test: add kuttl test for policy exception (#5935)
This commit is contained in:
parent
e8e3f66c8b
commit
2c172b151c
18 changed files with 169 additions and 1 deletions
2
Makefile
2
Makefile
|
@ -59,7 +59,7 @@ HELM_DOCS_VERSION := v1.11.0
|
|||
KO := $(TOOLS_DIR)/ko
|
||||
KO_VERSION := main #e93dbee8540f28c45ec9a2b8aec5ef8e43123966
|
||||
KUTTL := $(TOOLS_DIR)/kubectl-kuttl
|
||||
KUTTL_VERSION := v0.0.0-20221129212128-ae4a56e607a7
|
||||
KUTTL_VERSION := v0.0.0-20230108220859-ef8d83c89156
|
||||
TOOLS := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO) $(KUTTL)
|
||||
ifeq ($(GOOS), darwin)
|
||||
SED := gsed
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-assert.yaml
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- exception.yaml
|
|
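Review bot: The step applies `exception.yaml` and finishes with no `assert:`, so the ConfigMap creation in the next step can race Kyverno's observation of the new PolicyException and be rejected intermittently. Adding `assert:` / `- exception.yaml` would at least make kuttl wait for the object to exist in the API server before step 3 runs. Whether that also guarantees the admission webhook has the exception cached is not something this page shows, so if flakes still appear a short settle step may be needed.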
@ -0,0 +1,10 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- file: configmap-allowed.yaml
|
||||
- file: configmap-rejected.yaml
|
||||
shouldFail: true
|
||||
assert:
|
||||
- configmap-allowed.yaml
|
||||
error:
|
||||
- configmap-rejected.yaml
|
|
@ -0,0 +1,13 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy, a policy exception and tries to create a couple configmaps.
|
||||
The policy exception is configured to apply only to the `emergency` configmap.
|
||||
The `emergency` configmap is expected to create fine while other configmaps creations should fail.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above, configured to apply to configmap named `emergency`
|
||||
1. - Try to create a confimap named `emergency`, expecting the creation to succeed
|
||||
- Try to create a confimap named `foo`, expecting the creation to fail
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: emergency
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: foo
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: kyverno.io/v2alpha1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: mynewpolex
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: require-labels
|
||||
ruleNames:
|
||||
- require-team
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
names:
|
||||
- emergency
|
|
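Review bot: The exception matches any ConfigMap named `emergency` with no `namespaces` or `subjects` restriction, so while this test runs it exempts every `emergency` ConfigMap in the cluster, not only the one in the test's namespace. The sibling test added by the same commit creates an `emergency` ConfigMap and expects it to be rejected; if the kuttl suite runs test directories concurrently (its config is not on this page), that expectation can fail because this exception also covers it. Giving each test its own ConfigMap name (and policy name) removes the overlap; scoping with `namespaces:` would be cleaner but the kuttl-generated namespace is not known when the manifest is written.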
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-labels
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
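Review bot: The assert queries the policy as `kyverno.io/v1` while `policy.yaml` creates it as `kyverno.io/v2beta1`, so the readiness check depends on served-version conversion rather than on the object as written. This presumably works because both versions are served, but pinning the assert to the same `apiVersion: kyverno.io/v2beta1` as the applied manifest keeps the two files in lockstep if v1 is ever dropped or its `status` shape diverges.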
@ -0,0 +1,20 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-labels
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
rules:
|
||||
- name: require-team
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
validate:
|
||||
message: 'The label `team` is required.'
|
||||
pattern:
|
||||
metadata:
|
||||
labels:
|
||||
team: '?*'
|
|
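Review bot: `require-labels` is a cluster-scoped ClusterPolicy name that this commit also uses in the second test, so the two tests share one object if they ever run at the same time: the second `apply` updates rather than creates it, and whichever test finishes first deletes it from under the other. Whether kuttl runs the directories in parallel depends on its config, which is not in this page, but a per-test policy name (mirrored in the exception's `policyName`) removes that dependency. Note also that while the policy is installed it enforces the `team` label on ConfigMaps in every namespace, not just the test's, so any other ConfigMap created in the cluster during that window is rejected.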
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-assert.yaml
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- exception.yaml
|
|
@ -0,0 +1,5 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- file: configmap.yaml
|
||||
shouldFail: true
|
|
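Review bot: This step only checks the negative path — the identity kuttl applies with is not `chip`, so the exception is ignored and the ConfigMap is rejected — which would also pass if `subjects` matching never matched anyone. A companion positive case, for example a `commands:` step running `kubectl create -f configmap.yaml --as chip` (which also needs RBAC granting that user ConfigMap create rights), would show the exception is honoured for the intended subject. The rejection is asserted only through `shouldFail: true`, so any failure reason is accepted; a `commands:` step checking the error output for the policy's validation message would tie the rejection to this policy rather than to, say, an unavailable webhook.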
@ -0,0 +1,15 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy, a policy exception and tries to create a configmap that violates the policy.
|
||||
The exception should not apply as it is for a specific user and the configmap creation is expected to be rejected.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above but for a specific user
|
||||
1. - Try to create a confimap, expecting the creation to fail
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
5930
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: emergency
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: kyverno.io/v2alpha1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: mynewpolex
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: require-labels
|
||||
ruleNames:
|
||||
- require-team
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
names:
|
||||
- emergency
|
||||
subjects:
|
||||
- kind: User
|
||||
name: chip
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-labels
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-labels
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
rules:
|
||||
- name: require-team
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
validate:
|
||||
message: 'The label `team` is required.'
|
||||
pattern:
|
||||
metadata:
|
||||
labels:
|
||||
team: '?*'
|