
feat: add chainsaw tests for validate policies (#10544)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2024-06-26 18:39:54 +08:00 committed by GitHub
parent e900abf3a0
commit 340009f55f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
129 changed files with 3360 additions and 22 deletions


@ -0,0 +1,39 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: conditional-anchor
spec:
steps:
- name: apply-namespace
try:
- apply:
file: namespace.yaml
- name: apply-policy
try:
- apply:
file: policy.yaml
- assert:
file: policy-ready.yaml
- name: apply-labelled-resource
try:
- apply:
file: labelled-resource.yaml
- name: apply-unlabelled-resource
try:
- apply:
file: unlabelled-resource.yaml
- name: apply-scaling
try:
- script:
content:
"if kubectl -n test-anchors scale deployment labelled-deployment --replicas 2\nthen
\n exit 0\nelse \n exit 1\nfi\n"
- script:
content:
"if kubectl -n test-anchors scale deployment labelled-deployment --replicas 9\nthen
\n exit 1\nelse \n exit 0\nfi\n"
- script:
content:
"if kubectl -n test-anchors scale deployment unlabelled-deployment --replicas 9\nthen
\n exit 0\nelse \n exit 1\nfi\n"
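Review bot: The second script in `apply-scaling` (the `--replicas 9` attempt on `labelled-deployment`) exits 0 whenever `kubectl scale` fails, so a missing deployment, a wrong kube context or an unrelated API error passes the step exactly like a policy denial; only a denial that carries the rule's message shows the anchor actually fired. Other tests in this commit use chainsaw's `check` for that, e.g. `check:` / `(contains($stderr, 'may not exceed 8')): true`, which would pin the reason here as well. The three scripts are also written as double-quoted strings with embedded `\n`, which a `|` block scalar (as used in the apply-on-deletion test) reads far better.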


@ -0,0 +1,24 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: busybox
type: monitoring
name: labelled-deployment
namespace: test-anchors
spec:
replicas: 1
selector:
matchLabels:
app: busybox
type: monitoring
strategy: {}
template:
metadata:
labels:
app: busybox
type: monitoring
spec:
containers:
- name: busybox
image: busybox:1.35


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: test-anchors


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-scale
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,38 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: restrict-scale
annotations:
policies.kyverno.io/title: Restrict Scale
policies.kyverno.io/category: Other
policies.kyverno.io/severity: medium
kyverno.io/kyverno-version: 1.9.0
policies.kyverno.io/minversion: 1.9.0
kyverno.io/kubernetes-version: "1.24"
policies.kyverno.io/subject: Deployment
policies.kyverno.io/description: >-
Pod controllers such as Deployments which implement replicas and permit the scale action
use a `/scale` subresource to control this behavior. In addition to checks for creations of
such controllers that their replica is in a certain shape, the scale operation and subresource
needs to be accounted for as well. This policy, operable beginning in Kyverno 1.9, is a collection
of rules which can be used to limit the replica count both upon creation of a Deployment and
when a scale operation is performed.
spec:
validationFailureAction: Enforce
background: false
rules:
# This rule can be used to limit scale operations based upon Deployment labels assuming the given label
# is also used as a selector.
- name: scale-max-eight
match:
any:
- resources:
kinds:
- Deployment/scale
validate:
message: The replica count for this Deployment may not exceed 8.
pattern:
(status):
(selector): "*type=monitoring*"
spec:
replicas: <9
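Review bot: The `policies.kyverno.io/description` annotation says this policy limits the replica count "both upon creation of a Deployment and when a scale operation is performed", but the only rule, `scale-max-eight`, matches `Deployment/scale`; a Deployment created directly with `replicas: 9` is not covered by this file. Either trim the description to what is enforced (`...limit the replica count when a scale operation is performed on a Deployment whose selector carries type=monitoring.`) or add the creation-time rule it promises. The `kyverno.io/v2beta1` apiVersion also differs from the `kyverno.io/v1` used by policy-ready.yaml; it most likely still asserts because both versions are served, but one version across the pair is easier to keep in sync.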


@ -0,0 +1,21 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: busybox
name: unlabelled-deployment
namespace: test-anchors
spec:
replicas: 1
selector:
matchLabels:
app: busybox
strategy: {}
template:
metadata:
labels:
app: busybox
spec:
containers:
- name: busybox
image: busybox:1.35


@ -18,7 +18,6 @@ metadata:
of rules which can be used to limit the replica count both upon creation of a Deployment and
when a scale operation is performed.
spec:
validationFailureAction: Enforce
background: false
rules:
# This rule can be used to limit scale operations based upon Deployment labels assuming the given label
@ -30,6 +29,7 @@ spec:
kinds:
- Deployment/scale
validate:
validationFailureAction: Enforce
message: The replica count for this Deployment may not exceed 8.
pattern:
(status):


@ -0,0 +1,11 @@
## Description
This test ensures the policy is applied on the resource to be deleted (deletionTimestamp is set).
## Expected Behavior
With a bogus finalizer added to the service, the resource deletion is blocked as no controller serves behind to perform deletion. During this time, when one tries to patch the service that violates the policy, the patch request should be blocked. While if the patch doesn't result in an violation it should be allowed.
## Reference Issue(s)
N/A


@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
labels:
name: podinfo
namespace: apply-on-deletion-ns
name: podinfo
namespace: apply-on-deletion-ns
spec:
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: http
port: 9898
protocol: TCP
targetPort: http
- name: grpc
port: 9999
protocol: TCP
targetPort: grpc
selector:
app: podinfo
sessionAffinity: None
type: ClusterIP


@ -0,0 +1,43 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: apply-on-deletion
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-ready.yaml
- name: step-02
try:
- apply:
file: ns.yaml
- apply:
file: service.yaml
- assert:
file: service.yaml
- name: step-03
try:
- script:
content: |
kubectl patch service podinfo -p '{"metadata":{"finalizers":["bburky.com/hax"]}}' -n apply-on-deletion-ns
kubectl delete service podinfo --wait=false -n apply-on-deletion-ns
- name: step-04
try:
- script:
content: "if kubectl patch service podinfo -p '{\"spec\":{\"type\":\"NodePort\",\"ports\":[{\"port\":9898,\"nodePort\":32000}]}}'
-n apply-on-deletion-ns\nthen \n echo \"Tested failed. The service type
cannot be changed to NodePort\"\n exit 1 \nelse \n echo \"Test succeeded.
The service update is blocked\"\n exit 0\nfi\n"
- name: step-05
try:
- apply:
file: chainsaw-step-05-apply-1-1.yaml
- name: step-06
try:
- script:
content: |
kubectl patch service podinfo -p '{"metadata":{"finalizers":null}}' -n apply-on-deletion-ns
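Review bot: The finalizer added in `step-03` (`bburky.com/hax`) is only removed in `step-06`, which runs only if `step-04` and `step-05` succeed; a failure in either leaves `podinfo`, and with it the `apply-on-deletion-ns` namespace, stuck in Terminating, so chainsaw's own cleanup of ns.yaml then hangs or times out for every later run on the same cluster. Move the removal into a `finally:` block on `step-03` so it always runs: `finally:` / `- script:` / `content: kubectl patch service podinfo -p '{"metadata":{"finalizers":null}}' -n apply-on-deletion-ns`. Separately, the `step-04` script passes on any `kubectl patch` error rather than only a policy denial, and its `echo "Tested failed...` text has a typo; a `check` with `(contains($stderr, 'Services of type NodePort are not allowed.')): true`, as the cel-messages test does, makes the expectation explicit and lets the script shrink to the single patch command.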


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: apply-on-deletion-ns


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cpol-apply-on-deletion
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,19 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cpol-apply-on-deletion
spec:
validationFailureAction: Enforce
background: true
rules:
- name: validate-nodeport
match:
any:
- resources:
kinds:
- Service
validate:
message: "Services of type NodePort are not allowed."
pattern:
spec:
=(type): "!NodePort"
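Review bot: This ClusterPolicy enforces `!NodePort` on every Service in the cluster (no `namespaces` or selector under `match`) for as long as the test runs, and `background: true` additionally scans Services that already exist; any other test or workload creating a NodePort Service in that window is denied for a reason unrelated to it. Scoping the match to the test namespace, `namespaces:` / `- apply-on-deletion-ns` under `resources:`, keeps the blast radius to this test without changing what it verifies. The same applies to `restrict-image-registries` in the ephemeral-containers test, whose cluster-wide image allow-list would reject a Pod from any other registry (the cel test's `nginx:latest` Pod, for instance) if the two ever run concurrently.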


@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: podinfo
namespace: apply-on-deletion-ns
spec:
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: http
port: 9898
protocol: TCP
targetPort: http
- name: grpc
port: 9999
protocol: TCP
targetPort: grpc
selector:
app: podinfo
sessionAffinity: None
type: ClusterIP


@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: cpol-apply-on-deletion
spec:
validationFailureAction: Enforce
background: true
rules:
- name: validate-nodeport
@ -13,6 +12,7 @@ spec:
kinds:
- Service
validate:
validationFailureAction: Enforce
message: "Services of type NodePort are not allowed."
pattern:
spec:


@ -0,0 +1,11 @@
## Description
This test creates a policy that uses CEL expressions to disallow host ports in pods.
## Expected Behavior
The pod `pod-fail` is blocked, and a message is displayed indicating the reason of failure.
## Reference Issue(s)
8826


@ -0,0 +1,20 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: cel-messages-upon-resource-failure
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-02
try:
- script:
content: kubectl apply -f pod-fail.yaml
check:
# This check below ensures that the string 'hostPort must either be unset or set to 0' is found in stderr or else fails
(contains($stderr, 'hostPort must either be unset or set to 0')): true
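Review bot: `kubectl apply -f pod-fail.yaml` in `step-02` passes no namespace, so if the policy ever fails to deny the Pod it lands in whatever namespace the kubeconfig context selects (typically `default`) and is never cleaned up, since chainsaw only tracks resources it applied itself. Passing the test namespace keeps the failure mode self-contained: `content: kubectl apply -n $NAMESPACE -f pod-fail.yaml`; chainsaw exposes the test namespace to scripts as `$NAMESPACE`, but confirm against the chainsaw version pinned in this repo. The `check` itself is right — the stderr `contains` match is exactly what the README promises.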


@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: webserver-pod
spec:
containers:
- name: webserver
image: nginx:latest
ports:
- hostPort: 80
containerPort: 8080


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-port-in-pods
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,21 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-port-in-pods
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: Enforce
background: false
rules:
- name: host-port-pods
match:
any:
- resources:
kinds:
- Pod
validate:
message: "hostPort must either be unset or set to 0"
cel:
expressions:
- expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))"


@ -5,7 +5,6 @@ metadata:
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: Enforce
background: false
rules:
- name: host-port-pods
@ -15,6 +14,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Enforce
message: "hostPort must either be unset or set to 0"
cel:
expressions:


@ -0,0 +1,11 @@
## Description
This test ensures that the policies that are skipped because of preconditions aren't included in admission requests denial responses
## Expected Behavior
The resource will be blocked because it violates the `require-ns-owner-label` policy. As a result, its message will only be displayed.
## Reference Issue(s)
#9502


@ -0,0 +1,35 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: check-message-upon-resource-failure
spec:
steps:
- name: step-01
try:
- apply:
file: policy-1.yaml
- assert:
file: policy-assert1.yaml
- name: step-02
try:
- apply:
file: policy-2.yaml
- assert:
file: policy-assert2.yaml
- name: step-03
try:
- script:
content: kubectl apply -f resource.yaml
check:
# This check ensures the contents of stderr are exactly as shown.
($stderr): |-
Error from server: error when creating "resource.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:
resource Namespace//asdfhl was blocked due to the following policies
require-ns-owner-label:
check-for-namespace-owner-label: 'validation error: The label `uw.systems/owner`
is required. Check policy at https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml
for allowed label values. rule check-for-namespace-owner-label failed at path
/metadata/labels/uw.systems/owner/'
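Review bot: The `($stderr)` check pins the entire admission error byte-for-byte, including the webhook name `validate.kyverno.svc-fail`, the `Error from server:` prefix and the line-wrapping of the policy message, so any cosmetic change to Kyverno's or kubectl's error formatting fails a test whose stated purpose (per the README) is only that the skipped `preconditions-check` policy is absent from the response. Two `contains` checks express that directly and survive formatting changes: `(contains($stderr, 'require-ns-owner-label')): true` and `(contains($stderr, 'preconditions-check')): false`. If the exact wording is intentionally under test, a comment saying so above the check would stop the next maintainer from loosening it.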


@ -0,0 +1,46 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-ns-owner-label
spec:
validationFailureAction: Enforce
background: false
rules:
- name: check-for-namespace-owner-label
match:
any:
- resources:
kinds:
- Namespace
validate:
message: >-
The label `uw.systems/owner` is required. Check policy at
https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml
for allowed label values.
pattern:
metadata:
labels:
uw.systems/owner: >-
account-platform
|bill
|billing
|btg-operations
|btg-security
|cbc
|contact-channels
|crm
|customer
|customer-platform
|customer-support
|data
|data-infra
|dev-enablement
|digital-support
|energy
|iam
|insurance
|partner
|payment
|system
|telecom
|unicom


@ -0,0 +1,28 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: preconditions-check
spec:
validationFailureAction: Enforce
background: false
rules:
- name: check-label
match:
any:
- resources:
kinds:
- Namespace
preconditions:
all:
- key: "{{ request.object.metadata.annotations.foo || '' }}"
operator: Equals
value: foo
validate:
message: >-
The label `uw.systems/owner` is required. Check policy at
https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml
for allowed label values.
pattern:
metadata:
labels:
uw.systems/foo: bar
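Review bot: The `message` of `check-label` is copied from `require-ns-owner-label` and says the `uw.systems/owner` label is required, but the pattern actually checks `uw.systems/foo: bar`; in this test the rule is skipped by its precondition so the text never surfaces, but anyone reusing the fixture gets a denial that points at the wrong label and at an external repo URL that does not describe this rule. A message that matches the pattern, `message: "The label uw.systems/foo must be set to bar."`, is all that is needed.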


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-ns-owner-label
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: preconditions-check
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: asdfhl
labels:
app-type: corp
annotations:
cloud.platformzero.com/serviceClass: "xl2"


@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: require-ns-owner-label
spec:
validationFailureAction: Enforce
background: false
rules:
- name: check-for-namespace-owner-label
@ -13,6 +12,7 @@ spec:
kinds:
- Namespace
validate:
validationFailureAction: Enforce
message: >-
The label `uw.systems/owner` is required. Check policy at
https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml


@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: preconditions-check
spec:
validationFailureAction: Enforce
background: false
rules:
- name: check-label
@ -18,6 +17,7 @@ spec:
operator: Equals
value: foo
validate:
validationFailureAction: Enforce
message: >-
The label `uw.systems/owner` is required. Check policy at
https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml


@ -0,0 +1,11 @@
## Description
This test ensures that Kyverno is able to perform basic validation functions against ephemeral containers.
## Expected Behavior
The initial Pod should be successfully created. An ephemeral container, added via the `kubectl debug` imperative command, should be allowed because it does not violate the policy. If the ephemeral container is added, the test passes. If the debug is blocked, the test fails.
## Reference Issue(s)
6943


@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: mypod
namespace: default
spec:
containers:
- image: bar.io/busybox:1.35
name: busybox
ephemeralContainers:
- image: bar.io/busybox:1.35
name: debugger


@ -0,0 +1,35 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: ephemeral-containers
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-ready.yaml
- name: step-02
try:
- apply:
file: resource.yaml
- assert:
file: resource-assert.yaml
- name: step-03
try:
- command:
args:
- debug
- --image=bar.io/busybox:1.35
- -c
- debugger
- mypod
- -n
- default
entrypoint: kubectl
- name: step-04
try:
- apply:
file: chainsaw-step-04-apply-1-1.yaml
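Review bot: `step-04` applies `chainsaw-step-04-apply-1-1.yaml`, a Pod manifest carrying `ephemeralContainers`, rather than asserting it; the README says the test passes only if the ephemeral container was actually added, and an `apply:` does not verify that. Ephemeral containers are writable only through the Pod's `ephemeralcontainers` subresource, so an apply through the main Pod resource is expected to be ignored or rejected by the API server either way (confirm against the cluster version used in CI), meaning the step cannot establish what the README claims. Replacing `- apply:` with `- assert:` for that file, and renaming it to something like `resource-with-debugger-assert.yaml`, makes the intent explicit; `step-03` already fails the test when the debug is blocked, since `kubectl debug` returns non-zero on denial.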


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-image-registries
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,24 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-image-registries
spec:
validationFailureAction: Enforce
background: false
rules:
- name: validate-registries
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Unknown image registry."
pattern:
spec:
=(ephemeralContainers):
- image: "eu.foo.io/* | bar.io/*"
=(initContainers):
- image: "eu.foo.io/* | bar.io/*"
containers:
- image: "eu.foo.io/* | bar.io/*"


@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: mypod
namespace: default


@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
labels:
app: busybox
name: mypod
namespace: default
spec:
automountServiceAccountToken: false
containers:
- name: busybox
image: bar.io/busybox:1.35


@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: restrict-image-registries
spec:
validationFailureAction: Enforce
background: false
rules:
- name: validate-registries
@ -13,6 +12,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Enforce
message: "Unknown image registry."
pattern:
spec:


@ -0,0 +1,23 @@
## Description
Tests the ability to create both a ClusterPolicy and a Policy when there is an external API provider registered in the cluster but with no resources which fall under that group.
## Expected Behavior
Both ClusterPolicy and Policy should be successfully created.
## Reference Issue(s)
918
942
1324
1325
1490
1830
2126
2162
2267
2684
3244
3788
5221


@ -0,0 +1,25 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: external-metrics
spec:
steps:
- name: step-00
try:
- apply:
file: keda.yaml
- assert:
file: keda-ready.yaml
- name: step-01
try:
- apply:
file: cluster-policy.yaml
- assert:
file: cluster-policy-ready.yaml
- name: step-02
try:
- apply:
file: policy.yaml
- assert:
file: policy-ready.yaml


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: external-metrics-policy
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,30 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: external-metrics-policy
spec:
validationFailureAction: Enforce
background: false
rules:
- name: external-metrics-rule
match:
all:
- clusterRoles:
- evil-cr
resources:
kinds:
- Secret
validate:
message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
deny:
conditions:
any:
- key: '{{request.operation}}'
operator: Equals
value: DELETE
- key: '{{request.operation}}'
operator: Equals
value: UPDATE
- key: '{{request.operation}}'
operator: Equals
value: CREATE
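Review bot: The deny `message` interpolates `{{request.oldObject.kind}}` and `{{request.oldObject.name}}`, but one of the deny conditions is `request.operation` equals `CREATE`, where `request.oldObject` is not populated; on a create the message will either render empty or fail variable substitution depending on the Kyverno version (confirm). Since the three `any` conditions together cover CREATE, UPDATE and DELETE, the deny is unconditional and the conditions block could be dropped. That is harmless for this test, which only checks the policy becomes Ready with an external metrics APIService present, but a comment above `rules:` such as `# Intentionally always denies; only policy admission alongside an aggregated API group is under test.` would stop the rule from being copied as a real policy.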


@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: keda-metrics-apiserver
namespace: keda
status:
availableReplicas: 1
readyReplicas: 1
replicas: 1
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: scaledobjects.keda.sh
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1beta1.external.metrics.k8s.io
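Review bot: The APIService `v1beta1.external.metrics.k8s.io` is asserted only by name, so the step passes as soon as the object exists, before the aggregator has actually reached the keda metrics-apiserver; the scenario the README references (policy creation while an external API group is registered) depends on whether that group is discoverable, which is what the APIService's `Available` condition reports. Asserting that condition makes the precondition deterministic instead of a race against the metrics-apiserver readiness probe, and the Deployment replica counts above then become redundant but harmless.

```yaml
# … unchanged: Deployment and CustomResourceDefinition documents …
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1beta1.external.metrics.k8s.io
status:
  conditions:
    - type: Available
      status: "True"
```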


@ -0,0 +1,768 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: keda
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.9.0
labels:
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: scaledobjects.keda.sh
spec:
group: keda.sh
names:
kind: ScaledObject
listKind: ScaledObjectList
plural: scaledobjects
shortNames:
- so
singular: scaledobject
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.scaleTargetKind
name: ScaleTargetKind
type: string
- jsonPath: .spec.scaleTargetRef.name
name: ScaleTargetName
type: string
- jsonPath: .spec.minReplicaCount
name: Min
type: integer
- jsonPath: .spec.maxReplicaCount
name: Max
type: integer
- jsonPath: .spec.triggers[*].type
name: Triggers
type: string
- jsonPath: .spec.triggers[*].authenticationRef.name
name: Authentication
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .status.conditions[?(@.type=="Active")].status
name: Active
type: string
- jsonPath: .status.conditions[?(@.type=="Fallback")].status
name: Fallback
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ScaledObject is a specification for a ScaledObject resource
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ScaledObjectSpec is the spec for a ScaledObject resource
properties:
advanced:
description: AdvancedConfig specifies advance scaling options
properties:
horizontalPodAutoscalerConfig:
description: HorizontalPodAutoscalerConfig specifies horizontal
scale config
properties:
behavior:
description: HorizontalPodAutoscalerBehavior configures the
scaling behavior of the target in both Up and Down directions
(scaleUp and scaleDown fields respectively).
properties:
scaleDown:
description: scaleDown is scaling policy for scaling Down.
If not set, the default value is to allow to scale down
to minReplicas pods, with a 300 second stabilization
window (i.e., the highest recommendation for the last
300sec is used).
properties:
policies:
description: policies is a list of potential scaling
polices which can be used during scaling. At least
one policy must be specified, otherwise the HPAScalingRules
will be discarded as invalid
items:
description: HPAScalingPolicy is a single policy
which must hold true for a specified past interval.
properties:
periodSeconds:
description: PeriodSeconds specifies the window
of time for which the policy should hold true.
PeriodSeconds must be greater than zero and
less than or equal to 1800 (30 min).
format: int32
type: integer
type:
description: Type is used to specify the scaling
policy.
type: string
value:
description: Value contains the amount of change
which is permitted by the policy. It must
be greater than zero
format: int32
type: integer
required:
- periodSeconds
- type
- value
type: object
type: array
selectPolicy:
description: selectPolicy is used to specify which
policy should be used. If not set, the default value
MaxPolicySelect is used.
type: string
stabilizationWindowSeconds:
description: 'StabilizationWindowSeconds is the number
of seconds for which past recommendations should
be considered while scaling up or scaling down.
StabilizationWindowSeconds must be greater than
or equal to zero and less than or equal to 3600
(one hour). If not set, use the default values:
- For scale up: 0 (i.e. no stabilization is done).
- For scale down: 300 (i.e. the stabilization window
is 300 seconds long).'
format: int32
type: integer
type: object
scaleUp:
description: 'scaleUp is scaling policy for scaling Up.
If not set, the default value is the higher of: * increase
no more than 4 pods per 60 seconds * double the number
of pods per 60 seconds No stabilization is used.'
properties:
policies:
description: policies is a list of potential scaling
polices which can be used during scaling. At least
one policy must be specified, otherwise the HPAScalingRules
will be discarded as invalid
items:
description: HPAScalingPolicy is a single policy
which must hold true for a specified past interval.
properties:
periodSeconds:
description: PeriodSeconds specifies the window
of time for which the policy should hold true.
PeriodSeconds must be greater than zero and
less than or equal to 1800 (30 min).
format: int32
type: integer
type:
description: Type is used to specify the scaling
policy.
type: string
value:
description: Value contains the amount of change
which is permitted by the policy. It must
be greater than zero
format: int32
type: integer
required:
- periodSeconds
- type
- value
type: object
type: array
selectPolicy:
description: selectPolicy is used to specify which
policy should be used. If not set, the default value
MaxPolicySelect is used.
type: string
stabilizationWindowSeconds:
description: 'StabilizationWindowSeconds is the number
of seconds for which past recommendations should
be considered while scaling up or scaling down.
StabilizationWindowSeconds must be greater than
or equal to zero and less than or equal to 3600
(one hour). If not set, use the default values:
- For scale up: 0 (i.e. no stabilization is done).
- For scale down: 300 (i.e. the stabilization window
is 300 seconds long).'
format: int32
type: integer
type: object
type: object
name:
type: string
type: object
restoreToOriginalReplicaCount:
type: boolean
type: object
cooldownPeriod:
format: int32
type: integer
fallback:
description: Fallback is the spec for fallback options
properties:
failureThreshold:
format: int32
type: integer
replicas:
format: int32
type: integer
required:
- failureThreshold
- replicas
type: object
idleReplicaCount:
format: int32
type: integer
maxReplicaCount:
format: int32
type: integer
minReplicaCount:
format: int32
type: integer
pollingInterval:
format: int32
type: integer
scaleTargetRef:
description: ScaleTarget holds the a reference to the scale target
Object
properties:
apiVersion:
type: string
envSourceContainerName:
type: string
kind:
type: string
name:
type: string
required:
- name
type: object
triggers:
items:
description: ScaleTriggers reference the scaler that will be used
properties:
authenticationRef:
description: ScaledObjectAuthRef points to the TriggerAuthentication
or ClusterTriggerAuthentication object that is used to authenticate
the scaler with the environment
properties:
kind:
description: Kind of the resource being referred to. Defaults
to TriggerAuthentication.
type: string
name:
type: string
required:
- name
type: object
metadata:
additionalProperties:
type: string
type: object
metricType:
description: MetricTargetType specifies the type of metric being
targeted, and should be either "Value", "AverageValue", or
"Utilization"
type: string
name:
type: string
type:
type: string
required:
- metadata
- type
type: object
type: array
required:
- scaleTargetRef
- triggers
type: object
status:
description: ScaledObjectStatus is the status for a ScaledObject resource
properties:
conditions:
description: Conditions an array representation to store multiple
Conditions
items:
description: Condition to store the condition state
properties:
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition
type: string
required:
- status
- type
type: object
type: array
externalMetricNames:
items:
type: string
type: array
health:
additionalProperties:
description: HealthStatus is the status for a ScaledObject's health
properties:
numberOfFailures:
format: int32
type: integer
status:
description: HealthStatusType is an indication of whether the
health status is happy or failing
type: string
type: object
type: object
hpaName:
type: string
lastActiveTime:
format: date-time
type: string
originalReplicaCount:
format: int32
type: integer
pausedReplicaCount:
format: int32
type: integer
resourceMetricNames:
items:
type: string
type: array
scaleTargetGVKR:
description: GroupVersionKindResource provides unified structure for
schema.GroupVersionKind and Resource
properties:
group:
type: string
kind:
type: string
resource:
type: string
version:
type: string
required:
- group
- kind
- resource
- version
type: object
scaleTargetKind:
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: keda-operator
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-operator
namespace: keda
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: keda-external-metrics-reader
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-external-metrics-reader
rules:
- apiGroups:
- external.metrics.k8s.io
resources:
- '*'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: keda-operator
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-operator
rules:
- apiGroups:
- ""
resources:
- configmaps
- configmaps/status
- events
verbs:
- '*'
- apiGroups:
- ""
resources:
- external
- pods
- secrets
- services
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- list
- watch
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- apiGroups:
- '*'
resources:
- '*/scale'
verbs:
- '*'
- apiGroups:
- apps
resources:
- deployments
- statefulsets
verbs:
- list
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups:
- batch
resources:
- jobs
verbs:
- '*'
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- '*'
- apiGroups:
- keda.sh
resources:
- clustertriggerauthentications
- clustertriggerauthentications/status
verbs:
- '*'
- apiGroups:
- keda.sh
resources:
- scaledjobs
- scaledjobs/finalizers
- scaledjobs/status
verbs:
- '*'
- apiGroups:
- keda.sh
resources:
- scaledobjects
- scaledobjects/finalizers
- scaledobjects/status
verbs:
- '*'
- apiGroups:
- keda.sh
resources:
- triggerauthentications
- triggerauthentications/status
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: keda-auth-reader
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-auth-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: keda-operator
namespace: keda
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: keda-hpa-controller-external-metrics
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-hpa-controller-external-metrics
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: keda-external-metrics-reader
subjects:
- kind: ServiceAccount
name: horizontal-pod-autoscaler
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: keda-operator
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: keda-operator
subjects:
- kind: ServiceAccount
name: keda-operator
namespace: keda
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: keda-system-auth-delegator
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-system-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: keda-operator
namespace: keda
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: keda-metrics-apiserver
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-metrics-apiserver
namespace: keda
spec:
ports:
- name: https
port: 443
targetPort: 6443
- name: http
port: 80
targetPort: 8080
selector:
app: keda-metrics-apiserver
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: keda-metrics-apiserver
app.kubernetes.io/name: keda-metrics-apiserver
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-metrics-apiserver
namespace: keda
spec:
replicas: 1
selector:
matchLabels:
app: keda-metrics-apiserver
template:
metadata:
labels:
app: keda-metrics-apiserver
name: keda-metrics-apiserver
spec:
containers:
- args:
- /usr/local/bin/keda-adapter
- --secure-port=6443
- --logtostderr=true
- --v=0
env:
- name: WATCH_NAMESPACE
value: ""
- name: KEDA_HTTP_DEFAULT_TIMEOUT
value: ""
image: ghcr.io/kedacore/keda-metrics-apiserver:2.8.0
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: 6443
scheme: HTTPS
initialDelaySeconds: 5
name: keda-metrics-apiserver
ports:
- containerPort: 6443
name: https
- containerPort: 8080
name: http
readinessProbe:
httpGet:
path: /readyz
port: 6443
scheme: HTTPS
initialDelaySeconds: 5
resources:
limits:
cpu: 1000m
memory: 1000Mi
requests:
cpu: 100m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /tmp
name: temp-vol
nodeSelector:
kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
serviceAccountName: keda-operator
volumes:
- emptyDir: {}
name: temp-vol
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: keda-operator
app.kubernetes.io/component: operator
app.kubernetes.io/name: keda-operator
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-operator
namespace: keda
spec:
replicas: 1
selector:
matchLabels:
app: keda-operator
template:
metadata:
labels:
app: keda-operator
name: keda-operator
name: keda-operator
spec:
containers:
- args:
- --leader-elect
- --zap-log-level=info
- --zap-encoder=console
- --zap-time-encoding=rfc3339
command:
- /keda
env:
- name: WATCH_NAMESPACE
value: ""
- name: KEDA_HTTP_DEFAULT_TIMEOUT
value: ""
image: ghcr.io/kedacore/keda:2.8.0
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 25
name: keda-operator
ports:
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 20
resources:
limits:
cpu: 1000m
memory: 1000Mi
requests:
cpu: 100m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
nodeSelector:
kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
serviceAccountName: keda-operator
terminationGracePeriodSeconds: 10
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app.kubernetes.io/name: v1beta1.external.metrics.k8s.io
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: v1beta1.external.metrics.k8s.io
spec:
group: external.metrics.k8s.io
groupPriorityMinimum: 100
insecureSkipTLSVerify: true
service:
name: keda-metrics-apiserver
namespace: keda
version: v1beta1
versionPriority: 100


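--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: external-metrics-policy-default
+  namespace: default
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready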


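--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: external-metrics-policy-default
+  namespace: default
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: external-metrics-rule-default
+    match:
+      all:
+      - clusterRoles:
+        - evil-cr
+        resources:
+          kinds:
+          - Secret
+    validate:
+      message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
+      deny:
+        conditions:
+          any:
+          - key: '{{request.operation}}'
+            operator: Equals
+            value: DELETE
+          - key: '{{request.operation}}'
+            operator: Equals
+            value: UPDATE
+          - key: '{{request.operation}}'
+            operator: Equals
+            value: CREATE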
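Review bot: `validationFailureAction: Enforce` at L1749 sits at `spec` level, while the files this same commit modifies move that setting under `validate` (the hunks at L1789, L1808, L1930, L2069, L2537, L2666 and L2795), so the new fixtures end up mixing the older spec-level form with the rule-level one. The same applies to the other new policies added here (test-panic, priv, uid-groups-fsgroup-validate, configmap-policy, sample, test), to `failurePolicy: Fail` at spec level in configmap-policy versus `webhookConfiguration.failurePolicy` in its modified counterpart at L2672-L2673, and to the lowercase `enforce` in uid-groups-fsgroup-validate. If exercising both forms is intended, a one-line comment in each new file saying so would stop the next reader from "fixing" them; otherwise I would move the setting under the rule, e.g. `validate:` followed by `  validationFailureAction: Enforce`.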


@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: external-metrics-policy
spec:
validationFailureAction: Enforce
background: false
rules:
- name: external-metrics-rule
@ -15,6 +14,7 @@ spec:
kinds:
- Secret
validate:
validationFailureAction: Enforce
message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
deny:
conditions:


@ -4,7 +4,6 @@ metadata:
name: external-metrics-policy-default
namespace: default
spec:
validationFailureAction: Enforce
background: false
rules:
- name: external-metrics-rule-default
@ -16,6 +15,7 @@ spec:
kinds:
- Secret
validate:
validationFailureAction: Enforce
message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
deny:
conditions:


@ -0,0 +1,7 @@
## Description
This test ensures that invalid jmespath in variables cause error and not panic.
## Expected Behavior
The pod should be blocked


@ -0,0 +1,30 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: variable-substitution-failure-messages
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-02
try:
- script:
content: kubectl apply -f pod.yaml
check:
($error != null): true
# This check ensures the contents of stderr are exactly as shown.
($stderr): |-
Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:
resource Pod/default/test was blocked due to the following policies
test-panic:
test-panic: 'failed to check deny conditions: failed to substitute variables in
condition key: failed to resolve image at path : jmespath value must be a string
image {{ request.object.spec.[containers,initContainers, ephemeralContainers][].image[]
}}: <nil>'
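Review bot: `name: variable-substitution-failure-messages` at L1828 is reused verbatim by the later chainsaw test at L2413, while the README for this one (L1816-L1819) describes an invalid-JMESPath/no-panic test, so the name looks copied from the other directory. Chainsaw uses this name in its reports and test selection, and two tests sharing it are hard to tell apart in a failing run; I would rename this one, e.g. `name: invalid-jmespath-no-panic`. The exact-stderr assertion is deliberately strict per the comment on L1843, so no objection there.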


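--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  creationTimestamp: null
+  labels:
+    run: test
+  name: test
+spec:
+  containers:
+  - image: nginx
+    name: test
+    resources: {}
+  dnsPolicy: ClusterFirst
+  restartPolicy: Always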


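--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test-panic
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready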


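--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test-panic
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+  - name: test-panic
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    context:
+    - name: image
+      variable:
+        jmesPath: '{{ request.object.spec.[containers,initContainers, ephemeralContainers][].image[] }}'
+    validate:
+      deny:
+        conditions:
+          all:
+          - key: "{{ image }}"
+            operator: AnyNotIn
+            value:
+            - "ghcr.io/kyverno/test-verify-image:signed"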
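Review bot: The `jmesPath` value at L1904 is wrapped in `{{ }}`, and judging from the stderr pinned by the chainsaw test at L1848-L1851 that wrapping appears to be what makes substitution fail with `jmespath value must be a string`, which is the point of this regression test; nothing on the line says so. A reader who tidies the expression would silently turn the no-panic check into an ordinary passing policy. I would add above L1904: `# intentionally wrapped in {{ }} so variable substitution fails; the test asserts an error is returned rather than a panic`.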


@ -2,8 +2,7 @@ apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: test-panic
spec:
validationFailureAction: Enforce
spec:
background: true
rules:
- name: test-panic
@ -17,6 +16,7 @@ spec:
variable:
jmesPath: '{{ request.object.spec.[containers,initContainers, ephemeralContainers][].image[] }}'
validate:
validationFailureAction: Enforce
deny:
conditions:
all:


@ -0,0 +1,11 @@
## Description
This test ensures that when the policy uses a pattern with conditional anchor, the creation of some resources should be failed instead of skipped.
## Expected Behavior
Resource failed to be created due to validate failure.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/8731


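--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: validate-pattern-should-fail
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: resource.yaml
+  - name: step-03
+    try:
+    - assert:
+        file: event-assert.yaml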


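--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Event
+metadata:
+  namespace: default
+involvedObject:
+  apiVersion: kyverno.io/v1
+  kind: ClusterPolicy
+  name: priv
+reason: PolicyViolation
+reportingComponent: kyverno-admission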
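Review bot: The event assertion pins `reason: PolicyViolation` but not the event `type`, so a Normal-type event carrying that reason would also satisfy step-03 of the test at L1968-L1971. Kyverno records enforce-mode denials as Warning events, and the pass-variant assertion in this commit (L2124-L2126) does pin `type: Normal` together with `action`; for symmetry I would add `type: Warning` here, plus the matching `action` value once confirmed from a live event.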


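--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: priv
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready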


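--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: priv
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+  - name: priv-esc
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: >-
+        Lorem ipse
+      pattern:
+        spec:
+          =(ephemeralContainers):
+          - (image): "!*/foo:*.*.*"
+            securityContext:
+              allowPrivilegeEscalation: "false"
+          =(initContainers):
+          - (image): "!*/foo:*.*.*"
+            securityContext:
+              allowPrivilegeEscalation: "false"
+          =(containers):
+          - (image): "!*/foo:*.*.*"
+            securityContext:
+              allowPrivilegeEscalation: "false"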
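Review bot: `message: >-` / `Lorem ipse` at L2019-L2020 is a placeholder, and it is the text an admission denial from this rule shows to the requester; the should-fail test at L1963-L1967 only checks that an error occurred, so the wording is never exercised. The same placeholder is in the copies at L2161-L2162 and L2314-L2315. Reading the `!` negation on the `(image)` anchor, something like `message: containers whose image does not match '*/foo:*.*.*' must set securityContext.allowPrivilegeEscalation to false` would describe what is actually enforced.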


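--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  labels:
+    app: test-app
+spec:
+  containers:
+  - name: side
+    image: test/foo:1.2.3
+  initContainers:
+  - name: init
+    image: test/bar:1.2.3
+    securityContext:
+      allowPrivilegeEscalation: true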


@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: priv
spec:
validationFailureAction: Enforce
background: true
rules:
- name: priv-esc
@ -13,6 +12,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Enforce
message: >-
Lorem ipse
pattern:


@ -0,0 +1,11 @@
## Description
This test ensures that when the policy uses a pattern with conditional anchor, the creation of some resources should be passes instead of skipped.
## Expected Behavior
The creation of resource should be passes instead of skipped.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/8731


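--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: validate-pattern-should-pass
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: resource.yaml
+  - name: step-03
+    try:
+    - assert:
+        file: event-assert.yaml
+  - name: step-04
+    try:
+    - assert:
+        file: report-pass-assert.yaml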


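--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Event
+metadata:
+  namespace: default
+involvedObject:
+  apiVersion: kyverno.io/v1
+  kind: ClusterPolicy
+  name: priv
+type: Normal
+reason: PolicyApplied
+action: Resource Passed
+reportingComponent: kyverno-admission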


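--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: priv
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready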


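--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: priv
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+  - name: priv-esc
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: >-
+        Lorem ipse
+      pattern:
+        spec:
+          =(ephemeralContainers):
+          - (image): "!*/foo:*.*.*"
+            securityContext:
+              allowPrivilegeEscalation: "false"
+          =(initContainers):
+          - (image): "!*/foo:*.*.*"
+            securityContext:
+              allowPrivilegeEscalation: "false"
+          =(containers):
+          - (image): "!*/foo:*.*.*"
+            securityContext:
+              allowPrivilegeEscalation: "false"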


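--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,23 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Pod
+    name: test-pod
+scope:
+  apiVersion: v1
+  kind: Pod
+  name: test-pod
+results:
+- message: validation rule 'priv-esc' passed.
+  policy: priv
+  result: pass
+  rule: priv-esc
+  source: kyverno
+summary:
+  error: 0
+  fail: 0
+  pass: 1
+  skip: 0
+  warn: 0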


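--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  labels:
+    app: test-app
+spec:
+  containers:
+  - name: main
+    image: test/bar:1.2.3
+    securityContext:
+      allowPrivilegeEscalation: false
+  - name: side
+    image: test/foo:1.2.3
+  initContainers:
+  - name: init
+    image: test/foo:1.2.3
+    securityContext:
+      allowPrivilegeEscalation: true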


@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: priv
spec:
validationFailureAction: Enforce
background: true
rules:
- name: priv-esc
@ -13,6 +12,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Enforce
message: >-
Lorem ipse
pattern:


@ -0,0 +1,11 @@
## Description
This test ensures that when the policy uses a pattern with conditional anchor, the creation of some resources should be skipped.
## Expected Behavior
The creation of resource should be skipped.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/8731


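--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: validate-pattern-should-skip
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: resource.yaml
+  - name: step-03
+    try:
+    - assert:
+        file: report-skip-assert.yaml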


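--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: priv
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready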


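--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: priv
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+  - name: priv-esc
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: >-
+        Lorem ipse
+      pattern:
+        spec:
+          =(initContainers):
+          - (image): "!*/foo:*.*.*"
+            securityContext:
+              allowPrivilegeEscalation: "false"
+          =(containers):
+          - (image): "!*/foo:*.*.*"
+            securityContext:
+              allowPrivilegeEscalation: "false"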


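--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,23 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Pod
+    name: test-pod
+scope:
+  apiVersion: v1
+  kind: Pod
+  name: test-pod
+results:
+- message: 'conditional anchor mismatch: resource value ''test/foo:1.2.3'' does not match ''!*/foo:*.*.*'' at path /spec/containers/0/image/; conditional anchor mismatch: resource value ''test/foo:1.2.3'' does not match ''!*/foo:*.*.*'' at path /spec/containers/1/image/; conditional anchor mismatch: resource value ''test/foo:1.2.3'' does not match ''!*/foo:*.*.*'' at path /spec/initContainers/0/image/'
+  policy: priv
+  result: skip
+  rule: priv-esc
+  source: kyverno
+summary:
+  error: 0
+  fail: 0
+  pass: 0
+  skip: 1
+  warn: 0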


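--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  labels:
+    app: test-app
+spec:
+  containers:
+  - name: main
+    image: test/foo:1.2.3
+    securityContext:
+      allowPrivilegeEscalation: false
+  - name: side
+    image: test/foo:1.2.3
+  initContainers:
+  - name: init
+    image: test/foo:1.2.3
+    securityContext:
+      allowPrivilegeEscalation: true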


@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: priv
spec:
validationFailureAction: Enforce
background: true
rules:
- name: priv-esc
@ -13,6 +12,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Enforce
message: >-
Lorem ipse
pattern:


@ -0,0 +1,11 @@
## Description
This test ensures that variables are substituted correctly in the validation messages for `anyPattern`.
## Expected Behavior
The variable `allowedUIDs` will be successfully substituted by `9999 | 4000` in the validation message.
## Reference Issue(s)
#8095


@ -0,0 +1,33 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: variable-substitution-failure-messages
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-02
try:
- script:
content: kubectl apply -f pod.yaml
check:
($error != null): true
# This check ensures the contents of stderr are exactly as shown.
($stderr): |-
Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:
resource Pod/default/ba was blocked due to the following policies
uid-groups-fsgroup-validate:
check-runasuser: 'validation error: Running with specific user IDs 9999 | 4000.
The fields spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
spec.initContainers[*].securityContext.runAsGroup, and spec.ephemeralContainers[*].securityContext.runAsGroup
must be set to one of the 9999 | 4000 values. rule check-runasuser[0] failed at
path /spec/containers/0/securityContext/runAsUser/ rule check-runasuser[1] failed
at path /spec/containers/0/securityContext/runAsUser/'


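--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ba
+  labels:
+    app: nginx-users
+spec:
+  securityContext:
+    runAsUser: 115
+  containers:
+  - name: notnginx
+    image: nothingherenginx
+    securityContext:
+      runAsUser: 250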


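--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: uid-groups-fsgroup-validate
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready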


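--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: uid-groups-fsgroup-validate
+spec:
+  validationFailureAction: enforce
+  background: true
+  rules:
+  - name: check-runasuser
+    context:
+    - name: allowedUIDs
+      variable:
+        value: "9999 | 4000"
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: >-
+        Running with specific user IDs {{ allowedUIDs }}. The fields
+        spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
+        spec.initContainers[*].securityContext.runAsGroup, and
+        spec.ephemeralContainers[*].securityContext.runAsGroup must be
+        set to one of the {{ allowedUIDs }} values.
+      anyPattern:
+      - spec:
+          securityContext:
+            runAsUser: "{{ allowedUIDs }}"
+          =(ephemeralContainers):
+          - =(securityContext):
+              =(runAsUser): "{{ allowedUIDs }}"
+          =(initContainers):
+          - =(securityContext):
+              =(runAsUser): "{{ allowedUIDs }}"
+          containers:
+          - =(securityContext):
+              =(runAsUser): "{{ allowedUIDs }}"
+      - spec:
+          =(ephemeralContainers):
+          - securityContext:
+              runAsUser: "{{ allowedUIDs }}"
+          =(initContainers):
+          - securityContext:
+              runAsUser: "{{ allowedUIDs }}"
+          containers:
+          - securityContext:
+              runAsUser: "{{ allowedUIDs }}"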
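Review bot: The validation message at L2494-L2498 names the `runAsGroup` fields while every pattern below it (L2502-L2521) checks `runAsUser`, so a denied requester is told to fix a field the rule does not look at. Correcting the wording also means updating the stderr the chainsaw test pins at L2433-L2438, which quotes this message verbatim, so the two changes have to land together. I would change the four `runAsGroup` occurrences in the message to `runAsUser`, e.g. `spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser,`.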


@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: uid-groups-fsgroup-validate
spec:
validationFailureAction: enforce
background: true
rules:
- name: check-runasuser
@ -17,6 +16,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Enforce
message: >-
Running with specific user IDs {{ allowedUIDs }}. The fields
spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,


@ -0,0 +1,21 @@
## Description
This test validates that an existing ConfigMap can't be updated with a new key that results in violation of a policy.
## Expected Behavior
The existing ConfigMap isn't patched and policy violation is reported.
## Steps
### Test Steps
1. Create a `Policy` that denies only permits combination of two particular keys together.
2. Create a `ConfigMap` that contains one of the keys.
3. Try to patch the `ConfigMap` with a new key that is not permitted by the policy.
4. Verify that the `ConfigMap` is not patched and policy violation is reported.
5. Delete the `Policy` and `ConfigMap`.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/3253


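--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-validate-e2e-adding-key-to-config-map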


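--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: configmap-policy
+  namespace: test-validate-e2e-adding-key-to-config-map
+spec:
+  background: false
+  failurePolicy: Fail
+  rules:
+  - match:
+      all:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: key-abc
+    preconditions:
+      all:
+      - key: admin
+        operator: Equals
+        value: '{{ request.object.data.lock || '''' }}'
+    validate:
+      anyPattern:
+      - data:
+          key: abc
+      message: Configmap key must be "abc"
+  validationFailureAction: Enforce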


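--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  key: xyz
+kind: ConfigMap
+metadata:
+  name: test-configmap
+  namespace: test-validate-e2e-adding-key-to-config-map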


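--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: configmap-policy
+  namespace: test-validate-e2e-adding-key-to-config-map
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready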


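--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,26 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: adding-key-to-config-map
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: chainsaw-step-01-apply-1-1.yaml
+    - apply:
+        file: chainsaw-step-01-apply-1-2.yaml
+    - apply:
+        file: chainsaw-step-01-apply-1-3.yaml
+    - assert:
+        file: chainsaw-step-01-assert-1-1.yaml
+  - name: step-02
+    try:
+    - script:
+        content: "if kubectl patch ConfigMap test-configmap -n test-validate-e2e-adding-key-to-config-map
+          --type='json' -p=\"[{\\\"op\\\": \\\"add\\\", \\\"path\\\": \\\"/data/lock\\\",
+          \\\"value\\\":\"\"admin\"\"}]\" 2>&1 | grep -q 'validation error: Configmap
+          key must be \"abc\"' \nthen \n  echo \"Test succeeded. Resource was blocked
+          from adding key.\"\n  exit 0\nelse \n  echo \"Tested failed. Resource was
+          not blocked from adding key.\"\n  exit 1 \nfi\n"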
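Review bot: In the script at L2645-L2650 the patch value renders as `\"\"admin\"\"`, which after YAML unescaping is `""admin""` and, inside the shell's double-quoted `-p=` argument, collapses to an unquoted `admin`; if the rendering is faithful to the file, kubectl would reject the JSON patch before Kyverno sees it and the `grep -q` check would then fail for the wrong reason. The three layers of escaping are also what make the line hard to audit. Writing the script as a block scalar removes the YAML-level escaping and single-quoting the JSON patch removes the shell-level escaping, leaving only the kubectl syntax; capturing the output also lets the failure branch print the real error instead of discarding it.

```yaml
    - script:
        content: |-
          out=$(kubectl patch ConfigMap test-configmap -n test-validate-e2e-adding-key-to-config-map \
            --type='json' -p='[{"op": "add", "path": "/data/lock", "value": "admin"}]' 2>&1)
          if printf '%s\n' "$out" | grep -q 'validation error: Configmap key must be "abc"'
          then
            echo "Test succeeded. Resource was blocked from adding key."
            exit 0
          else
            echo "Tested failed. Resource was not blocked from adding key."
            printf '%s\n' "$out"
            exit 1
          fi
```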


@ -5,7 +5,6 @@ metadata:
namespace: test-validate-e2e-adding-key-to-config-map
spec:
background: false
failurePolicy: Fail
rules:
- match:
all:
@ -19,8 +18,10 @@ spec:
operator: Equals
value: '{{ request.object.data.lock || '''' }}'
validate:
validationFailureAction: Enforce
anyPattern:
- data:
key: abc
message: Configmap key must be "abc"
validationFailureAction: Enforce
webhookConfiguration:
failurePolicy: Fail


@ -0,0 +1,11 @@
## Description
This is a migrated test from e2e. The global anchor is being checked for basic functionality here.
## Expected Behavior
If a container uses an image named `someimagename` then the `imagePullSecret` must be set to `my-registry-secret`. The test passes if this combination is found. If an image named `someimagename` uses some other imagePullSecret, the test fails.
## Reference Issue(s)
2390


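--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-nginx-disallowed-registry
+  namespace: default
+spec:
+  containers:
+  - name: nginx
+    image: someimagename
+  imagePullSecrets:
+  - name: other-registory-secret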


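--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-nginx-allowed-registry
+  namespace: default
+spec:
+  containers:
+  - image: someimagename
+    name: nginx
+  imagePullSecrets:
+  - name: my-registry-secret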


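--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: global-anchor
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: chainsaw-step-02-apply-1-1.yaml
+  - name: step-03
+    try:
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad.yaml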


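--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sample
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready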


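--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sample
+spec:
+  validationFailureAction: Enforce
+  rules:
+  - name: check-container-image
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            <(image): "someimagename"
+          imagePullSecrets:
+          - name: my-registry-secret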
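Review bot: The rule at L2766-L2779 has no `validate.message`, so the admission denial for a pod like the bad fixture at L2687-L2698 carries only the generic pattern-mismatch text, and the test at L2737-L2741 only checks that some error came back. The README at L2681 already states the intended contract; I would put it in the rule, e.g. `message: containers using image 'someimagename' must use the imagePullSecret 'my-registry-secret'`, placed under `validate:` above `pattern:`.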


@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: sample
spec:
validationFailureAction: Enforce
rules:
- name: check-container-image
match:
@ -12,6 +11,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Enforce
pattern:
spec:
containers:


@ -0,0 +1,11 @@
## Description
This test validates that CRD with lowercase kind is supported.
## Expected Behavior
A resource with kind `postgresql` should have the label `app=foo`.
## Reference Issue(s)
5989


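--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-validate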


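--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - acid.zalan.do/v1/postgresql
+    name: test-rule
+    validate:
+      message: The label app=foo is required
+      pattern:
+        metadata:
+          labels:
+            app: foo
+  validationFailureAction: Enforce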


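--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready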
