Merge branch 'best_practice_policies' of https://github.com/nirmata/kyverno into best_practice_policies

examples/best_practices/resources/resource_validate_fsgroup.yaml

@@ -5,6 +5,8 @@ metadata:
 spec:
   securityContext:
     fsGroup: 2000                           # directory will have group ID 2000
+    runAsUser: 1000
+    runAsGroup: 3000
   volumes:
   - name: fsgroup-demo-vol
     emptyDir: {}

pkg/testrunner/scenario.go

@@ -137,8 +137,16 @@ func runTestCase(t *testing.T, tc scaseT) bool {
 	// apply policy
 	// convert policy -> kyverno.Policy
 	policy := loadPolicy(t, tc.Input.Policy)
+	if policy == nil {
+		t.Error("Policy no loaded")
+		t.FailNow()
+	}
 	// convert resource -> unstructured.Unstructured
 	resource := loadPolicyResource(t, tc.Input.Resource)
+	if resource == nil {
+		t.Error("Resources no loaded")
+		t.FailNow()
+	}
 
 	var er engine.EngineResponse
 	// Mutation

pkg/testrunner/testrunner_test.go

@@ -52,14 +52,6 @@ func Test_validate_image_latest_ifnotpresent_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml")
 }
 
-// func Test_validate_image_tag_notspecified_deny(t *testing.T) {
-// 	testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml")
-// }
-
-// func Test_validate_image_tag_notspecified_pass(t *testing.T) {
-// 	testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml")
-// }
-
 func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml")
 }
@@ -113,7 +105,7 @@ func Test_validate_disallow_default_serviceaccount(t *testing.T) {
 }
 
 func Test_validate_fsgroup(t *testing.T) {
-	// testScenario(t, "test/scenarios/test/scenario_validate_fsgroup.yaml")
+	testScenario(t, "test/scenarios/test/scenario_validate_fsgroup.yaml")
 }
 
 func Test_validate_selinux_context(t *testing.T) {
@@ -125,11 +117,11 @@ func Test_validate_proc_mount(t *testing.T) {
 }
 
 func Test_validate_container_capabilities(t *testing.T) {
-	// testScenario(t, "test/scenarios/test/scenario_validate_container_capabilities.yaml")
+	testScenario(t, "test/scenarios/test/scenario_validate_container_capabilities.yaml")
 }
 
 func Test_validate_disallow_sysctl(t *testing.T) {
-	// testScenario(t, "test/scenarios/test/scenario_validate_sysctl_configs.yaml")
+	testScenario(t, "test/scenarios/test/scenario_validate_sysctl_configs.yaml")
 }
 
 func Test_validate_volume_whitelist(t *testing.T) {

samples/additional/policy_validate_user_group_fsgroup_id.yaml

@@ -14,7 +14,7 @@ spec:
       pattern:
         spec:
           securityContext:
-            runAsUser: 1000
+            runAsUser: '1000'
   - name: validate-groupid
     match:
       resources:
@@ -25,18 +25,18 @@ spec:
       pattern:
         spec:
           securityContext:
-            runAsGroup: 3000
+            runAsGroup: '3000'
   - name: validate-fsgroup
     match:
       resources:
         kinds:
         - Pod
     validate:
-      message: "fsgroup should be 3000"
+      message: "fsgroup should be 2000"
       pattern:
         spec:
           securityContext:
-            fsGroup: 2000
+            fsGroup: '2000'
 # Alls processes inside the pod can be made to run with specific user and groupID by setting runAsUser and runAsGroup respectively.
 # fsGroup can be specified to make sure any file created in the volume with have the specified groupID.
 # The above parameters can also be used in a validate policy to restrict user & group IDs.

test/scenarios/test/scenario_validate_container_capabilities.yaml

@@ -1,7 +1,7 @@
 
 # file path relative to project root
 input:
-  policy: examples/best_practices/policy_validate_container_capabilities.yaml
+  policy: samples/additional/policy_validate_container_capabilities.yaml
   resource: examples/best_practices/resources/resource_validate_container_capabilities.yaml
 expected:
   validation:

test/scenarios/test/scenario_validate_fsgroup.yaml

@@ -1,19 +1,27 @@
 
 # file path relative to project root
 input:
-  policy: examples/best_practices/policy_validate_fsgroup.yaml
+  policy: samples/additional/policy_validate_user_group_fsgroup_id.yaml
   resource: examples/best_practices/resources/resource_validate_fsgroup.yaml
 expected:
   validation:
     policyresponse:
-      policy: validate-fsgroup
+      policy: validate-userid-groupid-fsgroup
       resource:
         kind: Pod
         apiVersion: v1
         namespace: ''
         name: fsgroup-demo
       rules:
+        - name: validate-userid
+          type: Validation
+          message: Validation rule 'validate-userid' succesfully validated
+          success: true
+        - name: validate-groupid
+          type: Validation
+          message: Validation rule 'validate-groupid' succesfully validated
+          success: true
         - name: validate-fsgroup
           type: Validation
-          message: "Validation rule 'validate-fsgroup' failed at '/spec/securityContext/fsGroup/' for resource Pod//fsgroup-demo. directory should have group ID 2000"
+          message: Validation rule 'validate-fsgroup' succesfully validated
-          success: false
+          success: true

test/scenarios/test/scenario_validate_sysctl_configs.yaml

@@ -1,7 +1,7 @@
 
 # file path relative to project root
 input:
-  policy: examples/best_practices/policy_validate_sysctl_configs.yaml
+  policy: samples/additional/policy_validate_sysctl_configs.yaml
   resource: examples/best_practices/resources/resource_validate_sysctl_configs.yaml
 expected:
   validation: