulting Secret Defaults to 'Owner' - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be - managed This field is immutable Defaults to the .metadata.name - of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret - resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: EngineVersion specifies the template engine version - that should be used to compile/execute the template specified - in .data and .templateFrom[]. - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata - fields for the Secret blueprint. 
- properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret - was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced - version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. 
- properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret - keys and the Provider data - items: - description: ExternalSecretData defines the connection between the - Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider - secrets, possible options are Fetch, None. 
Defaults to - None - type: string - property: - description: Used to select a specific property of the Provider - value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider - value, if supported - type: string - required: - - key - type: object - secretKey: - description: SecretKey defines the key in which the controller - stores the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: SourceRef allows you to override the source from - which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource - in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator - resource - type: string - kind: - description: Specify the Kind of the resource, e.g. - Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to - fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore - or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific - Provider data If multiple entries are specified, the Secret keys - are merged in the specified order - items: - properties: - extract: - description: 'Used to extract multiple key/value pairs from - one secret Note: Extract does not support sourceRef.Generator - or sourceRef.GeneratorRef.' 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider - secrets, possible options are Fetch, None. Defaults to - None - type: string - property: - description: Used to select a specific property of the Provider - value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider - value, if supported - type: string - required: - - key - type: object - find: - description: 'Used to find secrets based on tags or regular - expressions Note: Find does not support sourceRef.Generator - or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: Used to rewrite secret Keys after getting them - from the secret Provider Multiple Rewrite operations can be - provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll - operation. - properties: - source: - description: Used to define the regular expression - of a re.Compiler. 
- type: string - target: - description: Used to define the target pattern of - a ReplaceAll operation. - type: string - required: - - source - - target - type: object - type: object - type: array - sourceRef: - description: SourceRef points to a store or generator which - contains secret values ready to use. Use this in combination - with Extract or Find pull values out of a specific SecretStore. - When sourceRef points to a generator Extract or Find is not - supported. The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource - in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator - resource - type: string - kind: - description: Specify the Kind of the resource, e.g. - Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to - fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore - or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values - are read again from the SecretStore provider Valid time units are - "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to - fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the - ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or - ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to - be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the - resulting Secret Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: DeletionPolicy defines rules on how to delete the - resulting Secret Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be - managed This field is immutable Defaults to the .metadata.name - of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret - resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - type: string - mergePolicy: - default: Replace - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata - fields for the Secret blueprint. 
- properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret - was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced - version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/policy-ready.yaml b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/policy-ready.yaml deleted file mode 100644 index 51234b6594..0000000000 --- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/policy-ready.yaml +++ /dev/null 
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-external-secret-prefix
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/policy.yaml b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/policy.yaml
deleted file mode 100644
index ae3d6a0ecf..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/policy.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: add-external-secret-prefix
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-external-secret-prefix
- annotations:
- policies.kyverno.io/title: Add prefix to external secret
- policies.kyverno.io/category: ExternalSecretOperator
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: ExternalSecret
- kyverno.io/kyverno-version: 1.7.1
- policies.kyverno.io/minversion: 1.6.0
- kyverno.io/kubernetes-version: "1.23"
- policies.kyverno.io/description: >-
- This Policy mutates secretRef key to add a prefix.
- External Secret Operator proposes to use kyverno to force ExternalSecrets
- to have namespace prefix so that kubernetes administrators do not need to
- define permissions and users per namespace.
- Doing this developers are abstracted by administrators naming convention and will not
- be able to access secrets from other namespaces.
- In this example, in the JSON patch change "prefix-" to your preferred prefix. For example: {{ request.namespace }}
-spec:
- rules:
- - name: add-external-secret-prefix
- match:
- any:
- - resources:
- kinds:
- - ExternalSecret
- mutate:
- foreach:
- - list: "request.object.spec.data"
- patchesJson6902: |-
- - path: /spec/data/{{elementIndex}}/remoteRef
- op: add
- value:
- key: "prefix-{{element.remoteRef.key}}"
- property: "{{element.remoteRef.property}}"
- conversionStrategy: "{{element.remoteRef.conversionStrategy}}"
- decodingStrategy: "{{element.remoteRef.decodingStrategy}}"
diff --git a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/resource-mutated.yaml b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/resource-mutated.yaml
deleted file mode 100644
index 03eab8636c..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/resource-mutated.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: example
- namespace: add-external-secret-prefix
-spec:
- data:
- - remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: prefix-remote-secret
- property: name.first
- secretKey: firstname
- - remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: prefix-friend-secret
- property: friends.1.first
- secretKey: first_friend
- refreshInterval: 1m
- secretStoreRef:
- kind: SecretStore
- name: aws
- target:
- creationPolicy: Owner
- deletionPolicy: Retain
- name: secret-to-be-created
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/resource.yaml b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/resource.yaml
deleted file mode 100644
index e89a9db993..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/resource.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: example
- namespace: add-external-secret-prefix
-spec:
- refreshInterval: 1m
- secretStoreRef:
- name: aws
- kind: SecretStore
- target:
- name: secret-to-be-created
- creationPolicy: Owner
- data:
- - secretKey: firstname
- remoteRef:
- key: remote-secret
- property: "name.first"
- conversionStrategy: Default
- decodingStrategy: None
- - secretKey: first_friend
- remoteRef:
- key: friend-secret
- property: "friends.1.first"
- conversionStrategy: Default
- decodingStrategy: None
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/01-policy.yaml b/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/01-policy.yaml
deleted file mode 100644
index f3857739b0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- policy.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/02-resource.yaml b/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/02-resource.yaml
deleted file mode 100644
index 7e08de156a..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/02-resource.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- resource.yaml
-assert:
-- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/README.md b/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/README.md
deleted file mode 100644
index 4763840548..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-## Description
-
-This is a test of the policy in this folder.
