test: add kuttl test for policy exception (#5935)

2025-03-28 10:28:36 +00:00 · 2023-01-09 03:52:16 +01:00 · 2023-01-09 03:52:16 +01:00 · 2c172b151c
commit 2c172b151c
parent e8e3f66c8b
18 changed files with 169 additions and 1 deletions
--- a/2
+++ b/2
@ -59,7 +59,7 @@ HELM_DOCS_VERSION                  := v1.11.0
 KO                                 := $(TOOLS_DIR)/ko
 KO_VERSION                         := main #e93dbee8540f28c45ec9a2b8aec5ef8e43123966
 KUTTL                              := $(TOOLS_DIR)/kubectl-kuttl
-KUTTL_VERSION                      := v0.0.0-20221129212128-ae4a56e607a7
+KUTTL_VERSION                      := v0.0.0-20230108220859-ef8d83c89156
 TOOLS                              := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO) $(KUTTL)
 ifeq ($(GOOS), darwin)
 SED                                := gsed
--- a/test/conformance/kuttl/exceptions/allows-rejects-creation/01-policy.yaml
+++ b/test/conformance/kuttl/exceptions/allows-rejects-creation/01-policy.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
--- a/test/conformance/kuttl/exceptions/allows-rejects-creation/02-exception.yaml
+++ b/test/conformance/kuttl/exceptions/allows-rejects-creation/02-exception.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- exception.yaml
--- a/test/conformance/kuttl/exceptions/allows-rejects-creation/03-configmap.yaml
+++ b/test/conformance/kuttl/exceptions/allows-rejects-creation/03-configmap.yaml
@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: configmap-allowed.yaml
+- file: configmap-rejected.yaml
+  shouldFail: true
+assert:
+- configmap-allowed.yaml
+error:
+- configmap-rejected.yaml
--- a/test/conformance/kuttl/exceptions/allows-rejects-creation/README.md
+++ b/test/conformance/kuttl/exceptions/allows-rejects-creation/README.md
@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy, a policy exception and tries to create a couple configmaps.
+The policy exception is configured to apply only to the `emergency` configmap.
+The `emergency` configmap is expected to create fine while other configmaps creations should fail.
+
+## Steps
+
+1.  - Create a cluster policy
+    - Assert the policy becomes ready
+1.  - Create a policy exception for the cluster policy created above, configured to apply to configmap named `emergency`
+1.  - Try to create a confimap named `emergency`, expecting the creation to succeed
+    - Try to create a confimap named `foo`, expecting the creation to fail
--- a/test/conformance/kuttl/exceptions/allows-rejects-creation/configmap-allowed.yaml
+++ b/test/conformance/kuttl/exceptions/allows-rejects-creation/configmap-allowed.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: emergency
--- a/test/conformance/kuttl/exceptions/allows-rejects-creation/configmap-rejected.yaml
+++ b/test/conformance/kuttl/exceptions/allows-rejects-creation/configmap-rejected.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: foo
--- a/test/conformance/kuttl/exceptions/allows-rejects-creation/exception.yaml
+++ b/test/conformance/kuttl/exceptions/allows-rejects-creation/exception.yaml
@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: mynewpolex
+spec:
+  exceptions:
+    - policyName: require-labels
+      ruleNames:
+        - require-team
+  match:
+    any:
+      - resources:
+          kinds:
+            - ConfigMap
+          names:
+            - emergency
--- a/test/conformance/kuttl/exceptions/allows-rejects-creation/policy-assert.yaml
+++ b/test/conformance/kuttl/exceptions/allows-rejects-creation/policy-assert.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/kuttl/exceptions/allows-rejects-creation/policy.yaml
+++ b/test/conformance/kuttl/exceptions/allows-rejects-creation/policy.yaml
@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+    - name: require-team
+      match:
+        any:
+          - resources:
+              kinds:
+                - ConfigMap
+      validate:
+        message: 'The label `team` is required.'
+        pattern:
+          metadata:
+            labels:
+              team: '?*'
--- a/test/conformance/kuttl/exceptions/only-for-specific-user/01-policy.yaml
+++ b/test/conformance/kuttl/exceptions/only-for-specific-user/01-policy.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
--- a/test/conformance/kuttl/exceptions/only-for-specific-user/02-exception.yaml
+++ b/test/conformance/kuttl/exceptions/only-for-specific-user/02-exception.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- exception.yaml
--- a/test/conformance/kuttl/exceptions/only-for-specific-user/03-configmap.yaml
+++ b/test/conformance/kuttl/exceptions/only-for-specific-user/03-configmap.yaml
@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: configmap.yaml
+  shouldFail: true
--- a/test/conformance/kuttl/exceptions/only-for-specific-user/README.md
+++ b/test/conformance/kuttl/exceptions/only-for-specific-user/README.md
@ -0,0 +1,15 @@
+## Description
+
+This test creates a policy, a policy exception and tries to create a configmap that violates the policy.
+The exception should not apply as it is for a specific user and the configmap creation is expected to be rejected.
+
+## Steps
+
+1.  - Create a cluster policy
+    - Assert the policy becomes ready
+1.  - Create a policy exception for the cluster policy created above but for a specific user
+1.  - Try to create a confimap, expecting the creation to fail
+
+## Reference Issue(s)
+
+5930
--- a/test/conformance/kuttl/exceptions/only-for-specific-user/configmap.yaml
+++ b/test/conformance/kuttl/exceptions/only-for-specific-user/configmap.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: emergency
--- a/test/conformance/kuttl/exceptions/only-for-specific-user/exception.yaml
+++ b/test/conformance/kuttl/exceptions/only-for-specific-user/exception.yaml
@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: mynewpolex
+spec:
+  exceptions:
+    - policyName: require-labels
+      ruleNames:
+        - require-team
+  match:
+    any:
+      - resources:
+          kinds:
+            - ConfigMap
+          names:
+            - emergency
+        subjects:
+          - kind: User
+            name: chip
--- a/test/conformance/kuttl/exceptions/only-for-specific-user/policy-assert.yaml
+++ b/test/conformance/kuttl/exceptions/only-for-specific-user/policy-assert.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/kuttl/exceptions/only-for-specific-user/policy.yaml
+++ b/test/conformance/kuttl/exceptions/only-for-specific-user/policy.yaml
@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+    - name: require-team
+      match:
+        any:
+          - resources:
+              kinds:
+                - ConfigMap
+      validate:
+        message: 'The label `team` is required.'
+        pattern:
+          metadata:
+            labels:
+              team: '?*'