mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

Migrate all mutate e2e tests to kuttl and expand (#5491)

Browse source 
* add jmespath-logic test

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add simple-conditional test

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add variables-in-keys test

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add patchesjson6902-simple

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add foreach-patchStrategicMerge-preconditions test

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add patchStrategicMerge-global test

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add patchStrategicMerge-global-addifnotpresent test

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add patchesJson6902-replace test

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* adjust "basic" mutate existing test to prep for e2e migrations

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add basic-create test (mutate existing)

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add basic-delete test (mutate existing)

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add basic-create-policy test (mutate existing)

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add basic-create-patchesJson6902 test (mutate existing)

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* change name to avoid deletion race

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Chip Zoller 2022-11-29 03:40:57 -05:00 committed by GitHub
parent 6f1bd5fff2
commit 21da0f335e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
98 changed files with 1293 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
test/conformance/kuttl/kuttl-test.yaml
View file

@ -14,6 +14,7 @@ testDirs:
# - ./test/conformance/kuttl/generate/policy/standard/data/nosync # - ./test/conformance/kuttl/generate/policy/standard/data/nosync
- ./test/conformance/kuttl/generate/clusterpolicy/cornercases - ./test/conformance/kuttl/generate/clusterpolicy/cornercases
# Mutate tests # Mutate tests
- ./test/conformance/kuttl/mutate/e2e
- ./test/conformance/kuttl/mutate/clusterpolicy/standard - ./test/conformance/kuttl/mutate/clusterpolicy/standard
- ./test/conformance/kuttl/mutate/clusterpolicy/standard/existing - ./test/conformance/kuttl/mutate/clusterpolicy/standard/existing
- ./test/conformance/kuttl/mutate/clusterpolicy/cornercases - ./test/conformance/kuttl/mutate/clusterpolicy/cornercases

9
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: test-post-mutation
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

45
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-manifests.yaml Normal file
View file

@ -0,0 +1,45 @@
apiVersion: v1
kind: Namespace
metadata:
name: staging-4
labels:
app-type: corp
annotations:
cloud.platformzero.com/serviceClass: "xl2"
---
apiVersion: v1
data:
foo: YmFy
kind: Secret
metadata:
name: test-secret-4
namespace: staging-4
type: Opaque
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: test-post-mutation
spec:
mutateExistingOnPolicyUpdate: false
rules:
- name: mutate-secret-on-configmap-update
match:
any:
- resources:
kinds:
- ConfigMap
names:
- dictionary-4
namespaces:
- staging-4
mutate:
targets:
- apiVersion: v1
kind: Secret
name: test-secret-4
namespace: "{{ request.object.metadata.namespace }}"
patchesJson6902: |-
- op: add
path: "/metadata/labels/env"
value: "{{ request.object.metadata.namespace }}"

7
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/02-create-cm.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: v1
data:
foo: bar
kind: ConfigMap
metadata:
name: dictionary-4
namespace: staging-4

7
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/03-assert.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: test-secret-4
namespace: staging-4
labels:
env: staging-4

11
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a basic test for the mutate existing capability, using a JSON patch, which ensures that creating a triggering resource results in the correct mutation of a different resource.
## Expected Behavior
When the `dictionary-4` ConfigMap is created, this should result in the mutation of the Secret named `test-secret-4` within the same Namespace to add the label `env` with value set to the name of the triggering resource's Namespace, `staging-4`. If the Secret is mutated so that the label `env: staging-4` is present, the test passes. If not, the test fails.
## Reference Issue(s)
N/A

0
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/99-cleanup.yaml → test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/cleanup.yaml
View file

25
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/01-manifests.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: v1
kind: Namespace
metadata:
name: staging-3
labels:
app-type: corp
annotations:
cloud.platformzero.com/serviceClass: "xl2"
---
apiVersion: v1
data:
foo: YmFy
kind: Secret
metadata:
name: test-secret-3
namespace: staging-3
type: Opaque
---
apiVersion: v1
data:
foo: bar
kind: ConfigMap
metadata:
name: dictionary-3
namespace: staging-3

9
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/02-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: test-post-mutation-create-policy
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

27
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/02-create-clusterpolicy.yaml Normal file
View file

@ -0,0 +1,27 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: test-post-mutation-create-policy
spec:
mutateExistingOnPolicyUpdate: true
rules:
- name: mutate-secret-on-policy-create
match:
any:
- resources:
kinds:
- ConfigMap
names:
- dictionary-3
namespaces:
- staging-3
mutate:
targets:
- apiVersion: v1
kind: Secret
name: test-secret-3
namespace: "{{ request.object.metadata.namespace }}"
patchStrategicMerge:
metadata:
labels:
foo: "{{ request.object.metadata.name }}"

7
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/03-assert.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: test-secret-3
namespace: staging-3
labels:
foo: dictionary-3

11
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a basic test for the mutate existing capability which ensures that creating of a Kyverno ClusterPolicy causes immediate mutation of downstream targets by setting `mutateExistingOnPolicyUpdate: true`.
## Expected Behavior
When the ClusterPolicy is created, at that time it should mutate the `test-secret-3` Secret in the `staging-3` Namespace to add a label with key `foo` the value of which should be the name of the defined triggering resource, `dictionary-3`. If this mutation is done, the test passes. If not, the test fails.
## Reference Issue(s)
N/A

4
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create-policy/cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true

0
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-assert.yaml → test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/01-assert.yaml
View file

45
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/01-manifests.yaml Normal file
View file

@ -0,0 +1,45 @@
apiVersion: v1
kind: Namespace
metadata:
name: staging
labels:
app-type: corp
annotations:
cloud.platformzero.com/serviceClass: "xl2"
---
apiVersion: v1
data:
foo: YmFy
kind: Secret
metadata:
name: secret-1
namespace: staging
type: Opaque
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-existing-secret
spec:
mutateExistingOnPolicyUpdate: false
rules:
- name: mutate-secret-on-configmap-create
match:
any:
- resources:
kinds:
- ConfigMap
names:
- dictionary-1
namespaces:
- staging
mutate:
targets:
- apiVersion: v1
kind: Secret
name: secret-1
namespace: "{{ request.object.metadata.namespace }}"
patchStrategicMerge:
metadata:
labels:
foo: bar

7
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/02-create-cm.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: v1
data:
foo: bar
kind: ConfigMap
metadata:
name: dictionary-1
namespace: staging

0
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/03-assert.yaml → test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/03-assert.yaml
View file

11
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a basic test for the mutate existing capability which ensures that creating a triggering resource results in the correct mutation of a different resource.
## Expected Behavior
When the `dictionary-1` ConfigMap is created, this should result in the mutation of the Secret named `secret-1` within the same Namespace to add the label `foo: bar`. If the Secret is mutated so that the label `foo: bar` is present, the test passes. If not, the test fails.
## Reference Issue(s)
N/A

4
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-create/cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true

9
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: test-post-mutation-delete-trigger
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

58
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-manifests.yaml Normal file
View file

@ -0,0 +1,58 @@
apiVersion: v1
kind: Namespace
metadata:
name: staging-2
labels:
app-type: corp
annotations:
cloud.platformzero.com/serviceClass: "xl2"
---
apiVersion: v1
data:
foo: bar
kind: ConfigMap
metadata:
name: dictionary-2
namespace: staging-2
---
apiVersion: v1
data:
foo: YmFy
kind: Secret
metadata:
name: test-secret-2
namespace: staging-2
type: Opaque
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: test-post-mutation-delete-trigger
spec:
mutateExistingOnPolicyUpdate: false
rules:
- name: mutate-secret-on-configmap-delete
match:
any:
- resources:
kinds:
- ConfigMap
names:
- dictionary-2
namespaces:
- staging-2
preconditions:
any:
- key: "{{ request.operation }}"
operator: Equals
value: DELETE
mutate:
targets:
- apiVersion: v1
kind: Secret
name: test-secret-2
namespace: "{{ request.object.metadata.namespace }}"
patchStrategicMerge:
metadata:
labels:
foo: "{{ request.object.metadata.name }}"

7
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/02-delete-cm.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
delete:
- apiVersion: v1
kind: ConfigMap
name: dictionary-2
namespace: staging-2

7
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/03-assert.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: test-secret-2
namespace: staging-2
labels:
foo: dictionary-2

11
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a basic test for the mutate existing capability which ensures that specifically deleting a triggering resource, via a precondition, results in the correct mutation of a different resource.
## Expected Behavior
When the `dictionary-2` ConfigMap is deleted, this should result in the mutation of the Secret named `test-secret-2` within the same Namespace to add the label `foo` with value set to the name or `dictionary-2` in this case. If the Secret is mutated so that the label `foo: dictionary-2` is present, the test passes. If not, the test fails.
## Reference Issue(s)
N/A

4
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true

9
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/01-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-existing-secret
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

5
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/01-manifests.yaml → test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/01-manifests.yaml
View file

@ -27,10 +27,11 @@ type: Opaque
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: "mutate-existing-secret" name: mutate-existing-secret
spec: spec:
mutateExistingOnPolicyUpdate: false
rules: rules:
- name: "mutate-secret-on-configmap-event" - name: mutate-secret-on-configmap-event
match: match:
any: any:
- resources: - resources:

0
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/02-edit-cm.yaml → test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/02-edit-cm.yaml
View file

7
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/03-assert.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: secret-1
namespace: staging
labels:
foo: bar

11
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a basic test for the mutate existing capability which ensures that modifying (updating) a triggering resource results in the correct mutation of a different resource.
## Expected Behavior
When the `dictionary-1` ConfigMap is updated, this should result in the mutation of the Secret named `secret-1` within the same Namespace to add the label `foo: bar`. If the Secret is mutated so that the label `foo: bar` is present, the test passes. If not, the test fails.
## Reference Issue(s)
N/A

4
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-update/cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true

3
test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic/README.md
View file

@ -1,3 +0,0 @@
# Title
This is a test for mutation of existing resources.

6
test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-ready.yaml

6
test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/02-resource.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource.yaml
assert:
- resource-mutated.yaml

11
test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a migrated test from e2e. It tests that preconditions inside a foreach loop are substituted properly. Preconditions, in this case, use predefined variables from image registries and so this is a secondary aspect to the test.
## Expected Behavior
The containers with images from `docker.io` should be mutated so the value of the `image` field with respect to the registry is replaced with `my-private-registry`. Therefore, the input image `nginx:1.14.2` (which implicitly is equal to `docker.io/nginx:1.14.2`) is mutated so the output is `my-private-registry/nginx:1.14.2`. If this occurs, the test passes. If this is not done, the test fails.
## Reference Issue(s)
N/A

9
test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy-ready.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: replace-docker-hub
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

32
test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy.yaml Normal file
View file

@ -0,0 +1,32 @@
apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
name: replace-docker-hub
spec:
rules:
- name: replace-docker-hub
match:
any:
- resources:
kinds:
- Pod
preconditions:
all:
- key: "{{request.operation}}"
operator: AnyIn
value:
- CREATE
- UPDATE
mutate:
foreach:
- list: "request.object.spec.containers"
preconditions:
all:
- key: '{{images.containers."{{element.name}}".registry}}'
operator: Equals
value: 'docker.io'
patchStrategicMerge:
spec:
containers:
- name: "{{ element.name }}"
image: 'my-private-registry/{{images.containers."{{element.name}}".path}}:{{images.containers."{{element.name}}".tag}}'

9
test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource-mutated.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx
namespace: default
spec:
containers:
- name: nginx
image: my-private-registry/nginx:1.14.2

9
test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx
namespace: default
spec:
containers:
- name: nginx
image: nginx:1.14.2

6
test/conformance/kuttl/mutate/e2e/jmespath-logic/01-manifests.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- manifests.yaml
assert:
- policy-one-ready.yaml

6
test/conformance/kuttl/mutate/e2e/jmespath-logic/02-resource-one.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource.yaml
assert:
- resource-mutated.yaml

22
test/conformance/kuttl/mutate/e2e/jmespath-logic/03-policy-two.yaml Normal file
View file

@ -0,0 +1,22 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-policy
spec:
rules:
- name: gen-role
match:
any:
- resources:
kinds:
- ConfigMap
context:
- name: labelValue
apiCall:
urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}/configmaps"
jmesPath: "items[?metadata.name == 'source'].metadata.labels.\"kyverno.key/copy-me\" | [0]"
mutate:
patchStrategicMerge:
metadata:
labels:
+(kyverno.key/copy-me): "{{ labelValue }}"

6
test/conformance/kuttl/mutate/e2e/jmespath-logic/04-resource-two.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource-two.yaml
assert:
- resource-two-mutated.yaml

11
test/conformance/kuttl/mutate/e2e/jmespath-logic/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is test migrated from e2e which roughly tests that mutations are successful when the value of key being mutated contains both a context variable as well as a context variable plus additional JMESPath filtering in that variable reference. The test migrated here to kuttl represents a condensed version of the original test to eliminate minor redundancy.
## Expected Behavior
The mutated ConfigMap should have a label written to it `kyverno.key/copy-me: sample-value`. If this is so, the test passes. If it is not, the test fails.
## Reference Issue(s)
N/A

38
test/conformance/kuttl/mutate/e2e/jmespath-logic/manifests.yaml Normal file
View file

@ -0,0 +1,38 @@
apiVersion: v1
kind: Namespace
metadata:
name: mutate-jmespath
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-policy
spec:
rules:
- name: gen-role
match:
any:
- resources:
kinds:
- ConfigMap
context:
- name: labelValue
apiCall:
urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}/configmaps"
jmesPath: "items[*]"
mutate:
patchStrategicMerge:
metadata:
labels:
+(kyverno.key/copy-me): "{{ labelValue[?metadata.name == 'source'].metadata.labels.\"kyverno.key/copy-me\" | [0] }}"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: source
namespace: mutate-jmespath
labels:
kyverno.key/copy-me: sample-value
data:
data.yaml: |
some: data

9
test/conformance/kuttl/mutate/e2e/jmespath-logic/policy-one-ready.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-policy
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

8
test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-mutated.yaml Normal file
View file

@ -0,0 +1,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
kyverno.key/copy-from: source
kyverno.key/copy-me: sample-value
name: target
namespace: mutate-jmespath

8
test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-two-mutated.yaml Normal file
View file

@ -0,0 +1,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
kyverno.key/copy-from: source
kyverno.key/copy-me: sample-value
name: targettwo
namespace: mutate-jmespath

10
test/conformance/kuttl/mutate/e2e/jmespath-logic/resource-two.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: targettwo
namespace: mutate-jmespath
labels:
kyverno.key/copy-from: source
data:
data.yaml: |
some: data

10
test/conformance/kuttl/mutate/e2e/jmespath-logic/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: target
namespace: mutate-jmespath
labels:
kyverno.key/copy-from: source
data:
data.yaml: |
some: data

6
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-ready.yaml

6
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/02-resource.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource01.yaml
assert:
- resource01-mutated.yaml

6
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/03-resource.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource02.yaml
assert:
- resource02-mutated.yaml

11
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a migration from e2e. It tests for a combination of the global anchor plus the add-if-not-present anchor in a patchStrategicMerge mutate policy with two rules.
## Expected Behavior
Two tests are conducted. In the first, if a Pod contains an emptyDir volume, it should have an annotation added. In the second, the Pod has a hostPath volume and should also receive an annotation. If either one of these Pods does not have the annotation `cluster-autoscaler.kubernetes.io/safe-to-evict: "true"` added the test fails. If this annotation is present, the test passes.
## Reference Issue(s)
N/A

9
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy-ready.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-safe-to-evict
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

35
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy.yaml Normal file
View file

@ -0,0 +1,35 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-safe-to-evict
spec:
rules:
- name: annotate-empty-dir
match:
any:
- resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
metadata:
annotations:
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
spec:
volumes:
- <(emptyDir): {}
- name: annotate-host-path
match:
any:
- resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
metadata:
annotations:
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
spec:
volumes:
- hostPath:
<(path): "*"

7
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01-mutated.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-emptydir
namespace: default
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

17
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01.yaml Normal file
View file

@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-emptydir
namespace: default
labels:
foo: bar
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
volumes:
- name: cache-volume
emptyDir: {}

7
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02-mutated.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-hostpath
namespace: default
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

19
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02.yaml Normal file
View file

@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-hostpath
namespace: default
labels:
foo: bar
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /usr/share/nginx/html
name: test-volume
volumes:
- hostPath:
path: /var/local/aaa
type: DirectoryOrCreate
name: test-volume

6
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-ready.yaml

6
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/02-resource.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource.yaml
assert:
- resource-mutated.yaml

11
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a migrated test from e2e. It checks that the global anchor works in tandem with a patchStrategicMerge policy.
## Expected Behavior
If a container image is prefaced with `registry.corp.com` then it should be mutated to add an imagePullSecret named `regcred`. If this is done, the test passes. If this is not, the test fails.
## Reference Issue(s)
N/A

9
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/policy-ready.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: set-image-pull-secret
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

20
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/policy.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: set-image-pull-secret
spec:
background: false
rules:
- name: set-image-pull-secret
match:
any:
- resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
spec:
containers:
- <(image): "registry.corp.com/*"
imagePullSecrets:
- name: regcred

11
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/resource-mutated.yaml Normal file
View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx
namespace: default
spec:
containers:
- name: nginx
image: registry.corp.com/nginx:1.14.2
imagePullSecrets:
- name: regcred

9
test/conformance/kuttl/mutate/e2e/patchStrategicMerge-global/resource.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx
namespace: default
spec:
containers:
- name: nginx
image: registry.corp.com/nginx:1.14.2

6
test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-ready.yaml

6
test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/02-resource.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource.yaml
assert:
- resource-mutated.yaml

11
test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a migrated test from e2e. It checks that a simple JSON patch `replace` operation works with a variable from AdmissionReview as a component of the `value` field.
## Expected Behavior
An Ingress's first rule should have the value of the `host` field appended to it `mycompany.com`. If this value has been replaced properly, the test passes. If not, the test fails.
## Reference Issue(s)
N/A

9
test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/policy-ready.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-ingress-host
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

17
test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/policy.yaml Normal file
View file

@ -0,0 +1,17 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-ingress-host
spec:
rules:
- name: mutate-rules-host
match:
any:
- resources:
kinds:
- Ingress
mutate:
patchesJson6902: |-
- op: replace
path: /spec/rules/0/host
value: "{{request.object.spec.rules[0].host}}.mycompany.com"

22
test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/resource-mutated.yaml Normal file
View file

@ -0,0 +1,22 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kuard-v1
namespace: default
labels:
app: kuard
spec:
rules:
- host: kuard.mycompany.com
http:
paths:
- backend:
service:
name: kuard
port:
number: 8080
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- kuard

22
test/conformance/kuttl/mutate/e2e/patchesJson6902-replace/resource.yaml Normal file
View file

@ -0,0 +1,22 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kuard-v1
namespace: default
labels:
app: kuard
spec:
rules:
- host: kuard
http:
paths:
- backend:
service:
name: kuard
port:
number: 8080
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- kuard

6
test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-ready.yaml

6
test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/02-resource.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource.yaml
assert:
- resource-mutated.yaml

11
test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a migrated test from e2e. It checks that simple JSON patches function properly when mutating array slices.
## Expected Behavior
If the Pod has a second environment variable added with the name `K8S_IMAGE` with value equal to `docker.io/busybox:1.11` then the test succeeds. If it does not, the test fails. Note that there is an initContainer present which based upon the policy definition should NOT be mutated.
## Reference Issue(s)
N/A

9
test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/policy-ready.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-image-as-env-var
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

77
test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/policy.yaml Normal file
View file