-
-Note: In order for this test to work on Pods emitted from Pod controllers, the Kyverno ConfigMap excludeGroups value may need to be modified to remove the entry for system:serviceaccounts:kube-system or else mutation may not occur.
-
-## Expected Behavior
-
-The resource is expected to be mutated so it resembles the specified asserted resources. If it does, the test passes. If it does not, it fails.
-
-## Reference Issue(s)
-
-N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/policy-ready.yaml b/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/policy-ready.yaml
deleted file mode 100644
index da767ab21e..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-image-as-env-var
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/policy.yaml b/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/policy.yaml
deleted file mode 100644
index fe52715a16..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/policy.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: add-image-as-env-var
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-image-as-env-var
- annotations:
- pod-policies.kyverno.io/autogen-controllers: none
- policies.kyverno.io/title: Add Image as Environment Variable
- policies.kyverno.io/category: Other
- policies.kyverno.io/severity: medium
- kyverno.io/kyverno-version: 1.10.0-alpha.2
- kyverno.io/kubernetes-version: "1.26"
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/description: >-
- The Kubernetes downward API only has the ability to express so many
- options as environment variables. The image consumed in a Pod is commonly
- needed to make the application aware of some logic it must take. This policy
- takes the value of the `image` field and adds it as an environment variable
- to Pods.
-spec:
- rules:
- - name: pod-containers-inject-image
- match:
- any:
- - resources:
- kinds:
- - Pod
- mutate:
- foreach:
- - list: request.object.spec.containers[]
- patchesJson6902: |-
- - op: add
- path: /spec/containers/{{elementIndex}}/env/-
- value:
- name: K8S_IMAGE
- value: "{{ element.image }}"
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/resource-mutated.yaml b/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/resource-mutated.yaml
deleted file mode 100644
index 02d10206c8..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/resource-mutated.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod01
- namespace: add-image-as-env-var
-spec:
- containers:
- - env:
- - name: FOO
- value: bar
- - name: K8S_IMAGE
- value: aiboelckajdow:1.35
- image: aiboelckajdow:1.35
- name: busybox
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod02
- namespace: add-image-as-env-var
-spec:
- containers:
- - env:
- - name: K8S_IMAGE
- value: bicoapeibsjasjdhb:1.35
- image: bicoapeibsjasjdhb:1.35
- name: busybox
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod03
- namespace: add-image-as-env-var
-spec:
- containers:
- - env:
- - name: COLOR
- value: red
- - name: K8S_IMAGE
- value: pqmbjduzivyyaiv:1.35
- image: pqmbjduzivyyaiv:1.35
- name: busybox
- - env:
- - name: K8S_IMAGE
- value: yqkbmzydleyds:1.1.0
- image: yqkbmzydleyds:1.1.0
- name: nginx
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/resource.yaml b/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/resource.yaml
deleted file mode 100644
index 9f670115a5..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-image-as-env-var/resource.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod01
- namespace: add-image-as-env-var
-spec:
- containers:
- - name: busybox
- image: aiboelckajdow:1.35
- env:
- - name: FOO
- value: bar
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod02
- namespace: add-image-as-env-var
-spec:
- containers:
- - name: busybox
- image: bicoapeibsjasjdhb:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod03
- namespace: add-image-as-env-var
-spec:
- containers:
- - name: busybox
- image: pqmbjduzivyyaiv:1.35
- env:
- - name: COLOR
- value: red
- - name: nginx
- image: yqkbmzydleyds:1.1.0
diff --git a/test/conformance/kuttl/mutate/refactor/add-node-affinity/01-policy.yaml b/test/conformance/kuttl/mutate/refactor/add-node-affinity/01-policy.yaml
deleted file mode 100644
index f3857739b0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-node-affinity/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- policy.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-node-affinity/02-resource.yaml b/test/conformance/kuttl/mutate/refactor/add-node-affinity/02-resource.yaml
deleted file mode 100644
index 7e08de156a..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-node-affinity/02-resource.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- resource.yaml
-assert:
-- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-node-affinity/README.md b/test/conformance/kuttl/mutate/refactor/add-node-affinity/README.md
deleted file mode 100644
index 04644f67f5..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-node-affinity/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-## Description
-
-This is a test of the policy in this folder.
