
test: add kuttl test for policy exception (#5935)

This commit is contained in:
Charles-Edouard Brétéché 2023-01-09 03:52:16 +01:00 committed by GitHub
parent e8e3f66c8b
commit 2c172b151c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 169 additions and 1 deletions


@ -59,7 +59,7 @@ HELM_DOCS_VERSION := v1.11.0
KO := $(TOOLS_DIR)/ko
KO_VERSION := main #e93dbee8540f28c45ec9a2b8aec5ef8e43123966
KUTTL := $(TOOLS_DIR)/kubectl-kuttl
KUTTL_VERSION := v0.0.0-20221129212128-ae4a56e607a7
KUTTL_VERSION := v0.0.0-20230108220859-ef8d83c89156
TOOLS := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO) $(KUTTL)
ifeq ($(GOOS), darwin)
SED := gsed


@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml


@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- exception.yaml
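Review bot: This step applies the PolicyException but carries no `assert:`, so the next step creates the `emergency` ConfigMap with no evidence that the exception has been admitted or observed by Kyverno; if the admission controller serves exceptions from a cache, the allowed create can race the exception and the test may flake. At minimum add `assert:` with a file asserting that PolicyException `mynewpolex` exists in the test namespace. If the resource exposes no readiness condition to wait on, a comment such as `# no readiness signal for PolicyException; the next step relies on it being picked up promptly` records why the assertion is weaker than the one in the policy step.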


@ -0,0 +1,10 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: configmap-allowed.yaml
- file: configmap-rejected.yaml
shouldFail: true
assert:
- configmap-allowed.yaml
error:
- configmap-rejected.yaml
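Review bot: The `shouldFail: true` on the `configmap-rejected.yaml` entry depends on a kuttl that understands per-file `shouldFail`; the same commit pins `KUTTL_VERSION` to the pseudo-version `v0.0.0-20230108220859-ef8d83c89156`, presumably because no tagged release accepts the field yet, and an older kuttl may ignore the unknown key and then fail the step at apply time. A comment above the entry, `# per-file shouldFail needs the kuttl pinned by KUTTL_VERSION in the Makefile`, saves the next person who runs this with a distro-packaged kuttl some confusion. Note also that the rendered view has lost indentation: `shouldFail: true` must sit under the second `- file:` item, not at the `apply:` level, or it applies to nothing.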


@ -0,0 +1,13 @@
## Description
This test creates a policy, a policy exception and tries to create a couple configmaps.
The policy exception is configured to apply only to the `emergency` configmap.
The `emergency` configmap is expected to create fine while other configmaps creations should fail.
## Steps
1. - Create a cluster policy
- Assert the policy becomes ready
1. - Create a policy exception for the cluster policy created above, configured to apply to configmap named `emergency`
1. - Try to create a confimap named `emergency`, expecting the creation to succeed
- Try to create a confimap named `foo`, expecting the creation to fail


@ -0,0 +1,4 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: emergency


@ -0,0 +1,4 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: foo


@ -0,0 +1,16 @@
apiVersion: kyverno.io/v2alpha1
kind: PolicyException
metadata:
name: mynewpolex
spec:
exceptions:
- policyName: require-labels
ruleNames:
- require-team
match:
any:
- resources:
kinds:
- ConfigMap
names:
- emergency
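Review bot: The match block selects by resource name only — `names:` with `emergency` and no `namespaces:` entry — so wherever this exception is honored, every ConfigMap called `emergency` is exempt from `require-team`, not only the one this test creates. For a fixture that is acceptable, but this file is the shape users will copy into real clusters, where an exception keyed on a bare name is a broad bypass of an Enforce policy. Since kuttl creates the test namespace dynamically a `namespaces:` entry may not be practical here, so add a comment instead, e.g. `# deliberately not namespace-scoped: kuttl picks the test namespace at run time`, so the breadth reads as intentional.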


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-labels
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,20 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: require-labels
spec:
validationFailureAction: Enforce
background: false
rules:
- name: require-team
match:
any:
- resources:
kinds:
- ConfigMap
validate:
message: 'The label `team` is required.'
pattern:
metadata:
labels:
team: '?*'
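Review bot: The ClusterPolicy is applied as `kyverno.io/v2beta1` here while `policy-assert.yaml` reads it back as `kyverno.io/v1`; that only works because both versions are served for the same stored object, which is presumably true but is not established by anything in this change. Using one apiVersion in both files, `apiVersion: kyverno.io/v2beta1` in the assert as well, removes the implicit dependency on version conversion and makes the assert fail loudly if `v2beta1` ever stops being served rather than silently passing through `v1`.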


@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml


@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- exception.yaml


@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: configmap.yaml
shouldFail: true
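Review bot: This step asserts only the negative outcome, `shouldFail: true` on `configmap.yaml`, and that outcome is identical to what happens when the exception is not honored at all — a wrong `policyName`, a `v2alpha1` version that is not served, or an exception not yet loaded all produce the same rejection — so the test cannot tell "`subjects` restricts the exception to `chip`" apart from "exceptions are broken". A positive control pins the intended behaviour: a `commands:` entry that submits the same manifest as the exempted user, e.g. `- command: kubectl apply -n $NAMESPACE -f configmap.yaml --as chip`, expected to succeed; impersonation needs `impersonate` RBAC for the runner's identity, which the kind admin kubeconfig presumably grants. Failing that, an `assert:` on the PolicyException's existence in the previous step at least rules out the "never created" case.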


@ -0,0 +1,15 @@
## Description
This test creates a policy, a policy exception and tries to create a configmap that violates the policy.
The exception should not apply as it is for a specific user and the configmap creation is expected to be rejected.
## Steps
1. - Create a cluster policy
- Assert the policy becomes ready
1. - Create a policy exception for the cluster policy created above but for a specific user
1. - Try to create a confimap, expecting the creation to fail
## Reference Issue(s)
5930


@ -0,0 +1,4 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: emergency


@ -0,0 +1,19 @@
apiVersion: kyverno.io/v2alpha1
kind: PolicyException
metadata:
name: mynewpolex
spec:
exceptions:
- policyName: require-labels
ruleNames:
- require-team
match:
any:
- resources:
kinds:
- ConfigMap
names:
- emergency
subjects:
- kind: User
name: chip


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-labels
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,20 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: require-labels
spec:
validationFailureAction: Enforce
background: false
rules:
- name: require-team
match:
any:
- resources:
kinds:
- ConfigMap
validate:
message: 'The label `team` is required.'
pattern:
metadata:
labels:
team: '?*'