@ -0,0 +1,77 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-image-as-env-var
# env array needs to exist (least one env var is present)
spec:
background: false
schemaValidation: false
rules:
# One Pod
- name: pod-containers-1-inject-image
match:
any:
- resources:
kinds:
- Pod
preconditions:
all:
- key: "{{request.object.spec.containers[] | length(@)}}"
operator: GreaterThanOrEquals
value: 1
mutate:
patchesJson6902: |-
- op: add
path: "/spec/containers/0/env/-"
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[0].image}}"}
# Two or more Pods
- name: pod-containers-2-inject-image
match:
any:
- resources:
kinds:
- Pod
preconditions:
all:
- key: "{{request.object.spec.containers[] | length(@)}}"
operator: GreaterThanOrEquals
value: 2
mutate:
patchesJson6902: |-
- op: add
path: "/spec/containers/1/env/-"
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[1].image}}"}
# Deployment with one Pod
- name: deploy-containers-1-inject-image
match:
any:
- resources:
kinds:
- Deployment
preconditions:
all:
- key: "{{request.object.spec.template.spec.containers[] | length(@)}}"
operator: GreaterThanOrEquals
value: 1
mutate:
patchesJson6902: |-
- op: add
path: "/spec/template/spec/containers/0/env/-"
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.template.spec.containers[0].image}}"}
# Deployment with two or more Pods
- name: deploy-containers-2-inject-image
match:
any:
- resources:
kinds:
- Deployment
preconditions:
all:
- key: "{{request.object.spec.template.spec.containers[] | length(@)}}"
operator: GreaterThanOrEquals
value: 2
mutate:
patchesJson6902: |-
- op: add
path: "/spec/template/spec/containers/1/env/-"
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.template.spec.containers[1].image}}"}

29
test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/resource-mutated.yaml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: foo-patchesjson6902-simple
namespace: default
spec:
containers:
- command:
- sleep infinity
env:
- name: FOO
value: bar
- name: K8S_IMAGE
value: docker.io/busybox:1.11
image: busybox:1.11
name: busybox
securityContext:
capabilities:
drop:
- SETUID
initContainers:
- command:
- sleep infinity
image: nginx:1.14
name: nginx
securityContext:
capabilities:
drop:
- SETUID

27
test/conformance/kuttl/mutate/e2e/patchesjson6902-simple/resource.yaml Normal file
View file

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: foo-patchesjson6902-simple
namespace: default
spec:
containers:
- command:
- sleep infinity
env:
- name: FOO
value: bar
image: busybox:1.11
name: busybox
securityContext:
capabilities:
drop:
- SETUID
initContainers:
- command:
- sleep infinity
image: nginx:1.14
name: nginx
securityContext:
capabilities:
drop:
- SETUID

6
test/conformance/kuttl/mutate/e2e/simple-conditional/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-ready.yaml

6
test/conformance/kuttl/mutate/e2e/simple-conditional/02-resource.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- pod1.yaml
assert:
- pod1-mutated.yaml

6
test/conformance/kuttl/mutate/e2e/simple-conditional/03-resource.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- pod2.yaml
assert:
- pod2-mutated.yaml

11
test/conformance/kuttl/mutate/e2e/simple-conditional/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a test migrated from e2e. It tests that simple conditional anchors (multiple) are working properly using a patchStrategicMerge mutation rule.
## Expected Behavior
For a Pod with only `containers[]`, the `securityContext.runAsNonRoot=true` should be written to each container as well as to the `spec`. For a Pod with an added `initContainers[]` entry, the same should occur for the initContainer as well. If both of these happen as expected, the test passes. If any one does not, the test fails.
## Reference Issue(s)
N/A

15
test/conformance/kuttl/mutate/e2e/simple-conditional/pod1-mutated.yaml Normal file
View file

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
labels:
app: foo
name: foo
namespace: default
spec:
containers:
- image: abc:1.28
name: busybox
securityContext:
runAsNonRoot: true
securityContext:
runAsNonRoot: true

11
test/conformance/kuttl/mutate/e2e/simple-conditional/pod1.yaml Normal file
View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: foo
namespace: default
labels:
app: foo
spec:
containers:
- image: abc:1.28
name: busybox