-
-## Expected Behavior
-
-The resource is expected to be mutated so it resembles the specified asserted resources. If it does, the test passes. If it does not, it fails.
-
-## Reference Issue(s)
-
-N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-node-affinity/policy-ready.yaml b/test/conformance/kuttl/mutate/refactor/add-node-affinity/policy-ready.yaml
deleted file mode 100644
index ba706ce75a..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-node-affinity/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-node-affinity
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-node-affinity/policy.yaml b/test/conformance/kuttl/mutate/refactor/add-node-affinity/policy.yaml
deleted file mode 100644
index 315e4c5770..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-node-affinity/policy.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: add-node-affinity
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-node-affinity
- annotations:
- policies.kyverno.io/title: Add Node Affinity
- policies.kyverno.io/category: Other
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Deployment
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.21"
- policies.kyverno.io/description: >-
- Node affinity, similar to node selection, is a way to specify which node(s) on which Pods will be scheduled
- but based on more complex conditions. This policy will add node affinity to a Deployment and if one already
- exists an expression will be added to it.
-spec:
- background: false
- rules:
- - name: add-node-affinity-deployment
- match:
- any:
- - resources:
- kinds:
- - Deployment
- mutate:
- patchesJson6902: |-
- - path: "/spec/template/spec/affinity/nodeAffinity/requiredDuringSchedulingIgnoredDuringExecution/nodeSelectorTerms/-1/matchExpressions/-1"
- op: add
- value:
- key: zone_weight
- operator: Lt
- values:
- - "400"
diff --git a/test/conformance/kuttl/mutate/refactor/add-node-affinity/resource-mutated.yaml b/test/conformance/kuttl/mutate/refactor/add-node-affinity/resource-mutated.yaml
deleted file mode 100644
index a7d826b9fa..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-node-affinity/resource-mutated.yaml
+++ /dev/null
@@ -1,107 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: tomcat
- name: tomcat-deployment
- namespace: add-node-affinity
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tomcat
- template:
- metadata:
- labels:
- app: tomcat
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: zone_weight
- operator: Lt
- values:
- - "400"
- containers:
- - image: thisisdefinitelynottomcat:9.0
- name: tomcat
- ports:
- - containerPort: 80
- protocol: TCP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: nginx
- name: nginx-deployment
- namespace: add-node-affinity
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nginx
- template:
- metadata:
- labels:
- app: nginx
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: fookey
- operator: In
- values:
- - bar
- - key: zone_weight
- operator: Lt
- values:
- - "400"
- containers:
- - image: thisisdefinitelynotnginx:1.0.1
- name: nginx
- ports:
- - containerPort: 80
- protocol: TCP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: redis
- name: redis-deployment
- namespace: add-node-affinity
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: redis
- template:
- metadata:
- labels:
- app: redis
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: zone_weight
- operator: Lt
- values:
- - "400"
- matchFields:
- - key: metadata.name
- operator: In
- values:
- - red
- containers:
- - image: thisisdefinitelynotredis:latest
- name: redis
- ports:
- - containerPort: 80
- protocol: TCP
diff --git a/test/conformance/kuttl/mutate/refactor/add-node-affinity/resource.yaml b/test/conformance/kuttl/mutate/refactor/add-node-affinity/resource.yaml
deleted file mode 100644
index ea470494af..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-node-affinity/resource.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tomcat-deployment
- namespace: add-node-affinity
- labels:
- app: tomcat
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: tomcat
- template:
- metadata:
- labels:
- app: tomcat
- spec:
- containers:
- - name: tomcat
- image: thisisdefinitelynottomcat:9.0
- ports:
- - containerPort: 80
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-deployment
- namespace: add-node-affinity
- labels:
- app: nginx
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nginx
- template:
- metadata:
- labels:
- app: nginx
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: fookey
- operator: In
- values:
- - bar
- containers:
- - name: nginx
- image: thisisdefinitelynotnginx:1.0.1
- ports:
- - containerPort: 80
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: redis-deployment
- namespace: add-node-affinity
- labels:
- app: redis
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: redis
- template:
- metadata:
- labels:
- app: redis
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchFields:
- - key: metadata.name
- operator: In
- values:
- - red
- containers:
- - name: redis
- image: thisisdefinitelynotredis:latest
- ports:
- - containerPort: 80
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/01-policy.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/01-policy.yaml
deleted file mode 100644
index f3857739b0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- policy.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/02-pod.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/02-pod.yaml
deleted file mode 100644
index 79800b2516..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/02-pod.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- pod.yaml
-assert:
-- pod-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/03-deployment.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/03-deployment.yaml
deleted file mode 100644
index 61dea991e2..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/03-deployment.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- deployment.yaml
-assert:
-- deployment-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/04-cronjob.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/04-cronjob.yaml
deleted file mode 100644
index d84c0963be..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/04-cronjob.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- cronjob.yaml
-assert:
-- cronjob-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/README.md b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/README.md
deleted file mode 100644
index 04644f67f5..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-## Description
-
-This is a test of the policy in this folder.
-
-## Expected Behavior
-
-The resource is expected to be mutated so it resembles the specified asserted resources. If it does, the test passes. If it does not, it fails.
-
-## Reference Issue(s)
-
-N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/cronjob-mutated.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/cronjob-mutated.yaml
deleted file mode 100644
index f2c62f44dc..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/cronjob-mutated.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: hello
- namespace: add-pod-priorityclassname
-spec:
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - args:
- - /bin/sh
- - -c
- - date; echo Hello from the Kubernetes cluster
- image: somejunkimagegoeshere
- name: hello
- priorityClassName: non-production
- restartPolicy: OnFailure
- schedule: '*/1 * * * *'
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/cronjob.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/cronjob.yaml
deleted file mode 100644
index 830a04e39f..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/cronjob.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: hello
- namespace: add-pod-priorityclassname
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - name: hello
- image: somejunkimagegoeshere
- args:
- - /bin/sh
- - -c
- - date; echo Hello from the Kubernetes cluster
- restartPolicy: OnFailure
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/deployment-mutated.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/deployment-mutated.yaml
deleted file mode 100644
index d005a048f5..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/deployment-mutated.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: busybox
- namespace: add-pod-priorityclassname
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - command:
- - sleep
- - "9999"
- image: somejunkbusyboximage:1.28
- name: busybox
- priorityClassName: non-production
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/deployment.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/deployment.yaml
deleted file mode 100644
index 516f8074cf..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/deployment.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: busybox
- namespace: add-pod-priorityclassname
- labels:
- app: busybox
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - image: somejunkbusyboximage:1.28
- name: busybox
- command: ["sleep", "9999"]
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/pod-mutated.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/pod-mutated.yaml
deleted file mode 100644
index b9c25ea733..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/pod-mutated.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: blank
- namespace: add-pod-priorityclassname
-spec:
- containers:
- - image: sfsdafasdfsadfsadf
- name: busybox
- priorityClassName: non-production
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/pod.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/pod.yaml
deleted file mode 100644
index b5db2b7c27..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/pod.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: blank
- namespace: add-pod-priorityclassname
-spec:
- containers:
- - name: busybox
- image: sfsdafasdfsadfsadf
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/policy-ready.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/policy-ready.yaml
deleted file mode 100644
index c95f7c6422..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-pod-priorityclassname
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/policy.yaml b/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/policy.yaml
deleted file mode 100644
index 0a1dc98679..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-pod-priorityclassname/policy.yaml
+++ /dev/null
@@ -1,93 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: add-pod-priorityclassname
----
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
- name: non-production
-value: 1234
-globalDefault: false
-description: "This priority class should be used for XYZ service pods only."
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-pod-priorityclassname
- annotations:
- policies.kyverno.io/title: Add Pod priorityClassName
- policies.kyverno.io/category: Other
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod
- pod-policies.kyverno.io/autogen-controllers: none
- kyverno.io/kyverno-version: 1.7.1
- policies.kyverno.io/minversion: 1.6.0
- kyverno.io/kubernetes-version: "1.23"
- policies.kyverno.io/description: >-
- A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others.
- This policy adds the priorityClassName of `non-production` to any Pod deployed
- into a Namespace that does not have the label env=production.
-spec:
- background: false
- rules:
- - name: add-priorityclass-pods
- match:
- any:
- - resources:
- kinds:
- - Pod
- namespaceSelector:
- matchExpressions:
- - key: env
- operator: NotIn
- values:
- - production
- mutate:
- patchesJson6902: |-
- - op: remove
- path: '/spec/priority'
- - op: add
- path: /spec/priorityClassName
- value: 'non-production'
- - name: add-priorityclass-controllers
- match:
- any:
- - resources:
- kinds:
- - Deployment
- - DaemonSet
- - StatefulSet
- - Job
- namespaceSelector:
- matchExpressions:
- - key: env
- operator: NotIn
- values:
- - production
- mutate:
- patchesJson6902: |-
- - op: remove
- path: '/spec/template/spec/priority'
- - op: add
- path: /spec/template/spec/priorityClassName
- value: 'non-production'
- - name: add-priorityclass-cronjobs
- match:
- any:
- - resources:
- kinds:
- - CronJob
- namespaceSelector:
- matchExpressions:
- - key: env
- operator: NotIn
- values:
- - production
- mutate:
- patchesJson6902: |-
- - op: remove
- path: '/spec/jobTemplate/spec/template/spec/priority'
- - op: add
- path: /spec/jobTemplate/spec/template/spec/priorityClassName
- value: 'non-production'
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-tolerations/01-policy.yaml b/test/conformance/kuttl/mutate/refactor/add-tolerations/01-policy.yaml
deleted file mode 100644
index f3857739b0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-tolerations/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- policy.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-tolerations/02-resource.yaml b/test/conformance/kuttl/mutate/refactor/add-tolerations/02-resource.yaml
deleted file mode 100644
index 7e08de156a..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-tolerations/02-resource.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- resource.yaml
-assert:
-- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-tolerations/README.md b/test/conformance/kuttl/mutate/refactor/add-tolerations/README.md
deleted file mode 100644
index 1e9be3bf91..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-tolerations/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-## Description
-
-This is a test of the policy in this folder.
