From 21da0f335e5fb568748cc96e34924746f432c36c Mon Sep 17 00:00:00 2001 From: Chip Zoller Date: Tue, 29 Nov 2022 03:40:57 -0500 Subject: [PATCH] Migrate all mutate e2e tests to kuttl and expand (#5491) * add jmespath-logic test Signed-off-by: Chip Zoller * add simple-conditional test Signed-off-by: Chip Zoller * add variables-in-keys test Signed-off-by: Chip Zoller * add patchesjson6902-simple Signed-off-by: Chip Zoller * add foreach-patchStrategicMerge-preconditions test Signed-off-by: Chip Zoller * add patchStrategicMerge-global test Signed-off-by: Chip Zoller * add patchStrategicMerge-global-addifnotpresent test Signed-off-by: Chip Zoller * add patchesJson6902-replace test Signed-off-by: Chip Zoller * adjust "basic" mutate existing test to prep for e2e migrations Signed-off-by: Chip Zoller * add basic-create test (mutate existing) Signed-off-by: Chip Zoller * add basic-delete test (mutate existing) Signed-off-by: Chip Zoller * add basic-create-policy test (mutate existing) Signed-off-by: Chip Zoller * add basic-create-patchesJson6902 test (mutate existing) Signed-off-by: Chip Zoller * change name to avoid deletion race Signed-off-by: Chip Zoller 
Signed-off-by: Chip Zoller Co-authored-by: shuting --- test/conformance/kuttl/kuttl-test.yaml | 1 + .../01-assert.yaml | 9 +++ .../01-manifests.yaml | 45 +++++++++++ .../02-create-cm.yaml | 7 ++ .../03-assert.yaml | 7 ++ .../basic-create-patchesJson6902/README.md | 11 +++ .../cleanup.yaml} | 0 .../basic-create-policy/01-manifests.yaml | 25 ++++++ .../basic-create-policy/02-assert.yaml | 9 +++ .../02-create-clusterpolicy.yaml | 27 +++++++ .../basic-create-policy/03-assert.yaml | 7 ++ .../existing/basic-create-policy/README.md | 11 +++ .../existing/basic-create-policy/cleanup.yaml | 4 + .../{basic => basic-create}/01-assert.yaml | 0 .../existing/basic-create/01-manifests.yaml | 45 +++++++++++ .../existing/basic-create/02-create-cm.yaml | 7 ++ .../{basic => basic-create}/03-assert.yaml | 0 .../standard/existing/basic-create/README.md | 11 +++ .../existing/basic-create/cleanup.yaml | 4 + .../existing/basic-delete/01-assert.yaml | 9 +++ .../existing/basic-delete/01-manifests.yaml | 58 ++++++++++++++ .../existing/basic-delete/02-delete-cm.yaml | 7 ++ .../existing/basic-delete/03-assert.yaml | 7 ++ .../standard/existing/basic-delete/README.md | 11 +++ .../existing/basic-delete/cleanup.yaml | 4 + .../existing/basic-update/01-assert.yaml | 9 +++ .../{basic => basic-update}/01-manifests.yaml | 5 +- .../{basic => basic-update}/02-edit-cm.yaml | 0 .../existing/basic-update/03-assert.yaml | 7 ++ .../standard/existing/basic-update/README.md | 11 +++ .../existing/basic-update/cleanup.yaml | 4 + .../standard/existing/basic/README.md | 3 - .../01-policy.yaml | 6 ++ .../02-resource.yaml | 6 ++ .../README.md | 11 +++ .../policy-ready.yaml | 9 +++ .../policy.yaml | 32 ++++++++ .../resource-mutated.yaml | 9 +++ .../resource.yaml | 9 +++ .../e2e/jmespath-logic/01-manifests.yaml | 6 ++ .../e2e/jmespath-logic/02-resource-one.yaml | 6 ++ .../e2e/jmespath-logic/03-policy-two.yaml | 22 ++++++ .../e2e/jmespath-logic/04-resource-two.yaml | 6 ++ .../kuttl/mutate/e2e/jmespath-logic/README.md | 
11 +++ .../mutate/e2e/jmespath-logic/manifests.yaml | 38 +++++++++ .../e2e/jmespath-logic/policy-one-ready.yaml | 9 +++ .../e2e/jmespath-logic/resource-mutated.yaml | 8 ++ .../jmespath-logic/resource-two-mutated.yaml | 8 ++ .../e2e/jmespath-logic/resource-two.yaml | 10 +++ .../mutate/e2e/jmespath-logic/resource.yaml | 10 +++ .../01-policy.yaml | 6 ++ .../02-resource.yaml | 6 ++ .../03-resource.yaml | 6 ++ .../README.md | 11 +++ .../policy-ready.yaml | 9 +++ .../policy.yaml | 35 +++++++++ .../resource01-mutated.yaml | 7 ++ .../resource01.yaml | 17 ++++ .../resource02-mutated.yaml | 7 ++ .../resource02.yaml | 19 +++++ .../patchStrategicMerge-global/01-policy.yaml | 6 ++ .../02-resource.yaml | 6 ++ .../e2e/patchStrategicMerge-global/README.md | 11 +++ .../policy-ready.yaml | 9 +++ .../patchStrategicMerge-global/policy.yaml | 20 +++++ .../resource-mutated.yaml | 11 +++ .../patchStrategicMerge-global/resource.yaml | 9 +++ .../patchesJson6902-replace/01-policy.yaml | 6 ++ .../patchesJson6902-replace/02-resource.yaml | 6 ++ .../e2e/patchesJson6902-replace/README.md | 11 +++ .../patchesJson6902-replace/policy-ready.yaml | 9 +++ .../e2e/patchesJson6902-replace/policy.yaml | 17 ++++ .../resource-mutated.yaml | 22 ++++++ .../e2e/patchesJson6902-replace/resource.yaml | 22 ++++++ .../e2e/patchesjson6902-simple/01-policy.yaml | 6 ++ .../patchesjson6902-simple/02-resource.yaml | 6 ++ .../e2e/patchesjson6902-simple/README.md | 11 +++ .../patchesjson6902-simple/policy-ready.yaml | 9 +++ .../e2e/patchesjson6902-simple/policy.yaml | 77 +++++++++++++++++++ .../resource-mutated.yaml | 29 +++++++ .../e2e/patchesjson6902-simple/resource.yaml | 27 +++++++ .../e2e/simple-conditional/01-policy.yaml | 6 ++ .../e2e/simple-conditional/02-resource.yaml | 6 ++ .../e2e/simple-conditional/03-resource.yaml | 6 ++ .../mutate/e2e/simple-conditional/README.md | 11 +++ .../e2e/simple-conditional/pod1-mutated.yaml | 15 ++++ .../mutate/e2e/simple-conditional/pod1.yaml | 11 +++ 
.../e2e/simple-conditional/pod2-mutated.yaml | 20 +++++ .../mutate/e2e/simple-conditional/pod2.yaml | 14 ++++ .../e2e/simple-conditional/policy-ready.yaml | 9 +++ .../mutate/e2e/simple-conditional/policy.yaml | 25 ++++++ .../e2e/variables-in-keys/01-policy.yaml | 6 ++ .../e2e/variables-in-keys/02-resource.yaml | 6 ++ .../mutate/e2e/variables-in-keys/README.md | 11 +++ .../e2e/variables-in-keys/policy-ready.yaml | 9 +++ .../mutate/e2e/variables-in-keys/policy.yaml | 20 +++++ .../variables-in-keys/resource-mutated.yaml | 45 +++++++++++ .../e2e/variables-in-keys/resource.yaml | 44 +++++++++++ 98 files changed, 1293 insertions(+), 5 deletions(-) create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-assert.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-manifests.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/02-create-cm.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/03-assert.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/README.md rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/{basic/99-cleanup.yaml => basic-create-patchesJson6902/cleanup.yaml} (100%) create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/01-manifests.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/02-assert.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/02-create-clusterpolicy.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/03-assert.yaml create mode 100644 
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/README.md create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/cleanup.yaml rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/{basic => basic-create}/01-assert.yaml (100%) create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/01-manifests.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/02-create-cm.yaml rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/{basic => basic-create}/03-assert.yaml (100%) create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/README.md create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/cleanup.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-assert.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-manifests.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/02-delete-cm.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/03-assert.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/README.md create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/cleanup.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/01-assert.yaml rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/{basic => basic-update}/01-manifests.yaml (88%) rename test/conformance/kuttl/mutate/clusterpolicy/standard/existing/{basic => basic-update}/02-edit-cm.yaml (100%) create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/03-assert.yaml create mode 100644 
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/README.md create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/cleanup.yaml delete mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/README.md create mode 100644 test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/01-policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/02-resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/README.md create mode 100644 test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy-ready.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource-mutated.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/jmespath-logic/01-manifests.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/jmespath-logic/02-resource-one.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/jmespath-logic/03-policy-two.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/jmespath-logic/04-resource-two.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/jmespath-logic/README.md create mode 100644 test/conformance/kuttl/mutate/e2e/jmespath-logic/manifests.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/jmespath-logic/policy-one-ready.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-mutated.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-two-mutated.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-two.yaml create mode 100644 
test/conformance/kuttl/mutate/e2e/jmespath-logic/resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/01-policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/02-resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/03-resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/README.md create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy-ready.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01-mutated.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02-mutated.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/01-policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/02-resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/README.md create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/policy-ready.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/resource-mutated.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/01-policy.yaml create mode 100644 
test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/02-resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/README.md create mode 100644 test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/policy-ready.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/resource-mutated.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/01-policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/02-resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/README.md create mode 100644 test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/policy-ready.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/resource-mutated.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/simple-conditional/01-policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/simple-conditional/02-resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/simple-conditional/03-resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/simple-conditional/README.md create mode 100644 test/conformance/kuttl/mutate/e2e/simple-conditional/pod1-mutated.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/simple-conditional/pod1.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/simple-conditional/pod2-mutated.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/simple-conditional/pod2.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/simple-conditional/policy-ready.yaml create mode 100644 
test/conformance/kuttl/mutate/e2e/simple-conditional/policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/variables-in-keys/01-policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/variables-in-keys/02-resource.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/variables-in-keys/README.md create mode 100644 test/conformance/kuttl/mutate/e2e/variables-in-keys/policy-ready.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/variables-in-keys/policy.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/variables-in-keys/resource-mutated.yaml create mode 100644 test/conformance/kuttl/mutate/e2e/variables-in-keys/resource.yaml diff --git a/test/conformance/kuttl/kuttl-test.yaml b/test/conformance/kuttl/kuttl-test.yaml index 7ce371f801..f322e903ad 100644 --- a/test/conformance/kuttl/kuttl-test.yaml +++ b/test/conformance/kuttl/kuttl-test.yaml @@ -14,6 +14,7 @@ testDirs: # - ./test/conformance/kuttl/generate/policy/standard/data/nosync - ./test/conformance/kuttl/generate/clusterpolicy/cornercases # Mutate tests +- ./test/conformance/kuttl/mutate/e2e - ./test/conformance/kuttl/mutate/clusterpolicy/standard - ./test/conformance/kuttl/mutate/clusterpolicy/standard/existing - ./test/conformance/kuttl/mutate/clusterpolicy/cornercases diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-assert.yaml new file mode 100644 index 0000000000..408b0e16e6 --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-post-mutation +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-manifests.yaml
new file mode 100644
index 0000000000..80cf0e4b05
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-manifests.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-4
+ labels:
+ app-type: corp
+ annotations:
+ cloud.platformzero.com/serviceClass: "xl2"
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: test-secret-4
+ namespace: staging-4
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-post-mutation
+spec:
+ mutateExistingOnPolicyUpdate: false
+ rules:
+ - name: mutate-secret-on-configmap-update
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - dictionary-4
+ namespaces:
+ - staging-4
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: Secret
+ name: test-secret-4
+ namespace: "{{ request.object.metadata.namespace }}"
+ patchesJson6902: |-
+ - op: add
+ path: "/metadata/labels/env"
+ value: "{{ request.object.metadata.namespace }}"
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/02-create-cm.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/02-create-cm.yaml
new file mode 100644
index 0000000000..45450b350f
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/02-create-cm.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: dictionary-4
+ namespace: staging-4
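Review bot: In basic-create-patchesJson6902/01-manifests.yaml the Secret `test-secret-4` is created without a `metadata.labels` map, while the policy's patch is an `op: add` on `/metadata/labels/env`. Under strict RFC 6902 an `add` whose parent member does not exist is an error, so this test passes only if Kyverno creates the missing parent; that may well be intended, but nothing in the test says so. I would state it in the README's Expected Behavior (for example `The Secret starts without labels, so the patch must also create /metadata/labels`) and consider a second target Secret that already carries labels, so that both the missing-parent and the existing-parent paths are asserted.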
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/03-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/03-assert.yaml
new file mode 100644
index 0000000000..3bfa536220
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/03-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: test-secret-4
+ namespace: staging-4
+ labels:
+ env: staging-4
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/README.md
new file mode 100644
index 0000000000..e84be6698f
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic test for the mutate existing capability, using a JSON patch, which ensures that creating a triggering resource results in the correct mutation of a different resource.
+
+## Expected Behavior
+
+When the `dictionary-4` ConfigMap is created, this should result in the mutation of the Secret named `test-secret-4` within the same Namespace to add the label `env` with value set to the name of the triggering resource's Namespace, `staging-4`. If the Secret is mutated so that the label `env: staging-4` is present, the test passes. If not, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/99-cleanup.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/cleanup.yaml
similarity index 100%
rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/99-cleanup.yaml
rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/cleanup.yaml
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/01-manifests.yaml
new file mode 100644
index 0000000000..cb4d8995f2
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/01-manifests.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-3
+ labels:
+ app-type: corp
+ annotations:
+ cloud.platformzero.com/serviceClass: "xl2"
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: test-secret-3
+ namespace: staging-3
+type: Opaque
+---
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: dictionary-3
+ namespace: staging-3
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/02-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/02-assert.yaml
new file mode 100644
index 0000000000..b70ab41388
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/02-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-post-mutation-create-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/02-create-clusterpolicy.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/02-create-clusterpolicy.yaml
new file mode 100644
index 0000000000..567c245479
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/02-create-clusterpolicy.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-post-mutation-create-policy
+spec:
+ mutateExistingOnPolicyUpdate: true
+ rules:
+ - name: mutate-secret-on-policy-create
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - dictionary-3
+ namespaces:
+ - staging-3
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: Secret
+ name: test-secret-3
+ namespace: "{{ request.object.metadata.namespace }}"
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: "{{ request.object.metadata.name }}"
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/03-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/03-assert.yaml
new file mode 100644
index 0000000000..75ab23d4d5
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/03-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: test-secret-3
+ namespace: staging-3
+ labels:
+ foo: dictionary-3
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/README.md
new file mode 100644
index 0000000000..c5cd9fb8c8
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic test for the mutate existing capability which ensures that creating of a Kyverno ClusterPolicy causes immediate mutation of downstream targets by setting `mutateExistingOnPolicyUpdate: true`.
+
+## Expected Behavior
+
+When the ClusterPolicy is created, at that time it should mutate the `test-secret-3` Secret in the `staging-3` Namespace to add a label with key `foo` the value of which should be the name of the defined triggering resource, `dictionary-3`. If this mutation is done, the test passes. If not, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/cleanup.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/cleanup.yaml
new file mode 100644
index 0000000000..15c3c49051
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/01-assert.yaml
similarity index 100%
rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-assert.yaml
rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/01-assert.yaml
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/01-manifests.yaml
new file mode 100644
index 0000000000..dfe8dfbaf1
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/01-manifests.yaml
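Review bot: basic-create-policy/cleanup.yaml deletes only `01-manifests.yaml`, but in this test the ClusterPolicy `test-post-mutation-create-policy` is created from `02-create-clusterpolicy.yaml`, so the one cluster-scoped object, a policy that writes to a Secret, is exactly what the command leaves behind. The file also has no numeric step prefix, and as far as I know kuttl only executes step files named `NN-*.yaml`, so it is probably never run as part of the test; the same holds for the identical cleanup.yaml added under basic-create, basic-delete and basic-update. If it is meant as a manual helper, a header comment such as `# not a kuttl step; run by hand after an aborted test` would say so, and the command here should become `kubectl delete -f 01-manifests.yaml -f 02-create-clusterpolicy.yaml --force --wait=true --ignore-not-found=true`.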
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging
+ labels:
+ app-type: corp
+ annotations:
+ cloud.platformzero.com/serviceClass: "xl2"
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: secret-1
+ namespace: staging
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-existing-secret
+spec:
+ mutateExistingOnPolicyUpdate: false
+ rules:
+ - name: mutate-secret-on-configmap-create
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - dictionary-1
+ namespaces:
+ - staging
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: Secret
+ name: secret-1
+ namespace: "{{ request.object.metadata.namespace }}"
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/02-create-cm.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/02-create-cm.yaml
new file mode 100644
index 0000000000..b458868bc4
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/02-create-cm.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: dictionary-1
+ namespace: staging
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/03-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/03-assert.yaml
similarity index 100%
rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/03-assert.yaml
rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/03-assert.yaml
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/README.md
new file mode 100644
index 0000000000..8e0d03f4f6
--- /dev/null
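Review bot: basic-create/01-manifests.yaml reuses the Namespace `staging`, Secret `secret-1`, trigger `dictionary-1` and ClusterPolicy name `mutate-existing-secret` that basic-update also uses (its 01-assert.yaml and 03-assert.yaml in this patch assert the same names), and both tests expect the same label `foo: bar`. Namespace and ClusterPolicy are cluster-scoped, so the two tests can interfere if they overlap or if one starts while the other's namespace is still terminating, and either 03-assert can be satisfied by the other test's mutation. The other tests added here avoid this with `-2`/`-3`/`-4` suffixes; giving this test its own names and a label value that only its policy writes would make a pass attributable to this policy. The 01-assert.yaml and 03-assert.yaml renamed at 100% similarity would need the same rename.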
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic test for the mutate existing capability which ensures that creating a triggering resource results in the correct mutation of a different resource.
+
+## Expected Behavior
+
+When the `dictionary-1` ConfigMap is created, this should result in the mutation of the Secret named `secret-1` within the same Namespace to add the label `foo: bar`. If the Secret is mutated so that the label `foo: bar` is present, the test passes. If not, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/cleanup.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/cleanup.yaml
new file mode 100644
index 0000000000..15c3c49051
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-assert.yaml
new file mode 100644
index 0000000000..0ac1ea7dcc
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-post-mutation-delete-trigger
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-manifests.yaml
new file mode 100644
index 0000000000..706fb39f53
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-manifests.yaml
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-2
+ labels:
+ app-type: corp
+ annotations:
+ cloud.platformzero.com/serviceClass: "xl2"
+---
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: dictionary-2
+ namespace: staging-2
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: test-secret-2
+ namespace: staging-2
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-post-mutation-delete-trigger
+spec:
+ mutateExistingOnPolicyUpdate: false
+ rules:
+ - name: mutate-secret-on-configmap-delete
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - dictionary-2
+ namespaces:
+ - staging-2
+ preconditions:
+ any:
+ - key: "{{ request.operation }}"
+ operator: Equals
+ value: DELETE
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: Secret
+ name: test-secret-2
+ namespace: "{{ request.object.metadata.namespace }}"
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: "{{ request.object.metadata.name }}"
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/02-delete-cm.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/02-delete-cm.yaml
new file mode 100644
index 0000000000..82f33a28bc
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/02-delete-cm.yaml
@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: v1
+ kind: ConfigMap
+ name: dictionary-2
+ namespace: staging-2
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/03-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/03-assert.yaml
new file mode 100644
index 0000000000..fc44140bd6
--- /dev/null
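Review bot: The rule in basic-delete/01-manifests.yaml is gated on `request.operation` equal to `DELETE`, yet the target namespace and the label value are both read from `request.object`, which a Kubernetes admission request leaves null on DELETE (the deleted object is carried in `oldObject`). The expected label `foo: dictionary-2` therefore depends on Kyverno resolving `request.object` from the old object for delete requests, which I believe it does but which nothing in the test states. A comment above the `targets:` block, for example `# DELETE: request.object is resolved from request.oldObject by Kyverno`, would tell a reader the dependency is deliberate; if it is not, `{{ request.oldObject.metadata.name }}` is the explicit form.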
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/03-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: test-secret-2
+ namespace: staging-2
+ labels:
+ foo: dictionary-2
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/README.md
new file mode 100644
index 0000000000..9abd9c3007
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic test for the mutate existing capability which ensures that specifically deleting a triggering resource, via a precondition, results in the correct mutation of a different resource.
+
+## Expected Behavior
+
+When the `dictionary-2` ConfigMap is deleted, this should result in the mutation of the Secret named `test-secret-2` within the same Namespace to add the label `foo` with value set to the name or `dictionary-2` in this case. If the Secret is mutated so that the label `foo: dictionary-2` is present, the test passes. If not, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/cleanup.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/cleanup.yaml
new file mode 100644
index 0000000000..15c3c49051
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/01-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/01-assert.yaml new file mode 100644 index 0000000000..450edc769b --- /dev/null +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-existing-secret +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/01-manifests.yaml similarity index 88% rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-manifests.yaml rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/01-manifests.yaml index 8400e934c9..ac233b57d3 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-manifests.yaml +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/01-manifests.yaml @@ -27,10 +27,11 @@ type: Opaque apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: "mutate-existing-secret" + name: mutate-existing-secret spec: + mutateExistingOnPolicyUpdate: false rules: - - name: "mutate-secret-on-configmap-event" + - name: mutate-secret-on-configmap-event match: any: - resources: diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/02-edit-cm.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/02-edit-cm.yaml similarity index 100% rename from test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/02-edit-cm.yaml rename to test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/02-edit-cm.yaml 
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/03-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/03-assert.yaml
new file mode 100644
index 0000000000..5e7a224346
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/03-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: secret-1
+ namespace: staging
+ labels:
+ foo: bar
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/README.md
new file mode 100644
index 0000000000..7afed002ff
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic test for the mutate existing capability which ensures that modifying (updating) a triggering resource results in the correct mutation of a different resource.
+
+## Expected Behavior
+
+When the `dictionary-1` ConfigMap is updated, this should result in the mutation of the Secret named `secret-1` within the same Namespace to add the label `foo: bar`. If the Secret is mutated so that the label `foo: bar` is present, the test passes. If not, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/cleanup.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/cleanup.yaml
new file mode 100644
index 0000000000..15c3c49051
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/README.md
deleted file mode 100644
index 3f13a0c273..0000000000
--- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Title
-
-This is a test for mutation of existing resources.
diff --git a/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/01-policy.yaml b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/01-policy.yaml
new file mode 100644
index 0000000000..f3857739b0
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/02-resource.yaml b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/02-resource.yaml
new file mode 100644
index 0000000000..7e08de156a
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/02-resource.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
+assert:
+- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/README.md b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/README.md
new file mode 100644
index 0000000000..92b1a44e9d
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a migrated test from e2e. It tests that preconditions inside a foreach loop are substituted properly. Preconditions, in this case, use predefined variables from image registries and so this is a secondary aspect to the test.
+
+## Expected Behavior
+
+The containers with images from `docker.io` should be mutated so the value of the `image` field with respect to the registry is replaced with `my-private-registry`. Therefore, the input image `nginx:1.14.2` (which implicitly is equal to `docker.io/nginx:1.14.2`) is mutated so the output is `my-private-registry/nginx:1.14.2`. If this occurs, the test passes. If this is not done, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy-ready.yaml b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy-ready.yaml
new file mode 100644
index 0000000000..ad1a1e1f5a
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: replace-docker-hub
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy.yaml b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy.yaml
new file mode 100644
index 0000000000..caca23b03f
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: replace-docker-hub
+spec:
+ rules:
+ - name: replace-docker-hub
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.operation}}"
+ operator: AnyIn
+ value:
+ - CREATE
+ - UPDATE
+ mutate:
+ foreach:
+ - list: "request.object.spec.containers"
+ preconditions:
+ all:
+ - key: '{{images.containers."{{element.name}}".registry}}'
+ operator: Equals
+ value: 'docker.io'
+ patchStrategicMerge:
+ spec:
+ containers:
+ - name: "{{ element.name }}"
+ image: 'my-private-registry/{{images.containers."{{element.name}}".path}}:{{images.containers."{{element.name}}".tag}}'
diff --git a/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource-mutated.yaml b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource-mutated.yaml
new file mode 100644
index 0000000000..7697fb359c
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource-mutated.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: my-private-registry/nginx:1.14.2
diff --git a/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource.yaml b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource.yaml
new file mode 100644
index 0000000000..72ec5a2292
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
diff --git a/test/conformance/kuttl/mutate/e2e/jmespath-logic/01-manifests.yaml b/test/conformance/kuttl/mutate/e2e/jmespath-logic/01-manifests.yaml
new file mode 100644
index 0000000000..40834088b2
--- /dev/null
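Review bot: `resource.yaml` holds a single container whose image resolves to `docker.io`, so the per-element precondition in `foreach-patchStrategicMerge-preconditions/policy.yaml` is only ever exercised on its true branch; a policy that rewrote every image would pass this test as well. Add a second container from another registry to `resource.yaml` and assert in `resource-mutated.yaml` that its image is left unchanged. The rewritten value is assembled from `path` and `tag` only, so an image pinned by digest would presumably lose its pin; if that case is in scope it deserves its own fixture. The same positive-only pattern applies to the `patchStrategicMerge-global` and `patchStrategicMerge-global-addifnotpresent` tests added later in this patch.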
+++ b/test/conformance/kuttl/mutate/e2e/jmespath-logic/01-manifests.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- manifests.yaml
+assert:
+- policy-one-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/jmespath-logic/02-resource-one.yaml b/test/conformance/kuttl/mutate/e2e/jmespath-logic/02-resource-one.yaml
new file mode 100644
index 0000000000..7e08de156a
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/jmespath-logic/02-resource-one.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
+assert:
+- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/jmespath-logic/03-policy-two.yaml b/test/conformance/kuttl/mutate/e2e/jmespath-logic/03-policy-two.yaml
new file mode 100644
index 0000000000..dd4f8b3ba2
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/jmespath-logic/03-policy-two.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-policy
+spec:
+ rules:
+ - name: gen-role
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ context:
+ - name: labelValue
+ apiCall:
+ urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}/configmaps"
+ jmesPath: "items[?metadata.name == 'source'].metadata.labels.\"kyverno.key/copy-me\" | [0]"
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ +(kyverno.key/copy-me): "{{ labelValue }}"
diff --git a/test/conformance/kuttl/mutate/e2e/jmespath-logic/04-resource-two.yaml b/test/conformance/kuttl/mutate/e2e/jmespath-logic/04-resource-two.yaml
new file mode 100644
index 0000000000..0f31913c65
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/jmespath-logic/04-resource-two.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource-two.yaml
+assert:
+- resource-two-mutated.yaml
\ No newline at end of file
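Review bot: `jmespath-logic/03-policy-two.yaml` replaces the ClusterPolicy `mutate-policy` from step 01, but both versions write the same `kyverno.key/copy-me: sample-value` label, so the step 04 assertion cannot tell which version handled `targettwo`. Nothing between steps 03 and 04 waits for the updated policy to be in effect, so the second JMESPath form may never be the one under test while the run still passes. Give the second version a distinguishable result (a different label key or source value) and assert on that in `resource-two-mutated.yaml`. The rule name `gen-role` also does not describe a mutate rule; a name such as `copy-label-from-source` would read better.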
diff --git a/test/conformance/kuttl/mutate/e2e/jmespath-logic/README.md b/test/conformance/kuttl/mutate/e2e/jmespath-logic/README.md
new file mode 100644
index 0000000000..3b283f1498
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/jmespath-logic/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is test migrated from e2e which roughly tests that mutations are successful when the value of key being mutated contains both a context variable as well as a context variable plus additional JMESPath filtering in that variable reference. The test migrated here to kuttl represents a condensed version of the original test to eliminate minor redundancy.
+
+## Expected Behavior
+
+The mutated ConfigMap should have a label written to it `kyverno.key/copy-me: sample-value`. If this is so, the test passes. If it is not, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/kuttl/mutate/e2e/jmespath-logic/manifests.yaml b/test/conformance/kuttl/mutate/e2e/jmespath-logic/manifests.yaml
new file mode 100644
index 0000000000..bd043f2628
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/jmespath-logic/manifests.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: mutate-jmespath
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-policy
+spec:
+ rules:
+ - name: gen-role
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ context:
+ - name: labelValue
+ apiCall:
+ urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}/configmaps"
+ jmesPath: "items[*]"
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ +(kyverno.key/copy-me): "{{ labelValue[?metadata.name == 'source'].metadata.labels.\"kyverno.key/copy-me\" | [0] }}"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: source
+ namespace: mutate-jmespath
+ labels:
+ kyverno.key/copy-me: sample-value
+data:
+ data.yaml: |
+ some: data
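Review bot: The ClusterPolicy in `jmespath-logic/manifests.yaml` matches every ConfigMap in the cluster and lists the ConfigMaps of the request's namespace for each admission, although the test only concerns `mutate-jmespath`; `03-policy-two.yaml` keeps the same match. While the policy is installed, ConfigMaps created by other tests are evaluated against it, and in a namespace without a `source` ConfigMap the lookup yields nothing, so the outcome for those requests depends on how the engine treats the unresolved value. Scoping the match keeps the test self-contained: add `namespaces:` with `- mutate-jmespath` under `resources:`, the way the basic-delete policy restricts itself to `staging-2`.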
diff --git a/test/conformance/kuttl/mutate/e2e/jmespath-logic/policy-one-ready.yaml b/test/conformance/kuttl/mutate/e2e/jmespath-logic/policy-one-ready.yaml
new file mode 100644
index 0000000000..d2e0f36f4a
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/jmespath-logic/policy-one-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-mutated.yaml b/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-mutated.yaml
new file mode 100644
index 0000000000..cdf67411a2
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-mutated.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ kyverno.key/copy-from: source
+ kyverno.key/copy-me: sample-value
+ name: target
+ namespace: mutate-jmespath
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-two-mutated.yaml b/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-two-mutated.yaml
new file mode 100644
index 0000000000..ef40ed5963
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-two-mutated.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ kyverno.key/copy-from: source
+ kyverno.key/copy-me: sample-value
+ name: targettwo
+ namespace: mutate-jmespath
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-two.yaml b/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-two.yaml
new file mode 100644
index 0000000000..61ff26c769
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-two.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: targettwo
+ namespace: mutate-jmespath
+ labels:
+ kyverno.key/copy-from: source
+data:
+ data.yaml: |
+ some: data
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource.yaml b/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource.yaml
new file mode 100644
index 0000000000..a8c927cd19
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/jmespath-logic/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: target
+ namespace: mutate-jmespath
+ labels:
+ kyverno.key/copy-from: source
+data:
+ data.yaml: |
+ some: data
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/01-policy.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/01-policy.yaml
new file mode 100644
index 0000000000..f3857739b0
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/02-resource.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/02-resource.yaml
new file mode 100644
index 0000000000..5b0f6b47e6
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/02-resource.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource01.yaml
+assert:
+- resource01-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/03-resource.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/03-resource.yaml
new file mode 100644
index 0000000000..ad0737fa63
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/03-resource.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource02.yaml
+assert:
+- resource02-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/README.md b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/README.md
new file mode 100644
index 0000000000..50d4c96551
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a migration from e2e. It tests for a combination of the global anchor plus the add-if-not-present anchor in a patchStrategicMerge mutate policy with two rules.
+
+## Expected Behavior
+
+Two tests are conducted. In the first, if a Pod contains an emptyDir volume, it should have an annotation added. In the second, the Pod has a hostPath volume and should also receive an annotation. If either one of these Pods does not have the annotation `cluster-autoscaler.kubernetes.io/safe-to-evict: "true"` added the test fails. If this annotation is present, the test passes.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy-ready.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy-ready.yaml
new file mode 100644
index 0000000000..480c95f0fc
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-safe-to-evict
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy.yaml
new file mode 100644
index 0000000000..60d386f37f
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-safe-to-evict
+spec:
+ rules:
+ - name: annotate-empty-dir
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
+ spec:
+ volumes:
+ - <(emptyDir): {}
+ - name: annotate-host-path
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
+ spec:
+ volumes:
+ - hostPath:
+ <(path): "*"
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01-mutated.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01-mutated.yaml
new file mode 100644
index 0000000000..1842dbd53b
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01-mutated.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-emptydir
+ namespace: default
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01.yaml
new file mode 100644
index 0000000000..f671a4f6fe
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-emptydir
+ namespace: default
+ labels:
+ foo: bar
+spec:
+ containers:
+ - image: nginx
+ name: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02-mutated.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02-mutated.yaml
new file mode 100644
index 0000000000..150f37b8a0
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02-mutated.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-hostpath
+ namespace: default
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02.yaml
new file mode 100644
index 0000000000..5904977c0a
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-hostpath
+ namespace: default
+ labels:
+ foo: bar
+spec:
+ containers:
+ - image: nginx
+ name: nginx
+ volumeMounts:
+ - mountPath: /usr/share/nginx/html
+ name: test-volume
+ volumes:
+ - hostPath:
+ path: /var/local/aaa
+ type: DirectoryOrCreate
+ name: test-volume
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/01-policy.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/01-policy.yaml
new file mode 100644
index 0000000000..f3857739b0
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/02-resource.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/02-resource.yaml
new file mode 100644
index 0000000000..7e08de156a
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/02-resource.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
+assert:
+- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/README.md b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/README.md
new file mode 100644
index 0000000000..81c61e210f
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a migrated test from e2e. It checks that the global anchor works in tandem with a patchStrategicMerge policy.
+
+## Expected Behavior
+
+If a container image is prefaced with `registry.corp.com` then it should be mutated to add an imagePullSecret named `regcred`. If this is done, the test passes. If this is not, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/policy-ready.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/policy-ready.yaml
new file mode 100644
index 0000000000..ec9f47c302
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: set-image-pull-secret
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/policy.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/policy.yaml
new file mode 100644
index 0000000000..607c07663d
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: set-image-pull-secret
+spec:
+ background: false
+ rules:
+ - name: set-image-pull-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ patchStrategicMerge:
+ spec:
+ containers:
+ - <(image): "registry.corp.com/*"
+ imagePullSecrets:
+ - name: regcred
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/resource-mutated.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/resource-mutated.yaml
new file mode 100644
index 0000000000..1e01dfebfc
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/resource-mutated.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: registry.corp.com/nginx:1.14.2
+ imagePullSecrets:
+ - name: regcred
diff --git a/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/resource.yaml b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/resource.yaml
new file mode 100644
index 0000000000..0789f6bbec
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/resource.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: registry.corp.com/nginx:1.14.2
diff --git a/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/01-policy.yaml b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/01-policy.yaml
new file mode 100644
index 0000000000..f3857739b0
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/02-resource.yaml b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/02-resource.yaml
new file mode 100644
index 0000000000..7e08de156a
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/02-resource.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
+assert:
+- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/README.md b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/README.md
new file mode 100644
index 0000000000..7a9661ab95
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a migrated test from e2e. It checks that a simple JSON patch `replace` operation works with a variable from AdmissionReview as a component of the `value` field.
+
+## Expected Behavior
+
+An Ingress's first rule should have the value of the `host` field appended to it `mycompany.com`. If this value has been replaced properly, the test passes. If not, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/policy-ready.yaml b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/policy-ready.yaml
new file mode 100644
index 0000000000..ba7571c941
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-ingress-host
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/policy.yaml b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/policy.yaml
new file mode 100644
index 0000000000..4fdd62c4ec
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-ingress-host
+spec:
+ rules:
+ - name: mutate-rules-host
+ match:
+ any:
+ - resources:
+ kinds:
+ - Ingress
+ mutate:
+ patchesJson6902: |-
+ - op: replace
+ path: /spec/rules/0/host
+ value: "{{request.object.spec.rules[0].host}}.mycompany.com"
diff --git a/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/resource-mutated.yaml b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/resource-mutated.yaml
new file mode 100644
index 0000000000..c8a4d0103f
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/resource-mutated.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: kuard-v1
+ namespace: default
+ labels:
+ app: kuard
+spec:
+ rules:
+ - host: kuard.mycompany.com
+ http:
+ paths:
+ - backend:
+ service:
+ name: kuard
+ port:
+ number: 8080
+ path: /
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - kuard
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/resource.yaml b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/resource.yaml
new file mode 100644
index 0000000000..03f8c9c517
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/resource.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: kuard-v1
+ namespace: default
+ labels:
+ app: kuard
+spec:
+ rules:
+ - host: kuard
+ http:
+ paths:
+ - backend:
+ service:
+ name: kuard
+ port:
+ number: 8080
+ path: /
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - kuard
\ No newline at end of file
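Review bot: The rule in `patchesJson6902-replace/policy.yaml` is not restricted to an operation, so it is evaluated on every Ingress admission and appends `.mycompany.com` to whatever host is already present; an update of `kuard-v1` would presumably turn `kuard.mycompany.com` into `kuard.mycompany.com.mycompany.com`. The test only covers the initial create. A precondition like the one in the foreach test, `key: "{{request.operation}}"` with `operator: Equals` and `value: CREATE`, makes the fixture idempotent, and a follow-up step that edits the Ingress would pin it. `resource-mutated.yaml` also leaves `tls.hosts` at `kuard`, which no longer matches the rule host; if that is intended, a comment in the fixture would say so.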
diff --git a/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/01-policy.yaml b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/01-policy.yaml
new file mode 100644
index 0000000000..f3857739b0
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/02-resource.yaml b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/02-resource.yaml
new file mode 100644
index 0000000000..7e08de156a
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/02-resource.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
+assert:
+- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/README.md b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/README.md
new file mode 100644
index 0000000000..dc76b8b972
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a migrated test from e2e. It checks that simple JSON patches function properly when mutating array slices.
+
+## Expected Behavior
+
+If the Pod has a second environment variable added with the name `K8S_IMAGE` with value equal to `docker.io/busybox:1.11` then the test succeeds. If it does not, the test fails. Note that there is an initContainer present which based upon the policy definition should NOT be mutated.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/policy-ready.yaml b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/policy-ready.yaml
new file mode 100644
index 0000000000..da767ab21e
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-image-as-env-var
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/policy.yaml b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/policy.yaml
new file mode 100644
index 0000000000..f6d309f4d4
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/policy.yaml
@@ -0,0 +1,77 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-image-as-env-var
+ # env array needs to exist (least one env var is present)
+spec:
+ background: false
+ schemaValidation: false
+ rules:
+ # One Pod
+ - name: pod-containers-1-inject-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.object.spec.containers[] | length(@)}}"
+ operator: GreaterThanOrEquals
+ value: 1
+ mutate:
+ patchesJson6902: |-
+ - op: add
+ path: "/spec/containers/0/env/-"
+ value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[0].image}}"}
+ # Two or more Pods
+ - name: pod-containers-2-inject-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.object.spec.containers[] | length(@)}}"
+ operator: GreaterThanOrEquals
+ value: 2
+ mutate:
+ patchesJson6902: |-
+ - op: add
+ path: "/spec/containers/1/env/-"
+ value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[1].image}}"}
+ # Deployment with one Pod
+ - name: deploy-containers-1-inject-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ preconditions:
+ all:
+ - key: "{{request.object.spec.template.spec.containers[] | length(@)}}"
+ operator: GreaterThanOrEquals
+ value: 1
+ mutate:
+ patchesJson6902: |-
+ - op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value: {"name":"K8S_IMAGE","value":"{{request.object.spec.template.spec.containers[0].image}}"}
+ # Deployment with two or more Pods
+ - name: deploy-containers-2-inject-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ preconditions:
+ all:
+ - key: "{{request.object.spec.template.spec.containers[] | length(@)}}"
+ operator: GreaterThanOrEquals
+ value: 2
+ mutate:
+ patchesJson6902: |-
+ - op: add
+ path: "/spec/template/spec/containers/1/env/-"
+ value: {"name":"K8S_IMAGE","value":"{{request.object.spec.template.spec.containers[1].image}}"}
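Review bot: Only `pod-containers-1-inject-image` is exercised by this test, because the `resource.yaml` fixture in the same directory is a single-container Pod; the `value: 2` rule and both `deploy-containers-*` rules are applied but never asserted. The rule comments also count the wrong thing: the preconditions measure containers, so `# One Pod` and `# Two or more Pods` would read better as `# Pods with at least one container` and `# Pods with two or more containers`, and likewise for the Deployment rules. The note `# env array needs to exist (least one env var is present)` sits under `metadata`, away from the `add` operations at `.../env/-` that it describes, and no precondition enforces it. I would move it above the first rule and say what is expected to happen to a container without `env`. `schemaValidation: false` is set without explanation; a one-line comment stating why the test needs it would help the next reader.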
diff --git a/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/resource-mutated.yaml b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/resource-mutated.yaml
new file mode 100644
index 0000000000..5ec53a9a7f
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/resource-mutated.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo-patchesjson6902-simple
+ namespace: default
+spec:
+ containers:
+ - command:
+ - sleep infinity
+ env:
+ - name: FOO
+ value: bar
+ - name: K8S_IMAGE
+ value: docker.io/busybox:1.11
+ image: busybox:1.11
+ name: busybox
+ securityContext:
+ capabilities:
+ drop:
+ - SETUID
+ initContainers:
+ - command:
+ - sleep infinity
+ image: nginx:1.14
+ name: nginx
+ securityContext:
+ capabilities:
+ drop:
+ - SETUID
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/resource.yaml b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/resource.yaml
new file mode 100644
index 0000000000..ee48c171c3
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/resource.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo-patchesjson6902-simple
+ namespace: default
+spec:
+ containers:
+ - command:
+ - sleep infinity
+ env:
+ - name: FOO
+ value: bar
+ image: busybox:1.11
+ name: busybox
+ securityContext:
+ capabilities:
+ drop:
+ - SETUID
+ initContainers:
+ - command:
+ - sleep infinity
+ image: nginx:1.14
+ name: nginx
+ securityContext:
+ capabilities:
+ drop:
+ - SETUID
diff --git a/test/conformance/kuttl/mutate/e2e/simple-conditional/01-policy.yaml b/test/conformance/kuttl/mutate/e2e/simple-conditional/01-policy.yaml
new file mode 100644
index 0000000000..f3857739b0
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/simple-conditional/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml
\ No newline at end of file
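Review bot: The README's claim that the initContainer must NOT be mutated is not enforced by `patchesjson6902-simple/resource-mutated.yaml`. As far as I know kuttl asserts are subset matches, so an `env` entry injected into the `nginx` initContainer would still satisfy this file. A negative check needs an `error:` entry in `02-resource.yaml` pointing at a file that describes the unwanted state, for example `error:` followed by `- initcontainer-mutated.yaml` (file name constructed here). That file would list the initContainer with a `K8S_IMAGE` env var. Separately, the expected value `docker.io/busybox:1.11` differs from the fixture's `image: busybox:1.11`, which the policy copies from `request.object`. A short comment saying where the registry prefix comes from would make the expectation reviewable.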
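Review bot: In `patchesjson6902-simple/resource.yaml` (and the matching `resource-mutated.yaml`), `command:` holds the single list element `sleep infinity`. That is one argv entry naming a binary called "sleep infinity", so neither container can be expected to start. The test still passes because it only asserts the stored object, but a fixture that cannot run hides any regression that shows up only once the Pod is scheduled. The form used in `variables-in-keys/resource.yaml`, `command: ["sleep", "9999"]`, avoids this.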
diff --git a/test/conformance/kuttl/mutate/e2e/simple-conditional/02-resource.yaml b/test/conformance/kuttl/mutate/e2e/simple-conditional/02-resource.yaml
new file mode 100644
index 0000000000..c23d40e171
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/simple-conditional/02-resource.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- pod1.yaml
+assert:
+- pod1-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/simple-conditional/03-resource.yaml b/test/conformance/kuttl/mutate/e2e/simple-conditional/03-resource.yaml
new file mode 100644
index 0000000000..ad5dffe486
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/simple-conditional/03-resource.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- pod2.yaml
+assert:
+- pod2-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/simple-conditional/README.md b/test/conformance/kuttl/mutate/e2e/simple-conditional/README.md
new file mode 100644
index 0000000000..5c749646c6
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/simple-conditional/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a test migrated from e2e. It tests that simple conditional anchors (multiple) are working properly using a patchStrategicMerge mutation rule.
+
+## Expected Behavior
+
+For a Pod with only `containers[]`, the `securityContext.runAsNonRoot=true` should be written to each container as well as to the `spec`. For a Pod with an added `initContainers[]` entry, the same should occur for the initContainer as well. If both of these happen as expected, the test passes. If any one does not, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/kuttl/mutate/e2e/simple-conditional/pod1-mutated.yaml b/test/conformance/kuttl/mutate/e2e/simple-conditional/pod1-mutated.yaml
new file mode 100644
index 0000000000..7b2de278a9
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/simple-conditional/pod1-mutated.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: foo
+ name: foo
+ namespace: default
+spec:
+ containers:
+ - image: abc:1.28
+ name: busybox
+ securityContext:
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/simple-conditional/pod1.yaml b/test/conformance/kuttl/mutate/e2e/simple-conditional/pod1.yaml
new file mode 100644
index 0000000000..82f0232bde
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/simple-conditional/pod1.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ namespace: default
+ labels:
+ app: foo
+spec:
+ containers:
+ - image: abc:1.28
+ name: busybox
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/simple-conditional/pod2-mutated.yaml b/test/conformance/kuttl/mutate/e2e/simple-conditional/pod2-mutated.yaml
new file mode 100644
index 0000000000..607856472c
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/simple-conditional/pod2-mutated.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: foo
+ name: footwo
+ namespace: default
+spec:
+ containers:
+ - image: abc:1.28
+ name: busybox
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: bcd:1.29
+ name: nginx
+ securityContext:
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/simple-conditional/pod2.yaml b/test/conformance/kuttl/mutate/e2e/simple-conditional/pod2.yaml
new file mode 100644
index 0000000000..8146aa3a55
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/simple-conditional/pod2.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: footwo
+ namespace: default
+ labels:
+ app: foo
+spec:
+ containers:
+ - image: abc:1.28
+ name: busybox
+ initContainers:
+ - image: bcd:1.29
+ name: nginx
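Review bot: `simple-conditional/pod1.yaml` and `pod2.yaml` pin `namespace: default` and use the generic names `foo` and `footwo`, so they can collide with any other suite that creates a Pod called `foo` in `default`. The commit message mentions a rename "to avoid deletion race", and the patchesjson6902-simple fixture already uses a test-specific name. Whether another suite really uses `foo` is not visible here. Applying the same convention would remove the risk, e.g. `name: foo-simple-conditional` and `name: footwo-simple-conditional`, with the two `*-mutated.yaml` assert files updated to match.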
diff --git a/test/conformance/kuttl/mutate/e2e/simple-conditional/policy-ready.yaml b/test/conformance/kuttl/mutate/e2e/simple-conditional/policy-ready.yaml
new file mode 100644
index 0000000000..11667b7057
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/simple-conditional/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: set-runasnonroot-true
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/simple-conditional/policy.yaml b/test/conformance/kuttl/mutate/e2e/simple-conditional/policy.yaml
new file mode 100644
index 0000000000..22d270f868
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/simple-conditional/policy.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: set-runasnonroot-true
+spec:
+ rules:
+ - name: set-runasnonroot-true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ patchStrategicMerge:
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - (name): "*"
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - (name): "*"
+ securityContext:
+ runAsNonRoot: true
diff --git a/test/conformance/kuttl/mutate/e2e/variables-in-keys/01-policy.yaml b/test/conformance/kuttl/mutate/e2e/variables-in-keys/01-policy.yaml
new file mode 100644
index 0000000000..f3857739b0
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/variables-in-keys/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/variables-in-keys/02-resource.yaml b/test/conformance/kuttl/mutate/e2e/variables-in-keys/02-resource.yaml
new file mode 100644
index 0000000000..7e08de156a
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/variables-in-keys/02-resource.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
+assert:
+- resource-mutated.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/variables-in-keys/README.md b/test/conformance/kuttl/mutate/e2e/variables-in-keys/README.md
new file mode 100644
index 0000000000..36a5800b81
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/variables-in-keys/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a migrated test from e2e. It tests that variable substitution is occurring properly in the key of a patchStrategicMerge rule.
+
+## Expected Behavior
+
+The annotation `fluentbit.io/exclude-busybox: "true"` is expected to be written to the Deployment. If it is, the test passes. If it is not, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/variables-in-keys/policy-ready.yaml b/test/conformance/kuttl/mutate/e2e/variables-in-keys/policy-ready.yaml
new file mode 100644
index 0000000000..5395eb4672
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/variables-in-keys/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: structured-logs-sidecar
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/e2e/variables-in-keys/policy.yaml b/test/conformance/kuttl/mutate/e2e/variables-in-keys/policy.yaml
new file mode 100644
index 0000000000..0d3831f1b6
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/variables-in-keys/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: structured-logs-sidecar
+spec:
+ background: false
+ rules:
+ - name: add-annotations
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ annotations:
+ structured-logs: "true"
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ "fluentbit.io/exclude-{{request.object.spec.template.spec.containers[0].name}}": "true"
diff --git a/test/conformance/kuttl/mutate/e2e/variables-in-keys/resource-mutated.yaml b/test/conformance/kuttl/mutate/e2e/variables-in-keys/resource-mutated.yaml
new file mode 100644
index 0000000000..6ed59b88bf
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/variables-in-keys/resource-mutated.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: busybox
+ namespace: default
+ annotations:
+ structured-logs: "true"
+ fluentbit.io/exclude-busybox: "true"
+ labels:
+ color: red
+ animal: bear
+ food: pizza
+ car: jeep
+ env: qa
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.28
+ name: busybox
+ command: ["sleep", "9999"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 10Mi
+ limits:
+ cpu: 100m
+ memory: 10Mi
+ - image: busybox:1.28
+ name: busybox1
+ command: ["sleep", "9999"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 10Mi
+ limits:
+ cpu: 100m
+ memory: 20Mi
diff --git a/test/conformance/kuttl/mutate/e2e/variables-in-keys/resource.yaml b/test/conformance/kuttl/mutate/e2e/variables-in-keys/resource.yaml
new file mode 100644
index 0000000000..268acc4e43
--- /dev/null
+++ b/test/conformance/kuttl/mutate/e2e/variables-in-keys/resource.yaml
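Review bot: The annotation key in `add-annotations` (`variables-in-keys/policy.yaml`) is assembled from `request.object.spec.template.spec.containers[0].name`, a field the requester controls, with nothing bounding its length. The name part of an annotation key is limited to 63 characters, so `exclude-` plus a container name longer than 55 characters should produce a key the API server rejects after mutation. The effect would be that the policy blocks an otherwise valid Deployment. A comment above the key would record this, e.g. `# key is built from request data; container names over 55 chars yield an invalid annotation key`. The rule also reads only index 0, while the fixture has a second container `busybox1`; a comment saying that is intentional would prevent the policy being copied as if it covered every container.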
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: busybox
+ namespace: default
+ annotations:
+ structured-logs: "true"
+ labels:
+ color: red
+ animal: bear
+ food: pizza
+ car: jeep
+ env: qa
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.28
+ name: busybox
+ command: ["sleep", "9999"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 10Mi
+ limits:
+ cpu: 100m
+ memory: 10Mi
+ - image: busybox:1.28
+ name: busybox1
+ command: ["sleep", "9999"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 10Mi
+ limits:
+ cpu: 100m
+ memory: 20Mi