20
test/conformance/kuttl/mutate/e2e/simple-conditional/pod2-mutated.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
labels:
app: foo
name: footwo
namespace: default
spec:
containers:
- image: abc:1.28
name: busybox
securityContext:
runAsNonRoot: true
initContainers:
- image: bcd:1.29
name: nginx
securityContext:
runAsNonRoot: true
securityContext:
runAsNonRoot: true

14
test/conformance/kuttl/mutate/e2e/simple-conditional/pod2.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: footwo
namespace: default
labels:
app: foo
spec:
containers:
- image: abc:1.28
name: busybox
initContainers:
- image: bcd:1.29
name: nginx

9
test/conformance/kuttl/mutate/e2e/simple-conditional/policy-ready.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: set-runasnonroot-true
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

25
test/conformance/kuttl/mutate/e2e/simple-conditional/policy.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: set-runasnonroot-true
spec:
rules:
- name: set-runasnonroot-true
match:
any:
- resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
spec:
securityContext:
runAsNonRoot: true
initContainers:
- (name): "*"
securityContext:
runAsNonRoot: true
containers:
- (name): "*"
securityContext:
runAsNonRoot: true

6
test/conformance/kuttl/mutate/e2e/variables-in-keys/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-ready.yaml

6
test/conformance/kuttl/mutate/e2e/variables-in-keys/02-resource.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource.yaml
assert:
- resource-mutated.yaml

11
test/conformance/kuttl/mutate/e2e/variables-in-keys/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a migrated test from e2e. It tests that variable substitution is occurring properly in the key of a patchStrategicMerge rule.
## Expected Behavior
The annotation `fluentbit.io/exclude-busybox: "true"` is expected to be written to the Deployment. If it is, the test passes. If it is not, the test fails.
## Reference Issue(s)
N/A

9
test/conformance/kuttl/mutate/e2e/variables-in-keys/policy-ready.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: structured-logs-sidecar
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

20
test/conformance/kuttl/mutate/e2e/variables-in-keys/policy.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: structured-logs-sidecar
spec:
background: false
rules:
- name: add-annotations
match:
any:
- resources:
kinds:
- Deployment
annotations:
structured-logs: "true"
mutate:
patchStrategicMerge:
metadata:
annotations:
"fluentbit.io/exclude-{{request.object.spec.template.spec.containers[0].name}}": "true"

45
test/conformance/kuttl/mutate/e2e/variables-in-keys/resource-mutated.yaml Normal file
View file

@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: busybox
namespace: default
annotations:
structured-logs: "true"
fluentbit.io/exclude-busybox: "true"
labels:
color: red
animal: bear
food: pizza
car: jeep
env: qa
spec:
replicas: 1
selector:
matchLabels:
app: busybox
template:
metadata:
labels:
app: busybox
spec:
containers:
- image: busybox:1.28
name: busybox
command: ["sleep", "9999"]
resources:
requests:
cpu: 100m
memory: 10Mi
limits:
cpu: 100m
memory: 10Mi
- image: busybox:1.28
name: busybox1
command: ["sleep", "9999"]
resources:
requests:
cpu: 100m
memory: 10Mi
limits:
cpu: 100m
memory: 20Mi

44
test/conformance/kuttl/mutate/e2e/variables-in-keys/resource.yaml Normal file
View file

@ -0,0 +1,44 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: busybox
namespace: default
annotations:
structured-logs: "true"
labels:
color: red
animal: bear
food: pizza
car: jeep
env: qa
spec:
replicas: 1
selector:
matchLabels:
app: busybox
template:
metadata:
labels:
app: busybox
spec:
containers:
- image: busybox:1.28
name: busybox
command: ["sleep", "9999"]
resources:
requests:
cpu: 100m
memory: 10Mi
limits:
cpu: 100m
memory: 10Mi
- image: busybox:1.28
name: busybox1
command: ["sleep", "9999"]
resources:
requests:
cpu: 100m
memory: 10Mi
limits:
cpu: 100m
memory: 20Mi