-
-## Expected Behavior
-
-The resource is expected to be mutated so it resembles the specified asserted resource. If it does, the test passes. If it does not, it fails.
-
-## Reference Issue(s)
-
-N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-tolerations/policy-ready.yaml b/test/conformance/kuttl/mutate/refactor/add-tolerations/policy-ready.yaml
deleted file mode 100644
index f3ea2605c3..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-tolerations/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-tolerations
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-tolerations/policy.yaml b/test/conformance/kuttl/mutate/refactor/add-tolerations/policy.yaml
deleted file mode 100644
index 640622b412..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-tolerations/policy.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: add-tolerations
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-tolerations
- annotations:
- policies.kyverno.io/title: Add Tolerations
- policies.kyverno.io/category: Other
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod
- kyverno.io/kyverno-version: 1.7.1
- policies.kyverno.io/minversion: 1.6.0
- kyverno.io/kubernetes-version: "1.23"
- policies.kyverno.io/description: >-
- Pod tolerations are used to schedule on Nodes which have
- a matching taint. This policy adds the toleration `org.com/role=service:NoSchedule`
- if existing tolerations do not contain the key `org.com/role`.
-spec:
- rules:
- - name: service-toleration
- match:
- any:
- - resources:
- kinds:
- - Pod
- preconditions:
- any:
- - key: "org.com/role"
- operator: AnyNotIn
- value: "{{ request.object.spec.tolerations[].key || `[]` }}"
- mutate:
- patchesJson6902: |-
- - op: add
- path: "/spec/tolerations/-"
- value:
- key: org.com/role
- operator: Equal
- value: service
- effect: NoSchedule
diff --git a/test/conformance/kuttl/mutate/refactor/add-tolerations/resource-mutated.yaml b/test/conformance/kuttl/mutate/refactor/add-tolerations/resource-mutated.yaml
deleted file mode 100644
index 7f209bdd3c..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-tolerations/resource-mutated.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: addpod02
- namespace: add-tolerations
-spec:
- containers:
- - image: containerimage01
- name: container01
- tolerations:
- - effect: NoSchedule
- key: org.com/test
- operator: Exists
- - effect: NoExecute
- key: node.kubernetes.io/not-ready
- operator: Exists
- tolerationSeconds: 300
- - effect: NoExecute
- key: node.kubernetes.io/unreachable
- operator: Exists
- tolerationSeconds: 300
- - effect: NoSchedule
- key: org.com/role
- operator: Equal
- value: service
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-tolerations/resource.yaml b/test/conformance/kuttl/mutate/refactor/add-tolerations/resource.yaml
deleted file mode 100644
index ff625d5ef0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-tolerations/resource.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: addpod02
- namespace: add-tolerations
-spec:
- containers:
- - name: container01
- image: containerimage01
- tolerations:
- - key: org.com/test
- operator: Exists
- effect: NoSchedule
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/01-policy.yaml b/test/conformance/kuttl/mutate/refactor/add-volume-deployment/01-policy.yaml
deleted file mode 100644
index f3857739b0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- policy.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/02-resource.yaml b/test/conformance/kuttl/mutate/refactor/add-volume-deployment/02-resource.yaml
deleted file mode 100644
index 7e08de156a..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/02-resource.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- resource.yaml
-assert:
-- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/03-sleep.yaml b/test/conformance/kuttl/mutate/refactor/add-volume-deployment/03-sleep.yaml
deleted file mode 100644
index b2822f5976..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/03-sleep.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
- - command: sleep 10
diff --git a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/README.md b/test/conformance/kuttl/mutate/refactor/add-volume-deployment/README.md
deleted file mode 100644
index 1e9be3bf91..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-## Description
-
-This is a test of the policy in this folder.
-
-## Expected Behavior
-
-The resource is expected to be mutated so it resembles the specified asserted resource. If it does, the test passes. If it does not, it fails.
-
-## Reference Issue(s)
-
-N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/policy-ready.yaml b/test/conformance/kuttl/mutate/refactor/add-volume-deployment/policy-ready.yaml
deleted file mode 100644
index d2a163ed95..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-volume
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/policy.yaml b/test/conformance/kuttl/mutate/refactor/add-volume-deployment/policy.yaml
deleted file mode 100644
index 3fa6a6903f..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/policy.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-volume
- annotations:
- policies.kyverno.io/title: Add Volume to Deployment
- policies.kyverno.io/category: Sample
- policies.kyverno.io/subject: Deployment, Volume
- policies.kyverno.io/minversion: 1.6.0
- policies.kyverno.io/description: >-
- Some Kubernetes applications like HashiCorp Vault must perform some modifications
- to resources in order to invoke their specific functionality. Often times, that functionality
- is controlled by the presence of a label or specific annotation. This policy, based on HashiCorp
- Vault, adds a volume and volumeMount to a Deployment if there is an annotation called
- "vault.k8s.corp.net/inject=enabled" present.
-spec:
- rules:
- - name: add-volume
- match:
- any:
- - resources:
- kinds:
- - Deployment
- preconditions:
- any:
- - key: "{{request.object.spec.template.metadata.annotations.\"vault.k8s.corp.net/inject\"}}"
- operator: Equals
- value: enabled
- mutate:
- patchesJson6902: |-
- - op: add
- path: /spec/template/spec/volumes/-
- value:
- name: vault-secret
- emptyDir:
- medium: Memory
- - op: add
- path: /spec/template/spec/containers/0/volumeMounts/-
- value:
- mountPath: /secret
- name: vault-secret
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/resource-mutated.yaml b/test/conformance/kuttl/mutate/refactor/add-volume-deployment/resource-mutated.yaml
deleted file mode 100644
index 0884c306f2..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/resource-mutated.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: myapp
- name: mydeploy
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: myapp
- template:
- metadata:
- annotations:
- vault.k8s.corp.net/inject: enabled
- labels:
- app: myapp
- spec:
- containers:
- - image: somedummyimagehere:latest
- name: container01
- volumeMounts:
- - mountPath: /secret
- name: vault-secret
- - image: anotherdummyimagehere:1.2.3
- name: container02
- volumeMounts:
- - mountPath: /extra
- name: foobar
- volumes:
- - hostPath:
- path: /foo/bar
- type: ""
- name: foobar
- - emptyDir:
- medium: Memory
- name: vault-secret
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/resource.yaml b/test/conformance/kuttl/mutate/refactor/add-volume-deployment/resource.yaml
deleted file mode 100644
index 3cd01a542e..0000000000
--- a/test/conformance/kuttl/mutate/refactor/add-volume-deployment/resource.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: myapp
- name: mydeploy
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: myapp
- template:
- metadata:
- labels:
- app: myapp
- annotations:
- vault.k8s.corp.net/inject: enabled
- spec:
- containers:
- - image: somedummyimagehere:latest
- name: container01
- - image: anotherdummyimagehere:1.2.3
- name: container02
- volumeMounts:
- - mountPath: /extra
- name: foobar
- volumes:
- - hostPath:
- path: /foo/bar
- name: foobar
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/annotate-base-images/01-policy.yaml b/test/conformance/kuttl/mutate/refactor/annotate-base-images/01-policy.yaml
deleted file mode 100644
index f3857739b0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/annotate-base-images/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- policy.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/annotate-base-images/02-resource.yaml b/test/conformance/kuttl/mutate/refactor/annotate-base-images/02-resource.yaml
deleted file mode 100644
index 7e08de156a..0000000000
--- a/test/conformance/kuttl/mutate/refactor/annotate-base-images/02-resource.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- resource.yaml
-assert:
-- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/annotate-base-images/README.md b/test/conformance/kuttl/mutate/refactor/annotate-base-images/README.md
deleted file mode 100644
index 4760c95418..0000000000
--- a/test/conformance/kuttl/mutate/refactor/annotate-base-images/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-## Description
-
-This is a test of the policy in this folder.
-
-Note: In order for this test to work on Pods emitted from Pod controllers, the Kyverno ConfigMap excludeGroups value may need to be modified to remove the entry for system:serviceaccounts:kube-system or else mutation may not occur.
-
-## Expected Behavior
-
-The resource is expected to be mutated so it resembles the specified asserted resource. If it does, the test passes. If it does not, it fails.
-
-## Reference Issue(s)
-
-N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/annotate-base-images/policy-ready.yaml b/test/conformance/kuttl/mutate/refactor/annotate-base-images/policy-ready.yaml
deleted file mode 100644
index cbdcf062cd..0000000000
--- a/test/conformance/kuttl/mutate/refactor/annotate-base-images/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: annotate-base-images
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/annotate-base-images/policy.yaml b/test/conformance/kuttl/mutate/refactor/annotate-base-images/policy.yaml
deleted file mode 100644
index f1034b75a5..0000000000
--- a/test/conformance/kuttl/mutate/refactor/annotate-base-images/policy.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: annotate-base-images
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: annotate-base-images
- annotations:
- policies.kyverno.io/title: Annotate Base Images
- policies.kyverno.io/category: Other
- policies.kyverno.io/severity: medium
- pod-policies.kyverno.io/autogen-controllers: none
- kyverno.io/kyverno-version: 1.7.0
- policies.kyverno.io/minversion: 1.7.0
- kyverno.io/kubernetes-version: "1.23"
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/description: >-
- A base image used to construct a container image is not accessible
- by any Kubernetes component and not a field in a Pod spec as it must
- be fetched from a registry. Having this information available in the resource
- referencing the containers helps to provide a clearer understanding of
- its contents. This policy adds an annotation to a Pod or its controllers
- with the base image used for each container if present in an OCI annotation.
-spec:
- rules:
- - name: mutate-base-image
- match:
- any:
- - resources:
- kinds:
- - Pod
- preconditions:
- all:
- - key: "{{request.operation || 'BACKGROUND'}}"
- operator: NotEquals
- value: DELETE
- mutate:
- foreach:
- - list: "request.object.spec.containers"
- context:
- - name: imageData
- imageRegistry:
- reference: "{{ element.image }}"
- - name: basename
- variable:
- jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name"
- default: ''
- patchesJson6902: |-
- - path: "/metadata/annotations/kyverno.io~1baseimages{{elementIndex}}"
- op: add
- value: "{{basename}}"
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/annotate-base-images/resource-mutated.yaml b/test/conformance/kuttl/mutate/refactor/annotate-base-images/resource-mutated.yaml
deleted file mode 100644
index 3342035fd5..0000000000
--- a/test/conformance/kuttl/mutate/refactor/annotate-base-images/resource-mutated.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- annotations:
- kyverno.io/baseimages0: distroless.dev/static:latest
- kyverno.io/baseimages1: cgr.dev/chainguard/static:latest
- name: testpodannotate
- namespace: annotate-base-images
-spec:
- containers:
- - image: ghcr.io/kyverno/kyverno:v1.8.0
- name: kyverno180
- - image: ghcr.io/kyverno/kyverno:v1.9.0
- name: kyverno190
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/annotate-base-images/resource.yaml b/test/conformance/kuttl/mutate/refactor/annotate-base-images/resource.yaml
deleted file mode 100644
index c9b9b12b38..0000000000
--- a/test/conformance/kuttl/mutate/refactor/annotate-base-images/resource.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: testpodannotate
- namespace: annotate-base-images
-spec:
- containers:
- - name: kyverno180
- image: ghcr.io/kyverno/kyverno:v1.8.0
- - name: kyverno190
- image: ghcr.io/kyverno/kyverno:v1.9.0
diff --git a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/01-policy.yaml b/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/01-policy.yaml
deleted file mode 100644
index f3857739b0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- policy.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/02-resource.yaml b/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/02-resource.yaml
deleted file mode 100644
index 7e08de156a..0000000000
--- a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/02-resource.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- resource.yaml
-assert:
-- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/README.md b/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/README.md
deleted file mode 100644
index 4760c95418..0000000000
--- a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-## Description
-
-This is a test of the policy in this folder.
-
-Note: In order for this test to work on Pods emitted from Pod controllers, the Kyverno ConfigMap excludeGroups value may need to be modified to remove the entry for system:serviceaccounts:kube-system or else mutation may not occur.
-
-## Expected Behavior
-
-The resource is expected to be mutated so it resembles the specified asserted resource. If it does, the test passes. If it does not, it fails.
-
-## Reference Issue(s)
-
-N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/policy-ready.yaml b/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/policy-ready.yaml
deleted file mode 100644
index 875489a78b..0000000000
--- a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: inject-env-var-from-image-label
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/policy.yaml b/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/policy.yaml
deleted file mode 100644
index 109b28368a..0000000000
--- a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/policy.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: inject-env-var-from-image-label
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: inject-env-var-from-image-label
- annotations:
- policies.kyverno.io/title: Inject Env Var from Image Label
- policies.kyverno.io/category: Other
- policies.kyverno.io/severity: medium
- pod-policies.kyverno.io/autogen-controllers: none
- kyverno.io/kyverno-version: 1.6.0
- policies.kyverno.io/minversion: 1.7.0
- kyverno.io/kubernetes-version: "1.23"
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/description: >-
- Container images which use metadata such as the LABEL directive in a Dockerfile
- do not surface this information to apps running within. In some cases, running the image
- as a container may need access to this information. This policy injects the value of a label
- set in a Dockerfile named `maintainer` as an environment variable to the corresponding container
- in the Pod.
-spec:
- rules:
- - name: add-env-maintainer
- match:
- any:
- - resources:
- kinds:
- - Pod
- preconditions:
- all:
- - key: "{{request.operation || 'BACKGROUND'}}"
- operator: NotEquals
- value: DELETE
- mutate:
- foreach:
- - list: "request.object.spec.containers"
- context:
- - name: maintainer
- imageRegistry:
- reference: "{{ element.image }}"
- jmesPath: "configData.config.Labels.maintainer || ''"
- preconditions:
- all:
- - key: "{{maintainer}}"
- operator: NotEquals
- value: ""
- patchesJson6902: |-
- - op: add
- path: "/spec/containers/{{elementIndex}}/env/-"
- value:
- name: MAINTAINER
- value: "{{maintainer}}"
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/resource-mutated.yaml b/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/resource-mutated.yaml
deleted file mode 100644
index 20e4404966..0000000000
--- a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/resource-mutated.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: testpodlabel
- namespace: inject-env-var-from-image-label
-spec:
- containers:
- - env:
- - name: MAINTAINER
- value: NGINX Docker Maintainers
- image: docker.io/nginx@sha256:63b44e8ddb83d5dd8020327c1f40436e37a6fffd3ef2498a6204df23be6e7e94
- name: nginx
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/resource.yaml b/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/resource.yaml
deleted file mode 100644
index 5fa437cba0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/inject-env-var-from-image-label/resource.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: testpodlabel
- namespace: inject-env-var-from-image-label
-spec:
- containers:
- - name: nginx
- image: docker.io/nginx@sha256:63b44e8ddb83d5dd8020327c1f40436e37a6fffd3ef2498a6204df23be6e7e94
diff --git a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/01-policy.yaml b/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/01-policy.yaml
deleted file mode 100644
index f3857739b0..0000000000
--- a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- policy.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/02-resource.yaml b/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/02-resource.yaml
deleted file mode 100644
index 7e08de156a..0000000000
--- a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/02-resource.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- resource.yaml
-assert:
-- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/README.md b/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/README.md
deleted file mode 100644
index 1e9be3bf91..0000000000
--- a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-## Description
-
-This is a test of the policy in this folder.
-
-## Expected Behavior
-
-The resource is expected to be mutated so it resembles the specified asserted resource. If it does, the test passes. If it does not, it fails.
-
-## Reference Issue(s)
-
-N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/policy-ready.yaml b/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/policy-ready.yaml
deleted file mode 100644
index cffd63c835..0000000000
--- a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v2beta1
-kind: ClusterPolicy
-metadata:
- name: replace-ingress-hosts
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/policy.yaml b/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/policy.yaml
deleted file mode 100644
index 929ecfb0c5..0000000000
--- a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/policy.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: replace-ingress-hosts
----
-apiVersion: kyverno.io/v2beta1
-kind: ClusterPolicy
-metadata:
- name: replace-ingress-hosts
- annotations:
- policies.kyverno.io/title: Replace Ingress Hosts
- policies.kyverno.io/category: Other
- policies.kyverno.io/severity: medium
- kyverno.io/kyverno-version: 1.9.0
- policies.kyverno.io/minversion: 1.9.0
- kyverno.io/kubernetes-version: "1.24"
- policies.kyverno.io/subject: Ingress
- policies.kyverno.io/description: >-
- An Ingress may specify host names at a variety of locations in the same resource.
- In some cases, those host names should be modified to, for example, update domain names
- silently. The replacement must be done in all the fields where a host name can be specified.
- This policy, illustrating the use of nested foreach loops and operable in Kyverno 1.9+, replaces
- host names that end with `old.com` with `new.com`.
-spec:
- background: false
- rules:
- - name: replace-old-with-new
- match:
- any:
- - resources:
- kinds:
- - Ingress
- mutate:
- foreach:
- - list: request.object.spec.rules
- patchesJson6902: |-
- - path: /spec/rules/{{elementIndex}}/host
- op: replace
- value: {{replace_all('{{element.host}}', '.old.com', '.new.com')}}
- - list: request.object.spec.tls[]
- foreach:
- - list: "element.hosts"
- patchesJson6902: |-
- - path: /spec/tls/{{elementIndex0}}/hosts/{{elementIndex1}}
- op: replace
- value: "{{ replace_all('{{element}}', '.old.com', '.new.com') }}"
- - list: request.object.spec.tls[]
- patchesJson6902: |-
- - path: /spec/tls/{{elementIndex}}/secretName
- op: replace
- value: "{{ replace_all('{{element.secretName}}', '.old.com', '.new.com') }}"
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/resource-mutated.yaml b/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/resource-mutated.yaml
deleted file mode 100644
index 7127f77a0b..0000000000
--- a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/resource-mutated.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- labels:
- app: kuard
- name: kuard
- namespace: replace-ingress-hosts
-spec:
- rules:
- - host: kuard.new.com
- http:
- paths:
- - backend:
- service:
- name: kuard
- port:
- number: 8080
- path: /
- pathType: ImplementationSpecific
- - host: hr.new.com
- http:
- paths:
- - backend:
- service:
- name: kuard
- port:
- number: 8090
- path: /myhr
- pathType: ImplementationSpecific
- tls:
- - hosts:
- - kuard.new.com
- - kuard-foo.new.com
- secretName: foosecret.new.com
- - hosts:
- - hr.new.com
- secretName: hr.new.com
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/resource.yaml b/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/resource.yaml
deleted file mode 100644
index 59f2ecb383..0000000000
--- a/test/conformance/kuttl/mutate/refactor/replace-ingress-hosts/resource.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: kuard
- namespace: replace-ingress-hosts
- labels:
- app: kuard
-spec:
- rules:
- - host: kuard.old.com
- http:
- paths:
- - backend:
- service:
- name: kuard
- port:
- number: 8080
- path: /
- pathType: ImplementationSpecific
- - host: hr.old.com
- http:
- paths:
- - backend:
- service:
- name: kuard
- port:
- number: 8090
- path: /myhr
- pathType: ImplementationSpecific
- tls:
- - hosts:
- - kuard.old.com
- - kuard-foo.old.com
- secretName: foosecret.old.com
- - hosts:
- - hr.old.com
- secretName: hr.old.com
\ No newline at end of file