diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/chainsaw-test.yaml new file mode 100644 index 0000000000..de310d315b --- /dev/null +++ b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/chainsaw-test.yaml @@ -0,0 +1,39 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: conditional-anchor +spec: + steps: + - name: apply-namespace + try: + - apply: + file: namespace.yaml + - name: apply-policy + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: apply-labelled-resource + try: + - apply: + file: labelled-resource.yaml + - name: apply-unlabelled-resource + try: + - apply: + file: unlabelled-resource.yaml + - name: apply-scaling + try: + - script: + content: + "if kubectl -n test-anchors scale deployment labelled-deployment --replicas 2\nthen + \n exit 0\nelse \n exit 1\nfi\n" + - script: + content: + "if kubectl -n test-anchors scale deployment labelled-deployment --replicas 9\nthen + \n exit 1\nelse \n exit 0\nfi\n" + - script: + content: + "if kubectl -n test-anchors scale deployment unlabelled-deployment --replicas 9\nthen + \n exit 0\nelse \n exit 1\nfi\n" diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/labelled-resource.yaml b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/labelled-resource.yaml new file mode 100644 index 0000000000..602bdf344c --- /dev/null +++ b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/labelled-resource.yaml 
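Review bot: The negative check in `apply-scaling` (`scale deployment labelled-deployment --replicas 9`) passes on any non-zero exit from kubectl, so a missing deployment, an expired kubeconfig or an API timeout is indistinguishable from the policy denial it is meant to prove. Chainsaw's script `check` can tie the failure to the policy by asserting on `$error` and on the denial text from the `restrict-scale` fixture; the `--replicas 2` and `unlabelled-deployment` scripts do not need the shell `if` at all, since a failing `script` already fails the step. I would replace the second script with the block below.
```yaml
    - script:
        content: kubectl -n test-anchors scale deployment labelled-deployment --replicas 9
        check:
          ($error != null): true
          (contains($stderr, 'may not exceed 8')): true
```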
@@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + type: monitoring + name: labelled-deployment + namespace: test-anchors +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + type: monitoring + strategy: {} + template: + metadata: + labels: + app: busybox + type: monitoring + spec: + containers: + - name: busybox + image: busybox:1.35 diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/namespace.yaml b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/namespace.yaml new file mode 100644 index 0000000000..ad88c5119c --- /dev/null +++ b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-anchors diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/policy-ready.yaml new file mode 100644 index 0000000000..07ccd2afd8 --- /dev/null +++ b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-scale +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/policy.yaml new file mode 100644 index 0000000000..b5eb35a807 --- /dev/null +++ b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/policy.yaml 
@@ -0,0 +1,38 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: restrict-scale + annotations: + policies.kyverno.io/title: Restrict Scale + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.9.0 + policies.kyverno.io/minversion: 1.9.0 + kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/subject: Deployment + policies.kyverno.io/description: >- + Pod controllers such as Deployments which implement replicas and permit the scale action + use a `/scale` subresource to control this behavior. In addition to checks for creations of + such controllers that their replica is in a certain shape, the scale operation and subresource + needs to be accounted for as well. This policy, operable beginning in Kyverno 1.9, is a collection + of rules which can be used to limit the replica count both upon creation of a Deployment and + when a scale operation is performed. +spec: + validationFailureAction: Enforce + background: false + rules: + # This rule can be used to limit scale operations based upon Deployment labels assuming the given label + # is also used as a selector. + - name: scale-max-eight + match: + any: + - resources: + kinds: + - Deployment/scale + validate: + message: The replica count for this Deployment may not exceed 8. + pattern: + (status): + (selector): "*type=monitoring*" + spec: + replicas: <9 diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/unlabelled-resource.yaml b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/unlabelled-resource.yaml new file mode 100644 index 0000000000..5dd0adfc81 --- /dev/null +++ b/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/unlabelled-resource.yaml 
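Review bot: The `restrict-scale` fixture matches only `Deployment/scale`, so the "may not exceed 8" cap is enforced solely on the `/scale` subresource; a direct update of `spec.replicas` on the Deployment (`kubectl apply`/`edit`, or a GitOps controller) is not matched and bypasses it, while the `policies.kyverno.io/description` annotation says replicas are limited "both upon creation of a Deployment and when a scale operation is performed". For a conformance fixture that is acceptable, but the description should not overclaim; I would add `# Fixture: only the /scale rule is present; Deployment create/update limits are not covered here.` above the rule. Separately, `(selector): "*type=monitoring*"` is a wildcard over the whole selector string and also gates selectors such as `subtype=monitoring-x`; a comment saying whether that over-match is intended would help.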
@@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: unlabelled-deployment + namespace: test-anchors +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 diff --git a/test/conformance/chainsaw/validate/anchors/conditional/policy.yaml b/test/conformance/chainsaw/validate/anchors/conditional/policy.yaml index b5eb35a807..27d50937e6 100644 --- a/test/conformance/chainsaw/validate/anchors/conditional/policy.yaml +++ b/test/conformance/chainsaw/validate/anchors/conditional/policy.yaml @@ -18,7 +18,6 @@ metadata: of rules which can be used to limit the replica count both upon creation of a Deployment and when a scale operation is performed. spec: - validationFailureAction: Enforce background: false rules: # This rule can be used to limit scale operations based upon Deployment labels assuming the given label @@ -30,6 +29,7 @@ spec: kinds: - Deployment/scale validate: + validationFailureAction: Enforce message: The replica count for this Deployment may not exceed 8. pattern: (status): diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/README.md new file mode 100644 index 0000000000..2492fd9c67 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/README.md 
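Review bot: With `validationFailureAction` moved under `validate:` in the second hunk, the policy still carries `policies.kyverno.io/minversion: 1.9.0` and `kyverno.io/kyverno-version: 1.9.0` (above the first hunk), which no longer hold: the rule-level field is newer than 1.9 (1.11, I believe), and on a Kyverno whose CRD schema lacks it the field would be pruned and the policy would silently fall back to Audit, at which point the test only fails because scaling to 9 succeeds. Update the annotations to the release that introduced the rule-level field, e.g. `policies.kyverno.io/minversion: 1.11.0`, or drop them from the fixture so they cannot mislead.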
@@ -0,0 +1,11 @@ +## Description + +This test ensures the policy is applied on the resource to be deleted (deletionTimestamp is set). + +## Expected Behavior + +With a bogus finalizer added to the service, the resource deletion is blocked as no controller serves behind to perform deletion. During this time, when one tries to patch the service that violates the policy, the patch request should be blocked. While if the patch doesn't result in an violation it should be allowed. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/chainsaw-step-05-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/chainsaw-step-05-apply-1-1.yaml new file mode 100755 index 0000000000..59c522817e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/chainsaw-step-05-apply-1-1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + name: podinfo + namespace: apply-on-deletion-ns + name: podinfo + namespace: apply-on-deletion-ns +spec: + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: http + port: 9898 + protocol: TCP + targetPort: http + - name: grpc + port: 9999 + protocol: TCP + targetPort: grpc + selector: + app: podinfo + sessionAffinity: None + type: ClusterIP diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..a4e9759542 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/chainsaw-test.yaml 
@@ -0,0 +1,43 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: apply-on-deletion +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: ns.yaml + - apply: + file: service.yaml + - assert: + file: service.yaml + - name: step-03 + try: + - script: + content: | + kubectl patch service podinfo -p '{"metadata":{"finalizers":["bburky.com/hax"]}}' -n apply-on-deletion-ns + kubectl delete service podinfo --wait=false -n apply-on-deletion-ns + - name: step-04 + try: + - script: + content: "if kubectl patch service podinfo -p '{\"spec\":{\"type\":\"NodePort\",\"ports\":[{\"port\":9898,\"nodePort\":32000}]}}' + -n apply-on-deletion-ns\nthen \n echo \"Tested failed. The service type + cannot be changed to NodePort\"\n exit 1 \nelse \n echo \"Test succeeded. + The service update is blocked\"\n exit 0\nfi\n" + - name: step-05 + try: + - apply: + file: chainsaw-step-05-apply-1-1.yaml + - name: step-06 + try: + - script: + content: | + kubectl patch service podinfo -p '{"metadata":{"finalizers":null}}' -n apply-on-deletion-ns diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/ns.yaml new file mode 100644 index 0000000000..d749e1367a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: apply-on-deletion-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/policy-ready.yaml new file mode 100644 index 0000000000..e652590157 --- /dev/null 
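Review bot: The `bburky.com/hax` finalizer added in `step-03` is removed only in `step-06`, so if `step-04` or `step-05` fails the Service stays `Terminating` forever and chainsaw's namespace cleanup hangs on `apply-on-deletion-ns`, stalling the whole conformance run. Move the `finalizers: null` patch into an action that runs regardless of outcome (a step-level `cleanup:` on `step-03` if the chainsaw version in use supports it, otherwise a `finally:` at the appropriate level) and append `|| true` so it does not fail when the Service is already gone. Also, the `step-04` script treats any non-zero exit as a denial; a `check:` with `($error != null): true` and `(contains($stderr, 'NodePort are not allowed')): true` would tie the assertion to the `cpol-apply-on-deletion` message rather than to any kubectl failure.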
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-apply-on-deletion +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/policy.yaml new file mode 100644 index 0000000000..daeb1b478d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/policy.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-apply-on-deletion +spec: + validationFailureAction: Enforce + background: true + rules: + - name: validate-nodeport + match: + any: + - resources: + kinds: + - Service + validate: + message: "Services of type NodePort are not allowed." + pattern: + spec: + =(type): "!NodePort" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/service.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/service.yaml new file mode 100644 index 0000000000..7ccc93bf48 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: podinfo + namespace: apply-on-deletion-ns +spec: + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: http + port: 9898 + protocol: TCP + targetPort: http + - name: grpc + port: 9999 + protocol: TCP + targetPort: grpc + selector: + app: podinfo + sessionAffinity: None + type: ClusterIP \ No newline at end of file 
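Review bot: `=(type): "!NodePort"` in `validate-nodeport` blocks only the literal `NodePort` type; a `LoadBalancer` Service still allocates a node port on every node by default (`spec.allocateLoadBalancerNodePorts` defaults to `true`), so if this fixture mirrors a production policy the exposure it aims to prevent is not fully closed. For the test itself that is fine, but a one-line comment above the rule would stop the next reader copying it as-is: `# Test fixture only: LoadBalancer Services also allocate node ports unless allocateLoadBalancerNodePorts is false.`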
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy.yaml index daeb1b478d..ca8d190fe5 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-apply-on-deletion spec: - validationFailureAction: Enforce background: true rules: - name: validate-nodeport @@ -13,6 +12,7 @@ spec: kinds: - Service validate: + validationFailureAction: Enforce message: "Services of type NodePort are not allowed." pattern: spec: diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/README.md new file mode 100644 index 0000000000..3e2d1d96f8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test creates a policy that uses CEL expressions to disallow host ports in pods. + +## Expected Behavior + +The pod `pod-fail` is blocked, and a message is displayed indicating the reason of failure. + +## Reference Issue(s) + +8826 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..7d8438dd51 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/chainsaw-test.yaml 
@@ -0,0 +1,20 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cel-messages-upon-resource-failure +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - script: + content: kubectl apply -f pod-fail.yaml + check: + # This check below ensures that the string 'hostPort must either be unset or set to 0' is found in stderr or else fails + (contains($stderr, 'hostPort must either be unset or set to 0')): true diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/pod-fail.yaml new file mode 100644 index 0000000000..7e2382340c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/pod-fail.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver-pod +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - hostPort: 80 + containerPort: 8080 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy-assert.yaml new file mode 100644 index 0000000000..44cefa2052 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port-in-pods +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file 
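Review bot: The `step-02` check asserts only that stderr contains `hostPort must either be unset or set to 0`; it never asserts that `kubectl apply -f pod-fail.yaml` failed, so the test would still pass if the policy were in Audit mode and the message arrived as an admission warning on stderr while `webserver-pod` was created (Kyverno emits such warnings for Audit policies, as far as I recall). Since this change moves the Enforce action to rule level, a policy where that field is lost falls back to Audit, which is exactly the regression this test should catch. Add `($error != null): true` next to the `contains` line.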
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy.yaml new file mode 100644 index 0000000000..f0764c84b8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port-in-pods + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Enforce + background: false + rules: + - name: host-port-pods + match: + any: + - resources: + kinds: + - Pod + validate: + message: "hostPort must either be unset or set to 0" + cel: + expressions: + - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml index f0764c84b8..65f57e6bd0 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Enforce background: false rules: - name: host-port-pods @@ -15,6 +14,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: "hostPort must either be unset or set to 0" cel: expressions: 
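Review bot: The CEL expression in `host-port-pods` inspects only `object.spec.containers`, so a `hostPort` declared on an `initContainers` entry is admitted even though an init container binds the host port just the same; `ephemeralContainers` are likewise unchecked (those arrive via the `ephemeralcontainers` subresource, which this `Pod` match may or may not see on the Kyverno version under test). The gap is pre-existing in the sibling `cel-messages-upon-resource-failure/policy.yaml`, but since the file is being duplicated it is worth closing in both copies with an expression that folds all three lists.
```yaml
      cel:
        expressions:
        - expression: >-
            (object.spec.containers
            + (has(object.spec.initContainers) ? object.spec.initContainers : [])
            + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
            ).all(c, !has(c.ports) || c.ports.all(p, !has(p.hostPort) || p.hostPort == 0))
```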
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/README.md new file mode 100644 index 0000000000..d23c4e831b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that the policies that are skipped because of preconditions aren't included in admission requests denial responses + +## Expected Behavior + +The resource will be blocked because it violates the `require-ns-owner-label` policy. As a result, its message will only be displayed. + +## Reference Issue(s) + +#9502 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/chainsaw-test.yaml new file mode 100644 index 0000000000..c1b16a36e8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/chainsaw-test.yaml 
@@ -0,0 +1,35 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: check-message-upon-resource-failure +spec: + steps: + - name: step-01 + try: + - apply: + file: policy-1.yaml + - assert: + file: policy-assert1.yaml + - name: step-02 + try: + - apply: + file: policy-2.yaml + - assert: + file: policy-assert2.yaml + - name: step-03 + try: + - script: + content: kubectl apply -f resource.yaml + check: + # This check ensures the contents of stderr are exactly as shown. + ($stderr): |- + Error from server: error when creating "resource.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: + + resource Namespace//asdfhl was blocked due to the following policies + + require-ns-owner-label: + check-for-namespace-owner-label: 'validation error: The label `uw.systems/owner` + is required. Check policy at https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml + for allowed label values. rule check-for-namespace-owner-label failed at path + /metadata/labels/uw.systems/owner/' diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-1.yaml new file mode 100644 index 0000000000..6630214b36 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-1.yaml 
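Review bot: The `step-02` check requires stderr to equal the full kubectl/webhook output byte for byte, including `Error from server: error when creating "resource.yaml"`, the webhook name `validate.kyverno.svc-fail` and kubectl's line wrapping, so the test breaks on any kubectl or Kyverno wording change rather than on the behaviour it targets. What the test guards (issue 9502 per the README) is that the precondition-skipped `preconditions-check` policy is absent from the denial; that is expressed more directly and more robustly with `(contains($stderr, 'preconditions-check')): false` and `(contains($stderr, 'require-ns-owner-label')): true`, plus `($error != null): true` so a successful create cannot pass.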
@@ -0,0 +1,46 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-ns-owner-label +spec: + validationFailureAction: Enforce + background: false + rules: + - name: check-for-namespace-owner-label + match: + any: + - resources: + kinds: + - Namespace + validate: + message: >- + The label `uw.systems/owner` is required. Check policy at + https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml + for allowed label values. + pattern: + metadata: + labels: + uw.systems/owner: >- + account-platform + |bill + |billing + |btg-operations + |btg-security + |cbc + |contact-channels + |crm + |customer + |customer-platform + |customer-support + |data + |data-infra + |dev-enablement + |digital-support + |energy + |iam + |insurance + |partner + |payment + |system + |telecom + |unicom diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-2.yaml new file mode 100644 index 0000000000..85e0f31416 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-2.yaml @@ -0,0 +1,28 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: preconditions-check +spec: + validationFailureAction: Enforce + background: false + rules: + - name: check-label + match: + any: + - resources: + kinds: + - Namespace + preconditions: + all: + - key: "{{ request.object.metadata.annotations.foo || '' }}" + operator: Equals + value: foo + validate: + message: >- + The label `uw.systems/owner` is required. Check policy at + https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml + for allowed label values. + pattern: + metadata: + labels: + uw.systems/foo: bar 
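Review bot: In `policy-2.yaml` the `check-label` rule validates `uw.systems/foo: bar`, but its `message` was copied from `require-ns-owner-label` and still tells the user the label `uw.systems/owner` is required; the precondition (`annotations.foo == foo`) keeps it from firing in this test, but if it ever does fire the user is pointed at the wrong label. Replace the message with `The label uw.systems/foo must be set to bar.`. In `policy-1.yaml`, note that the `>-` folded scalar turns the alternatives into `account-platform |bill |billing …` with a space before each `|`; Kyverno's `|` alternation appears to tolerate that (the ephemeral-containers fixture uses `eu.foo.io/* | bar.io/*`), but worth confirming, since a non-trimmed match would reject every owner except `account-platform`.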
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-assert1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-assert1.yaml new file mode 100644 index 0000000000..7041619c19 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-assert1.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-ns-owner-label +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-assert2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-assert2.yaml new file mode 100644 index 0000000000..84062db7e0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-assert2.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: preconditions-check +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/resource.yaml new file mode 100644 index 0000000000..3f9946118a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/resource.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: asdfhl + labels: + app-type: corp + annotations: + cloud.platformzero.com/serviceClass: "xl2" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-1.yaml index 6630214b36..ac198d4243 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-1.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-1.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-ns-owner-label spec: - validationFailureAction: Enforce background: false rules: - name: check-for-namespace-owner-label @@ -13,6 +12,7 @@ spec: kinds: - Namespace validate: + validationFailureAction: Enforce message: >- The label `uw.systems/owner` is required. Check policy at https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-2.yaml index 85e0f31416..0caea63b93 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-2.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-2.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: preconditions-check spec: - validationFailureAction: Enforce background: false rules: - name: check-label 
@@ -18,6 +17,7 @@ spec: operator: Equals value: foo validate: + validationFailureAction: Enforce message: >- The label `uw.systems/owner` is required. Check policy at https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/README.md new file mode 100644 index 0000000000..d02bb0f071 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that Kyverno is able to perform basic validation functions against ephemeral containers. + +## Expected Behavior + +The initial Pod should be successfully created. An ephemeral container, added via the `kubectl debug` imperative command, should be allowed because it does not violate the policy. If the ephemeral container is added, the test passes. If the debug is blocked, the test fails. + +## Reference Issue(s) + +6943 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/chainsaw-step-04-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/chainsaw-step-04-apply-1-1.yaml new file mode 100755 index 0000000000..dedefa814a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/chainsaw-step-04-apply-1-1.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: mypod + namespace: default +spec: + containers: + - image: bar.io/busybox:1.35 + name: busybox + ephemeralContainers: + - image: bar.io/busybox:1.35 + name: debugger 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..38fa3aa543 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/chainsaw-test.yaml @@ -0,0 +1,35 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: ephemeral-containers +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: resource.yaml + - assert: + file: resource-assert.yaml + - name: step-03 + try: + - command: + args: + - debug + - --image=bar.io/busybox:1.35 + - -c + - debugger + - mypod + - -n + - default + entrypoint: kubectl + - name: step-04 + try: + - apply: + file: chainsaw-step-04-apply-1-1.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/policy-ready.yaml new file mode 100644 index 0000000000..3061a8121c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-image-registries +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/policy.yaml new file mode 100644 index 0000000000..67490ae9b6 --- /dev/null 
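Review bot: `step-04` uses `apply` on a manifest carrying `spec.ephemeralContainers`, yet the README's pass condition is "if the ephemeral container is added"; an `apply` observes nothing, and presumably only succeeds here because the `kubectl debug` in `step-03` already added the identical `debugger` container so the resulting patch is a no-op (ephemeral containers are writable only through the `ephemeralcontainers` subresource). Change the operation to `assert:` so the step fails when the debugger container is missing. The fixtures also hard-code `namespace: default` (and `-n default` in the `debug` command) instead of chainsaw's per-test namespace, so a leftover `mypod` from another test would collide with this one.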
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/policy.yaml @@ -0,0 +1,24 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-image-registries +spec: + validationFailureAction: Enforce + background: false + rules: + - name: validate-registries + match: + any: + - resources: + kinds: + - Pod + validate: + message: "Unknown image registry." + pattern: + spec: + =(ephemeralContainers): + - image: "eu.foo.io/* | bar.io/*" + =(initContainers): + - image: "eu.foo.io/* | bar.io/*" + containers: + - image: "eu.foo.io/* | bar.io/*" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/resource-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/resource-assert.yaml new file mode 100644 index 0000000000..4b0e629c95 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/resource-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: mypod + namespace: default \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/resource.yaml new file mode 100644 index 0000000000..b0bd67d92a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/resource.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + app: busybox + name: mypod + namespace: default +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: bar.io/busybox:1.35 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml index 67490ae9b6..2f2baff0e2 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: restrict-image-registries spec: - validationFailureAction: Enforce background: false rules: - name: validate-registries @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: "Unknown image registry." pattern: spec: diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/README.md new file mode 100644 index 0000000000..2a0054d0d0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/README.md @@ -0,0 +1,23 @@ +## Description + +Tests the ability to create both a ClusterPolicy and a Policy when there is an external API provider registered in the cluster but with no resources which fall under that group. + +## Expected Behavior + +Both ClusterPolicy and Policy should be successfully created. + +## Reference Issue(s) + +918 +942 +1324 +1325 +1490 +1830 +2126 +2162 +2267 +2684 +3244 +3788 +5221 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..fb1b4a5da0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/chainsaw-test.yaml 
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: external-metrics
+spec:
+ steps:
+ - name: step-00
+ try:
+ - apply:
+ file: keda.yaml
+ - assert:
+ file: keda-ready.yaml
+ - name: step-01
+ try:
+ - apply:
+ file: cluster-policy.yaml
+ - assert:
+ file: cluster-policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/cluster-policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/cluster-policy-ready.yaml
new file mode 100644
index 0000000000..5770a6453c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/cluster-policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: external-metrics-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/cluster-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/cluster-policy.yaml
new file mode 100644
index 0000000000..8a4bb5c351
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/cluster-policy.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: external-metrics-policy
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: external-metrics-rule
+ match:
+ all:
+ - clusterRoles:
+ - evil-cr
+ resources:
+ kinds:
+ - Secret
+ validate:
+ message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
+ deny:
+ conditions:
+ any:
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: DELETE
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: UPDATE
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: CREATE
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/keda-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/keda-ready.yaml
new file mode 100644
index 0000000000..059335ea54
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/keda-ready.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keda-metrics-apiserver
+ namespace: keda
+status:
+ availableReplicas: 1
+ readyReplicas: 1
+ replicas: 1
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: scaledobjects.keda.sh
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1beta1.external.metrics.k8s.io
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/keda.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/keda.yaml
new file mode 100644
index 0000000000..982f284573
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/keda.yaml
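Review bot: The validate message in cluster-policy.yaml interpolates `{{request.oldObject.kind}}` and `{{request.oldObject.name}}`, but the third deny condition also fires on CREATE, where the admission request carries no oldObject, so a blocked create yields a message without the resource identity (or, depending on how Kyverno treats an unresolved variable, a substitution error instead of the message). An expression that falls back across operations, e.g. `{{request.object.name || request.oldObject.name}}`, would keep the message meaningful for all three conditions; please verify that the Kyverno version under test accepts JMESPath `||` inside the message. The namespaced Policy added in this directory's policy.yaml further down uses the same message and has the same issue. The file also ends without a trailing newline.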
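Review bot: The keda-ready.yaml assert checks that the `v1beta1.external.metrics.k8s.io` APIService object exists but not that the aggregated API behind it is actually being served, which is the state the README describes (an external API provider registered with no resources under its group). If step-01 runs while the adapter is still registering, discovery for external.metrics.k8s.io reports the group as unavailable and policy creation is exercised against a different cluster state than intended, so the test could pass or fail for the wrong reason. Adding `status: {conditions: [{type: Available, status: "True"}]}` to the APIService document in keda-ready.yaml would pin the intended state; the Deployment document already covers the adapter pods.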
@@ -0,0 +1,768 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/name: keda + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + labels: + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: scaledobjects.keda.sh +spec: + group: keda.sh + names: + kind: ScaledObject + listKind: ScaledObjectList + plural: scaledobjects + shortNames: + - so + singular: scaledobject + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.scaleTargetKind + name: ScaleTargetKind + type: string + - jsonPath: .spec.scaleTargetRef.name + name: ScaleTargetName + type: string + - jsonPath: .spec.minReplicaCount + name: Min + type: integer + - jsonPath: .spec.maxReplicaCount + name: Max + type: integer + - jsonPath: .spec.triggers[*].type + name: Triggers + type: string + - jsonPath: .spec.triggers[*].authenticationRef.name + name: Authentication + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Active")].status + name: Active + type: string + - jsonPath: .status.conditions[?(@.type=="Fallback")].status + name: Fallback + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ScaledObject is a specification for a ScaledObject resource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ScaledObjectSpec is the spec for a ScaledObject resource + properties: + advanced: + description: AdvancedConfig specifies advance scaling options + properties: + horizontalPodAutoscalerConfig: + description: HorizontalPodAutoscalerConfig specifies horizontal + scale config + properties: + behavior: + description: HorizontalPodAutoscalerBehavior configures the + scaling behavior of the target in both Up and Down directions + (scaleUp and scaleDown fields respectively). + properties: + scaleDown: + description: scaleDown is scaling policy for scaling Down. + If not set, the default value is to allow to scale down + to minReplicas pods, with a 300 second stabilization + window (i.e., the highest recommendation for the last + 300sec is used). + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and + less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. 
+ type: string + value: + description: Value contains the amount of change + which is permitted by the policy. It must + be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default value + MaxPolicySelect is used. + type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the number + of seconds for which past recommendations should + be considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than + or equal to zero and less than or equal to 3600 + (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window + is 300 seconds long).' + format: int32 + type: integer + type: object + scaleUp: + description: 'scaleUp is scaling policy for scaling Up. + If not set, the default value is the higher of: * increase + no more than 4 pods per 60 seconds * double the number + of pods per 60 seconds No stabilization is used.' + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and + less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. + type: string + value: + description: Value contains the amount of change + which is permitted by the policy. 
It must + be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default value + MaxPolicySelect is used. + type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the number + of seconds for which past recommendations should + be considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than + or equal to zero and less than or equal to 3600 + (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window + is 300 seconds long).' + format: int32 + type: integer + type: object + type: object + name: + type: string + type: object + restoreToOriginalReplicaCount: + type: boolean + type: object + cooldownPeriod: + format: int32 + type: integer + fallback: + description: Fallback is the spec for fallback options + properties: + failureThreshold: + format: int32 + type: integer + replicas: + format: int32 + type: integer + required: + - failureThreshold + - replicas + type: object + idleReplicaCount: + format: int32 + type: integer + maxReplicaCount: + format: int32 + type: integer + minReplicaCount: + format: int32 + type: integer + pollingInterval: + format: int32 + type: integer + scaleTargetRef: + description: ScaleTarget holds the a reference to the scale target + Object + properties: + apiVersion: + type: string + envSourceContainerName: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + triggers: + items: + description: ScaleTriggers reference the scaler that will be used + properties: + authenticationRef: + description: ScaledObjectAuthRef points to the TriggerAuthentication + or ClusterTriggerAuthentication object that is used to authenticate + the scaler with the environment + 
properties: + kind: + description: Kind of the resource being referred to. Defaults + to TriggerAuthentication. + type: string + name: + type: string + required: + - name + type: object + metadata: + additionalProperties: + type: string + type: object + metricType: + description: MetricTargetType specifies the type of metric being + targeted, and should be either "Value", "AverageValue", or + "Utilization" + type: string + name: + type: string + type: + type: string + required: + - metadata + - type + type: object + type: array + required: + - scaleTargetRef + - triggers + type: object + status: + description: ScaledObjectStatus is the status for a ScaledObject resource + properties: + conditions: + description: Conditions an array representation to store multiple + Conditions + items: + description: Condition to store the condition state + properties: + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. 
+ type: string + type: + description: Type of condition + type: string + required: + - status + - type + type: object + type: array + externalMetricNames: + items: + type: string + type: array + health: + additionalProperties: + description: HealthStatus is the status for a ScaledObject's health + properties: + numberOfFailures: + format: int32 + type: integer + status: + description: HealthStatusType is an indication of whether the + health status is happy or failing + type: string + type: object + type: object + hpaName: + type: string + lastActiveTime: + format: date-time + type: string + originalReplicaCount: + format: int32 + type: integer + pausedReplicaCount: + format: int32 + type: integer + resourceMetricNames: + items: + type: string + type: array + scaleTargetGVKR: + description: GroupVersionKindResource provides unified structure for + schema.GroupVersionKind and Resource + properties: + group: + type: string + kind: + type: string + resource: + type: string + version: + type: string + required: + - group + - kind + - resource + - version + type: object + scaleTargetKind: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-operator + namespace: keda +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: keda-external-metrics-reader + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-external-metrics-reader +rules: +- apiGroups: + - external.metrics.k8s.io + resources: + - '*' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 
+ name: keda-operator +rules: +- apiGroups: + - "" + resources: + - configmaps + - configmaps/status + - events + verbs: + - '*' +- apiGroups: + - "" + resources: + - external + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - list + - watch +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get +- apiGroups: + - '*' + resources: + - '*/scale' + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - list + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - batch + resources: + - jobs + verbs: + - '*' +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - clustertriggerauthentications + - clustertriggerauthentications/status + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - scaledjobs + - scaledjobs/finalizers + - scaledjobs/status + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - scaledobjects + - scaledobjects/finalizers + - scaledobjects/status + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - triggerauthentications + - triggerauthentications/status + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-auth-reader + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: keda-operator + namespace: keda +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-hpa-controller-external-metrics + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: 
keda-hpa-controller-external-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keda-external-metrics-reader +subjects: +- kind: ServiceAccount + name: horizontal-pod-autoscaler + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keda-operator +subjects: +- kind: ServiceAccount + name: keda-operator + namespace: keda +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-system-auth-delegator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-system-auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: keda-operator + namespace: keda +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: keda-metrics-apiserver + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-metrics-apiserver + namespace: keda +spec: + ports: + - name: https + port: 443 + targetPort: 6443 + - name: http + port: 80 + targetPort: 8080 + selector: + app: keda-metrics-apiserver +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: keda-metrics-apiserver + app.kubernetes.io/name: keda-metrics-apiserver + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-metrics-apiserver + namespace: keda +spec: + replicas: 1 + selector: + matchLabels: + app: keda-metrics-apiserver + template: + metadata: + labels: + app: keda-metrics-apiserver + name: keda-metrics-apiserver + spec: + containers: + - args: + - /usr/local/bin/keda-adapter + - --secure-port=6443 + - 
--logtostderr=true + - --v=0 + env: + - name: WATCH_NAMESPACE + value: "" + - name: KEDA_HTTP_DEFAULT_TIMEOUT + value: "" + image: ghcr.io/kedacore/keda-metrics-apiserver:2.8.0 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 6443 + scheme: HTTPS + initialDelaySeconds: 5 + name: keda-metrics-apiserver + ports: + - containerPort: 6443 + name: https + - containerPort: 8080 + name: http + readinessProbe: + httpGet: + path: /readyz + port: 6443 + scheme: HTTPS + initialDelaySeconds: 5 + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /tmp + name: temp-vol + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + serviceAccountName: keda-operator + volumes: + - emptyDir: {} + name: temp-vol +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: keda-operator + app.kubernetes.io/component: operator + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-operator + namespace: keda +spec: + replicas: 1 + selector: + matchLabels: + app: keda-operator + template: + metadata: + labels: + app: keda-operator + name: keda-operator + name: keda-operator + spec: + containers: + - args: + - --leader-elect + - --zap-log-level=info + - --zap-encoder=console + - --zap-time-encoding=rfc3339 + command: + - /keda + env: + - name: WATCH_NAMESPACE + value: "" + - name: KEDA_HTTP_DEFAULT_TIMEOUT + value: "" + image: ghcr.io/kedacore/keda:2.8.0 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 25 + name: keda-operator + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 20 + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 
100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + serviceAccountName: keda-operator + terminationGracePeriodSeconds: 10 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app.kubernetes.io/name: v1beta1.external.metrics.k8s.io + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: v1beta1.external.metrics.k8s.io +spec: + group: external.metrics.k8s.io + groupPriorityMinimum: 100 + insecureSkipTLSVerify: true + service: + name: keda-metrics-apiserver + namespace: keda + version: v1beta1 + versionPriority: 100 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/policy-ready.yaml new file mode 100644 index 0000000000..a963ab024b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/policy-ready.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: external-metrics-policy-default + namespace: default +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/policy.yaml new file mode 100644 index 0000000000..ae4b0451e3 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/policy.yaml 
@@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: external-metrics-policy-default + namespace: default +spec: + validationFailureAction: Enforce + background: false + rules: + - name: external-metrics-rule-default + match: + all: + - clusterRoles: + - evil-cr + resources: + kinds: + - Secret + validate: + message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.' + deny: + conditions: + any: + - key: '{{request.operation}}' + operator: Equals + value: DELETE + - key: '{{request.operation}}' + operator: Equals + value: UPDATE + - key: '{{request.operation}}' + operator: Equals + value: CREATE \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy.yaml index 8a4bb5c351..f795b627c9 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: external-metrics-policy spec: - validationFailureAction: Enforce background: false rules: - name: external-metrics-rule @@ -15,6 +14,7 @@ spec: kinds: - Secret validate: + validationFailureAction: Enforce message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.' deny: conditions: diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy.yaml index ae4b0451e3..e90823cda2 100644 
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy.yaml @@ -4,7 +4,6 @@ metadata: name: external-metrics-policy-default namespace: default spec: - validationFailureAction: Enforce background: false rules: - name: external-metrics-rule-default @@ -16,6 +15,7 @@ spec: kinds: - Secret validate: + validationFailureAction: Enforce message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.' deny: conditions: diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/README.md new file mode 100644 index 0000000000..04a140bda8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures that invalid jmespath in variables cause error and not panic. + +## Expected Behavior + +The pod should be blocked diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/chainsaw-test.yaml new file mode 100644 index 0000000000..f1f748bdef --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/chainsaw-test.yaml 
@@ -0,0 +1,30 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: variable-substitution-failure-messages
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - script:
+ content: kubectl apply -f pod.yaml
+ check:
+ ($error != null): true
+ # This check ensures the contents of stderr are exactly as shown.
+ ($stderr): |-
+ Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:
+
+ resource Pod/default/test was blocked due to the following policies
+
+ test-panic:
+ test-panic: 'failed to check deny conditions: failed to substitute variables in
+ condition key: failed to resolve image at path : jmespath value must be a string
+ image {{ request.object.spec.[containers,initContainers, ephemeralContainers][].image[]
+ }}: '
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/pod.yaml
new file mode 100644
index 0000000000..25a83916e6
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: null
+ labels:
+ run: test
+ name: test
+spec:
+ containers:
+ - image: nginx
+ name: test
+ resources: {}
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/policy-assert.yaml
new file mode 100644
index 0000000000..84d72139a2
--- /dev/null
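Review bot: The `($stderr)` check in step-02 of chainsaw-test.yaml pins the whole kubectl error byte-for-byte, including Kyverno's internal wording (`failed to substitute variables in condition key ...`) and its line wrapping, so a rewording of that error or of kubectl's own prefix breaks the test although the property under test, a clean deny instead of a panic, still holds. A narrower check keeps the intent and survives cosmetic changes, e.g. `(contains($stderr, 'denied the request')): true` and `(contains($stderr, 'failed to check deny conditions')): true` next to the existing `($error != null): true`; the full expected text can stay in the comment above as documentation. If the exact match is deliberate, the comment should say which part of the message is the actual regression guard.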
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-panic +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/policy.yaml new file mode 100644 index 0000000000..eeb7aebf2c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/policy.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-panic +spec: + validationFailureAction: Enforce + background: true + rules: + - name: test-panic + match: + any: + - resources: + kinds: + - Pod + context: + - name: image + variable: + jmesPath: '{{ request.object.spec.[containers,initContainers, ephemeralContainers][].image[] }}' + validate: + deny: + conditions: + all: + - key: "{{ image }}" + operator: AnyNotIn + value: + - "ghcr.io/kyverno/test-verify-image:signed" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/policy.yaml index eeb7aebf2c..65ebbdf52e 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/policy.yaml @@ -2,8 +2,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: test-panic -spec: - validationFailureAction: Enforce +spec: background: true rules: - name: test-panic 
@@ -17,6 +16,7 @@ spec: variable: jmesPath: '{{ request.object.spec.[containers,initContainers, ephemeralContainers][].image[] }}' validate: + validationFailureAction: Enforce deny: conditions: all: diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/README.md new file mode 100644 index 0000000000..4cae30b2d4 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that when the policy uses a pattern with conditional anchor, the creation of some resources should be failed instead of skipped. + +## Expected Behavior + +Resource failed to be created due to validate failure. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/8731 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/chainsaw-test.yaml new file mode 100644 index 0000000000..c96cded9ad --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: validate-pattern-should-fail +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: resource.yaml + - name: step-03 + try: + - assert: + file: event-assert.yaml \ No newline at end of file 
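Review bot: In step-02 of the validate-pattern-should-fail(deprecated) chainsaw-test.yaml the expectation `($error != null): true` is satisfied by any apply failure, not only by the admission deny the test is about; a malformed resource.yaml or a transient API error would pass that step, and step-03's event assert only narrows it after the fact and does not tie the event to this pod. If `$error` in an apply expectation exposes the error text, something like `(contains($error, 'priv-esc')): true` in the same check would make the step fail only on the intended policy deny. The policy-assert.yaml in this directory uses `spec: {}`, which asserts nothing about the rules; asserting the rule's action there would close the same gap from the other side.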
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/event-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/event-assert.yaml
new file mode 100644
index 0000000000..cf2d7e7e99
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/event-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Event
+metadata:
+ namespace: default
+involvedObject:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: priv
+reason: PolicyViolation
+reportingComponent: kyverno-admission
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/policy-assert.yaml
new file mode 100644
index 0000000000..a695a5250c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: priv
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/policy.yaml
new file mode 100644
index 0000000000..62582deadc
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/policy.yaml
@@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: priv +spec: + validationFailureAction: Enforce + background: true + rules: + - name: priv-esc + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Lorem ipse + pattern: + spec: + =(ephemeralContainers): + - (image): "!*/foo:*.*.*" + securityContext: + allowPrivilegeEscalation: "false" + =(initContainers): + - (image): "!*/foo:*.*.*" + securityContext: + allowPrivilegeEscalation: "false" + =(containers): + - (image): "!*/foo:*.*.*" + securityContext: + allowPrivilegeEscalation: "false" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/resource.yaml new file mode 100644 index 0000000000..2817a65766 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/resource.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + labels: + app: test-app +spec: + containers: + - name: side + image: test/foo:1.2.3 + initContainers: + - name: init + image: test/bar:1.2.3 + securityContext: + allowPrivilegeEscalation: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail/policy.yaml index 62582deadc..8e251e8b1e 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: priv spec: - validationFailureAction: Enforce background: true rules: - name: priv-esc 
@@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: >- Lorem ipse pattern: diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/README.md new file mode 100644 index 0000000000..29bdd37655 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that when the policy uses a pattern with conditional anchor, the creation of some resources should be passes instead of skipped. + +## Expected Behavior + +The creation of resource should be passes instead of skipped. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/8731 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/chainsaw-test.yaml new file mode 100644 index 0000000000..80aeadec71 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/chainsaw-test.yaml @@ -0,0 +1,25 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: validate-pattern-should-pass +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: resource.yaml + - name: step-03 + try: + - assert: + file: event-assert.yaml + - name: step-04 + try: + - assert: + file: report-pass-assert.yaml \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/event-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/event-assert.yaml new file mode 100644 index 0000000000..8860cfcb62 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/event-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: priv +type: Normal +reason: PolicyApplied +action: Resource Passed +reportingComponent: kyverno-admission \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/policy-assert.yaml new file mode 100644 index 0000000000..a695a5250c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: priv +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/policy.yaml new file mode 100644 index 0000000000..62582deadc --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/policy.yaml 
@@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: priv +spec: + validationFailureAction: Enforce + background: true + rules: + - name: priv-esc + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Lorem ipse + pattern: + spec: + =(ephemeralContainers): + - (image): "!*/foo:*.*.*" + securityContext: + allowPrivilegeEscalation: "false" + =(initContainers): + - (image): "!*/foo:*.*.*" + securityContext: + allowPrivilegeEscalation: "false" + =(containers): + - (image): "!*/foo:*.*.*" + securityContext: + allowPrivilegeEscalation: "false" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/report-pass-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/report-pass-assert.yaml new file mode 100644 index 0000000000..cc33a5566e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/report-pass-assert.yaml @@ -0,0 +1,23 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: PolicyReport +metadata: + ownerReferences: + - apiVersion: v1 + kind: Pod + name: test-pod +scope: + apiVersion: v1 + kind: Pod + name: test-pod +results: +- message: validation rule 'priv-esc' passed. + policy: priv + result: pass + rule: priv-esc + source: kyverno +summary: + error: 0 + fail: 0 + pass: 1 + skip: 0 + warn: 0 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/resource.yaml new file mode 100644 index 0000000000..91381030a4 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/resource.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + labels: + app: test-app +spec: + containers: + - name: main + image: test/bar:1.2.3 + securityContext: + allowPrivilegeEscalation: false + - name: side + image: test/foo:1.2.3 + initContainers: + - name: init + image: test/foo:1.2.3 + securityContext: + allowPrivilegeEscalation: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass/policy.yaml index 62582deadc..8e251e8b1e 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: priv spec: - validationFailureAction: Enforce background: true rules: - name: priv-esc @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: >- Lorem ipse pattern: diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/README.md new file mode 100644 index 0000000000..3746ec186b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that when the policy uses a pattern with conditional anchor, the creation of some resources should be skipped. + +## Expected Behavior + +The creation of resource should be skipped. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/8731 \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/chainsaw-test.yaml new file mode 100644 index 0000000000..35300d9953 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: validate-pattern-should-skip +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: resource.yaml + - name: step-03 + try: + - assert: + file: report-skip-assert.yaml \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/policy-assert.yaml new file mode 100644 index 0000000000..a695a5250c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: priv +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/policy.yaml new file mode 100644 index 0000000000..8d58e00bdc --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/policy.yaml 
@@ -0,0 +1,27 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: priv +spec: + validationFailureAction: Enforce + background: true + rules: + - name: priv-esc + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Lorem ipse + pattern: + spec: + =(initContainers): + - (image): "!*/foo:*.*.*" + securityContext: + allowPrivilegeEscalation: "false" + =(containers): + - (image): "!*/foo:*.*.*" + securityContext: + allowPrivilegeEscalation: "false" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/report-skip-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/report-skip-assert.yaml new file mode 100644 index 0000000000..918a3809e8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/report-skip-assert.yaml @@ -0,0 +1,23 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: PolicyReport +metadata: + ownerReferences: + - apiVersion: v1 + kind: Pod + name: test-pod +scope: + apiVersion: v1 + kind: Pod + name: test-pod +results: +- message: 'conditional anchor mismatch: resource value ''test/foo:1.2.3'' does not match ''!*/foo:*.*.*'' at path /spec/containers/0/image/; conditional anchor mismatch: resource value ''test/foo:1.2.3'' does not match ''!*/foo:*.*.*'' at path /spec/containers/1/image/; conditional anchor mismatch: resource value ''test/foo:1.2.3'' does not match ''!*/foo:*.*.*'' at path /spec/initContainers/0/image/' + policy: priv + result: skip + rule: priv-esc + source: kyverno +summary: + error: 0 + fail: 0 + pass: 0 + skip: 1 + warn: 0 \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/resource.yaml new file mode 100644 index 0000000000..4e02559819 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/resource.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + labels: + app: test-app +spec: + containers: + - name: main + image: test/foo:1.2.3 + securityContext: + allowPrivilegeEscalation: false + - name: side + image: test/foo:1.2.3 + initContainers: + - name: init + image: test/foo:1.2.3 + securityContext: + allowPrivilegeEscalation: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip/policy.yaml index 8d58e00bdc..a6fbacb925 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: priv spec: - validationFailureAction: Enforce background: true rules: - name: priv-esc @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: >- Lorem ipse pattern: diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/README.md new file mode 100644 index 0000000000..85be009d4f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/README.md 
@@ -0,0 +1,11 @@ +## Description + +This test ensures that variables are substituted correctly in the validation messages for `anyPattern`. + +## Expected Behavior + +The variable `allowedUIDs` will be successfully substituted by `9999 | 4000` in the validation message. + +## Reference Issue(s) + +#8095 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/chainsaw-test.yaml new file mode 100644 index 0000000000..0a99116d08 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/chainsaw-test.yaml @@ -0,0 +1,33 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: variable-substitution-failure-messages +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - script: + content: kubectl apply -f pod.yaml + check: + ($error != null): true + # This check ensures the contents of stderr are exactly as shown. + ($stderr): |- + Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: + + resource Pod/default/ba was blocked due to the following policies + + uid-groups-fsgroup-validate: + check-runasuser: 'validation error: Running with specific user IDs 9999 | 4000. + The fields spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup, + spec.initContainers[*].securityContext.runAsGroup, and spec.ephemeralContainers[*].securityContext.runAsGroup + must be set to one of the 9999 | 4000 values. rule check-runasuser[0] failed at + path /spec/containers/0/securityContext/runAsUser/ rule check-runasuser[1] failed + at path /spec/containers/0/securityContext/runAsUser/' + 
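Review bot: In `step-02` of the copied `chainsaw-test.yaml`, `kubectl apply -f pod.yaml` runs without `-n` while the exact `$stderr` match below it pins the rejected resource to `Pod/default/ba`; `pod.yaml` carries no namespace, so the assertion only holds when the runner's kubeconfig context points at `default`. Making that explicit, `content: kubectl apply -n default -f pod.yaml`, removes the dependence on the runner's context. The full multi-line match on the admission message is also brittle against any wording change in the denial text; a JMESPath check such as `(contains($stderr, '9999 | 4000')): true` would pin the variable substitution this test is about with far less coupling.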
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/pod.yaml new file mode 100644 index 0000000000..f7e036cd5c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/pod.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: ba + labels: + app: nginx-users +spec: + securityContext: + runAsUser: 115 + containers: + - name: notnginx + image: nothingherenginx + securityContext: + runAsUser: 250 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/policy-assert.yaml new file mode 100644 index 0000000000..efa97035d5 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: uid-groups-fsgroup-validate +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/policy.yaml new file mode 100644 index 0000000000..6cbfcd87cb --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/policy.yaml 
@@ -0,0 +1,48 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: uid-groups-fsgroup-validate +spec: + validationFailureAction: enforce + background: true + rules: + - name: check-runasuser + context: + - name: allowedUIDs + variable: + value: "9999 | 4000" + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Running with specific user IDs {{ allowedUIDs }}. The fields + spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup, + spec.initContainers[*].securityContext.runAsGroup, and + spec.ephemeralContainers[*].securityContext.runAsGroup must be + set to one of the {{ allowedUIDs }} values. + anyPattern: + - spec: + securityContext: + runAsUser: "{{ allowedUIDs }}" + =(ephemeralContainers): + - =(securityContext): + =(runAsUser): "{{ allowedUIDs }}" + =(initContainers): + - =(securityContext): + =(runAsUser): "{{ allowedUIDs }}" + containers: + - =(securityContext): + =(runAsUser): "{{ allowedUIDs }}" + - spec: + =(ephemeralContainers): + - securityContext: + runAsUser: "{{ allowedUIDs }}" + =(initContainers): + - securityContext: + runAsUser: "{{ allowedUIDs }}" + containers: + - securityContext: + runAsUser: "{{ allowedUIDs }}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy.yaml index 6cbfcd87cb..2bc8060f91 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: uid-groups-fsgroup-validate spec: - validationFailureAction: enforce background: true rules: - name: check-runasuser 
@@ -17,6 +16,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: >- Running with specific user IDs {{ allowedUIDs }}. The fields spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup, diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/README.md new file mode 100644 index 0000000000..8fed6477c8 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/README.md @@ -0,0 +1,21 @@ +## Description + +This test validates that an existing ConfigMap can't be updated with a new key that results in violation of a policy. + +## Expected Behavior + +The existing ConfigMap isn't patched and policy violation is reported. + +## Steps + +### Test Steps + +1. Create a `Policy` that denies only permits combination of two particular keys together. +2. Create a `ConfigMap` that contains one of the keys. +3. Try to patch the `ConfigMap` with a new key that is not permitted by the policy. +4. Verify that the `ConfigMap` is not patched and policy violation is reported. +5. Delete the `Policy` and `ConfigMap`. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/3253 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 0000000000..e9b9475008 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-validate-e2e-adding-key-to-config-map 
diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-2.yaml new file mode 100755 index 0000000000..7b96ec0b9a --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-2.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: configmap-policy + namespace: test-validate-e2e-adding-key-to-config-map +spec: + background: false + failurePolicy: Fail + rules: + - match: + all: + - resources: + kinds: + - ConfigMap + name: key-abc + preconditions: + all: + - key: admin + operator: Equals + value: '{{ request.object.data.lock || '''' }}' + validate: + anyPattern: + - data: + key: abc + message: Configmap key must be "abc" + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-3.yaml new file mode 100755 index 0000000000..a5050bc357 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-3.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +data: + key: xyz +kind: ConfigMap +metadata: + name: test-configmap + namespace: test-validate-e2e-adding-key-to-config-map diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 0000000000..eb21b4d4fb --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-assert-1-1.yaml 
@@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: configmap-policy + namespace: test-validate-e2e-adding-key-to-config-map +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..a105d286a8 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-test.yaml @@ -0,0 +1,26 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: adding-key-to-config-map +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - apply: + file: chainsaw-step-01-apply-1-2.yaml + - apply: + file: chainsaw-step-01-apply-1-3.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - name: step-02 + try: + - script: + content: "if kubectl patch ConfigMap test-configmap -n test-validate-e2e-adding-key-to-config-map + --type='json' -p=\"[{\\\"op\\\": \\\"add\\\", \\\"path\\\": \\\"/data/lock\\\", + \\\"value\\\":\"\"admin\"\"}]\" 2>&1 | grep -q 'validation error: Configmap + key must be \"abc\"' \nthen \n echo \"Test succeeded. Resource was blocked + from adding key.\"\n exit 0\nelse \n echo \"Tested failed. Resource was + not blocked from adding key.\"\n exit 1 \nfi\n" diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/chainsaw-step-01-apply-1-2.yaml index 7b96ec0b9a..cba9280e02 100755 --- a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/chainsaw-step-01-apply-1-2.yaml +++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/chainsaw-step-01-apply-1-2.yaml 
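Review bot: In the `step-02` script of the copied `chainsaw-test.yaml`, the patch value is written as `\\\"value\\\":\"\"admin\"\"`, which after YAML and shell unescaping becomes `"value":admin` — an unquoted token, unlike the `\\\"op\\\"` and `\\\"path\\\"` entries beside it; it appears to be accepted only because kubectl parses `-p` as YAML before converting it to JSON. Writing it as `\\\"value\\\": \\\"admin\\\"` matches the surrounding quoting and yields valid JSON regardless of that behaviour. Separately, because the script greps the merged `2>&1` output, any other failure of `kubectl patch` (missing ConfigMap, auth or connectivity error) is reported with the same "not blocked" message; capturing the output and echoing it in the else branch would make such failures diagnosable.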
@@ -5,7 +5,6 @@ metadata: namespace: test-validate-e2e-adding-key-to-config-map spec: background: false - failurePolicy: Fail rules: - match: all: @@ -19,8 +18,10 @@ spec: operator: Equals value: '{{ request.object.data.lock || '''' }}' validate: + validationFailureAction: Enforce anyPattern: - data: key: abc message: Configmap key must be "abc" - validationFailureAction: Enforce + webhookConfiguration: + failurePolicy: Fail diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/README.md new file mode 100644 index 0000000000..f601a57c5b --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This is a migrated test from e2e. The global anchor is being checked for basic functionality here. + +## Expected Behavior + +If a container uses an image named `someimagename` then the `imagePullSecret` must be set to `my-registry-secret`. The test passes if this combination is found. If an image named `someimagename` uses some other imagePullSecret, the test fails. + +## Reference Issue(s) + +2390 diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/bad.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/bad.yaml new file mode 100644 index 0000000000..14b674c61c --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/bad.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-nginx-disallowed-registry + namespace: default +spec: + containers: + - name: nginx + image: someimagename + imagePullSecrets: + - name: other-registory-secret \ No newline at end of file 
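Review bot: The new directory is named `global-anchor copy(deprecated)` — with a space and the word `copy` — while every other duplicated directory in this commit follows `<name>(deprecated)`; this looks like an accidental file-manager duplicate name and should be `global-anchor(deprecated)` so the path convention stays uniform and the path needs no quoting in shells or globs that reference it. Minor, in `bad.yaml`: `other-registory-secret` looks like a typo for `other-registry-secret`; it is harmless because the test only needs a value different from `my-registry-secret`, but worth fixing while renaming.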
diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 0000000000..0eeac8625a --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/chainsaw-step-02-apply-1-1.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-nginx-allowed-registry + namespace: default +spec: + containers: + - image: someimagename + name: nginx + imagePullSecrets: + - name: my-registry-secret diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..184c80a98d --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: global-anchor +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1-1.yaml + - name: step-03 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad.yaml diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/policy-ready.yaml new file mode 100644 index 0000000000..5f42e456d2 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: sample +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/policy.yaml new file mode 100644 index 0000000000..bc1b7b1b6c --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: sample +spec: + validationFailureAction: Enforce + rules: + - name: check-container-image + match: + any: + - resources: + kinds: + - Pod + validate: + pattern: + spec: + containers: + - name: "*" + <(image): "someimagename" + imagePullSecrets: + - name: my-registry-secret \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor/policy.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor/policy.yaml index bc1b7b1b6c..fc228e7f02 100644 --- a/test/conformance/chainsaw/validate/e2e/global-anchor/policy.yaml +++ b/test/conformance/chainsaw/validate/e2e/global-anchor/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: sample spec: - validationFailureAction: Enforce rules: - name: check-container-image match: @@ -12,6 +11,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce pattern: spec: containers: diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/README.md new file mode 100644 index 0000000000..184a2a0053 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test validates that CRD with lowercase kind is supported. + +## Expected Behavior + +A resource with kind `postgresql` should have the label `app=foo`. + +## Reference Issue(s) + +5989 
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 0000000000..ddccd1ac34 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-validate diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-apply-1-2.yaml new file mode 100755 index 0000000000..feafcffd9a --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-apply-1-2.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test +spec: + rules: + - match: + any: + - resources: + kinds: + - acid.zalan.do/v1/postgresql + name: test-rule + validate: + message: The label app=foo is required + pattern: + metadata: + labels: + app: foo + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 0000000000..5ede705d48 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-assert-1-2.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-assert-1-2.yaml new file mode 100755 index 0000000000..ddccd1ac34 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-assert-1-2.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-validate diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..40bbf38655 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-test.yaml @@ -0,0 +1,30 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: lowercase-kind-crd +spec: + steps: + - name: step-00 + try: + - apply: + file: postgresqls.yaml + - assert: + file: postgresqls-ready.yaml + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - apply: + file: chainsaw-step-01-apply-1-2.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - assert: + file: chainsaw-step-01-assert-1-2.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: resource.yaml diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/postgresqls-ready.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/postgresqls-ready.yaml new file mode 100644 index 0000000000..618d1b081d --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/postgresqls-ready.yaml 
@@ -0,0 +1,27 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: postgresqls.acid.zalan.do + labels: + app.kubernetes.io/name: postgres-operator +status: + acceptedNames: + categories: + - all + kind: postgresql + listKind: postgresqlList + plural: postgresqls + shortNames: + - pg + singular: postgresql + conditions: + - message: no conflicts found + reason: NoConflicts + status: "True" + type: NamesAccepted + - message: the initial names have been accepted + reason: InitialNamesAccepted + status: "True" + type: Established + storedVersions: + - v1 diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/postgresqls.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/postgresqls.yaml new file mode 100644 index 0000000000..e6b570a23f --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/postgresqls.yaml 
@@ -0,0 +1,656 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: postgresqls.acid.zalan.do + labels: + app.kubernetes.io/name: postgres-operator +spec: + group: acid.zalan.do + names: + kind: postgresql + listKind: postgresqlList + plural: postgresqls + singular: postgresql + shortNames: + - pg + categories: + - all + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Team + type: string + description: Team responsible for Postgres cluster + jsonPath: .spec.teamId + - name: Version + type: string + description: PostgreSQL version + jsonPath: .spec.postgresql.version + - name: Pods + type: integer + description: Number of Pods per Postgres cluster + jsonPath: .spec.numberOfInstances + - name: Volume + type: string + description: Size of the bound volume + jsonPath: .spec.volume.size + - name: CPU-Request + type: string + description: Requested CPU for Postgres containers + jsonPath: .spec.resources.requests.cpu + - name: Memory-Request + type: string + description: Requested memory for Postgres containers + jsonPath: .spec.resources.requests.memory + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + - name: Status + type: string + description: Current sync status of postgresql resource + jsonPath: .status.PostgresClusterStatus + schema: + openAPIV3Schema: + type: object + required: + - kind + - apiVersion + - spec + properties: + kind: + type: string + enum: + - postgresql + apiVersion: + type: string + enum: + - acid.zalan.do/v1 + spec: + type: object + required: + - numberOfInstances + - teamId + - postgresql + - volume + properties: + additionalVolumes: + type: array + items: + type: object + required: + - name + - mountPath + - volumeSource + properties: + name: + type: string + mountPath: + type: string + targetContainers: + type: array + nullable: true + items: + type: string + volumeSource: + type: object + 
x-kubernetes-preserve-unknown-fields: true + subPath: + type: string + allowedSourceRanges: + type: array + nullable: true + items: + type: string + pattern: '^(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\/(\d|[1-2]\d|3[0-2])$' + clone: + type: object + required: + - cluster + properties: + cluster: + type: string + s3_endpoint: + type: string + s3_access_key_id: + type: string + s3_secret_access_key: + type: string + s3_force_path_style: + type: boolean + s3_wal_path: + type: string + timestamp: + type: string + pattern: '^([0-9]+)-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])[Tt]([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\.[0-9]+)?(([+-]([01][0-9]|2[0-3]):[0-5][0-9]))$' + # The regexp matches the date-time format (RFC 3339 Section 5.6) that specifies a timezone as an offset relative to UTC + # Example: 1996-12-19T16:39:57-08:00 + # Note: this field requires a timezone + uid: + format: uuid + type: string + connectionPooler: + type: object + properties: + dockerImage: + type: string + maxDBConnections: + type: integer + mode: + type: string + enum: + - "session" + - "transaction" + numberOfInstances: + type: integer + minimum: 1 + resources: + type: object + properties: + limits: + type: object + properties: + cpu: + type: string + pattern: '^(\d+m|\d+(\.\d{1,3})?)$' + memory: + type: string + pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$' + requests: + type: object + properties: + cpu: + type: string + pattern: '^(\d+m|\d+(\.\d{1,3})?)$' + memory: + type: string + pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$' + schema: + type: string + user: + type: string + databases: + type: object + additionalProperties: + type: string + # Note: usernames specified here as database owners must be declared in the users key of the spec key. 
+ dockerImage: + type: string + enableConnectionPooler: + type: boolean + enableReplicaConnectionPooler: + type: boolean + enableLogicalBackup: + type: boolean + enableMasterLoadBalancer: + type: boolean + enableMasterPoolerLoadBalancer: + type: boolean + enableReplicaLoadBalancer: + type: boolean + enableReplicaPoolerLoadBalancer: + type: boolean + enableShmVolume: + type: boolean + env: + type: array + nullable: true + items: + type: object + x-kubernetes-preserve-unknown-fields: true + init_containers: + type: array + description: deprecated + nullable: true + items: + type: object + x-kubernetes-preserve-unknown-fields: true + initContainers: + type: array + nullable: true + items: + type: object + x-kubernetes-preserve-unknown-fields: true + logicalBackupSchedule: + type: string + pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$' + maintenanceWindows: + type: array + items: + type: string + pattern: '^\ *((Mon|Tue|Wed|Thu|Fri|Sat|Sun):(2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))-((Mon|Tue|Wed|Thu|Fri|Sat|Sun):(2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))\ *$' + masterServiceAnnotations: + type: object + additionalProperties: + type: string + nodeAffinity: + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + required: + - preference + - weight + properties: + preference: + type: object + properties: + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchFields: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + weight: + format: int32 + type: integer + requiredDuringSchedulingIgnoredDuringExecution: + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + type: 
array + items: + type: object + properties: + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchFields: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + numberOfInstances: + type: integer + minimum: 0 + patroni: + type: object + properties: + failsafe_mode: + type: boolean + initdb: + type: object + additionalProperties: + type: string + loop_wait: + type: integer + maximum_lag_on_failover: + type: integer + pg_hba: + type: array + items: + type: string + retry_timeout: + type: integer + slots: + type: object + additionalProperties: + type: object + additionalProperties: + type: string + synchronous_mode: + type: boolean + synchronous_mode_strict: + type: boolean + synchronous_node_count: + type: integer + ttl: + type: integer + podAnnotations: + type: object + additionalProperties: + type: string + pod_priority_class_name: + type: string + description: deprecated + podPriorityClassName: + type: string + postgresql: + type: object + required: + - version + properties: + version: + type: string + enum: + - "10" + - "11" + - "12" + - "13" + - "14" + - "15" + parameters: + type: object + additionalProperties: + type: string + preparedDatabases: + type: object + additionalProperties: + type: object + properties: + defaultUsers: + type: boolean + extensions: + type: object + additionalProperties: + type: string + schemas: + type: object + additionalProperties: + type: object + properties: + defaultUsers: + type: boolean + defaultRoles: + type: boolean + secretNamespace: + type: string + replicaLoadBalancer: + type: boolean + description: deprecated + replicaServiceAnnotations: + type: object + additionalProperties: + type: string + resources: + type: object + properties: + limits: + 
type: object + properties: + cpu: + type: string + # Decimal natural followed by m, or decimal natural followed by + # dot followed by up to three decimal digits. + # + # This is because the Kubernetes CPU resource has millis as the + # maximum precision. The actual values are checked in code + # because the regular expression would be huge and horrible and + # not very helpful in validation error messages; this one checks + # only the format of the given number. + # + # https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu + pattern: '^(\d+m|\d+(\.\d{1,3})?)$' + # Note: the value specified here must not be zero or be lower + # than the corresponding request. + memory: + type: string + # You can express memory as a plain integer or as a fixed-point + # integer using one of these suffixes: E, P, T, G, M, k. You can + # also use the power-of-two equivalents: Ei, Pi, Ti, Gi, Mi, Ki + # + # https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory + pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$' + # Note: the value specified here must not be zero or be higher + # than the corresponding limit. 
+ requests: + type: object + properties: + cpu: + type: string + pattern: '^(\d+m|\d+(\.\d{1,3})?)$' + memory: + type: string + pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$' + schedulerName: + type: string + serviceAnnotations: + type: object + additionalProperties: + type: string + sidecars: + type: array + nullable: true + items: + type: object + x-kubernetes-preserve-unknown-fields: true + spiloRunAsUser: + type: integer + spiloRunAsGroup: + type: integer + spiloFSGroup: + type: integer + standby: + type: object + properties: + s3_wal_path: + type: string + gs_wal_path: + type: string + standby_host: + type: string + standby_port: + type: string + oneOf: + - required: + - s3_wal_path + - required: + - gs_wal_path + - required: + - standby_host + streams: + type: array + items: + type: object + required: + - applicationId + - database + - tables + properties: + applicationId: + type: string + batchSize: + type: integer + database: + type: string + filter: + type: object + additionalProperties: + type: string + tables: + type: object + additionalProperties: + type: object + required: + - eventType + properties: + eventType: + type: string + idColumn: + type: string + payloadColumn: + type: string + teamId: + type: string + tls: + type: object + required: + - secretName + properties: + secretName: + type: string + certificateFile: + type: string + privateKeyFile: + type: string + caFile: + type: string + caSecretName: + type: string + tolerations: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + enum: + - Equal + - Exists + value: + type: string + effect: + type: string + enum: + - NoExecute + - NoSchedule + - PreferNoSchedule + tolerationSeconds: + type: integer + useLoadBalancer: + type: boolean + description: deprecated + users: + type: object + additionalProperties: + type: array + nullable: true + items: + type: string + enum: + - bypassrls + - BYPASSRLS + - nobypassrls + - NOBYPASSRLS + - createdb 
+ - CREATEDB + - nocreatedb + - NOCREATEDB + - createrole + - CREATEROLE + - nocreaterole + - NOCREATEROLE + - inherit + - INHERIT + - noinherit + - NOINHERIT + - login + - LOGIN + - nologin + - NOLOGIN + - replication + - REPLICATION + - noreplication + - NOREPLICATION + - superuser + - SUPERUSER + - nosuperuser + - NOSUPERUSER + usersWithInPlaceSecretRotation: + type: array + nullable: true + items: + type: string + usersWithSecretRotation: + type: array + nullable: true + items: + type: string + volume: + type: object + required: + - size + properties: + iops: + type: integer + selector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + enum: + - DoesNotExist + - Exists + - In + - NotIn + values: + type: array + items: + type: string + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + size: + type: string + pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$' + # Note: the value specified here must not be zero. + storageClass: + type: string + subPath: + type: string + throughput: + type: integer + status: + type: object + additionalProperties: + type: string diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/resource.yaml new file mode 100644 index 0000000000..d6c04ec7bc --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/resource.yaml @@ -0,0 +1,21 @@ +apiVersion: "acid.zalan.do/v1" +kind: postgresql +metadata: + name: acid-minimal-cluster + namespace: test-validate +spec: + teamId: "acid" + volume: + size: 1Gi + numberOfInstances: 2 + users: + # database owner + zalando: + - superuser + - createdb + + #databases: name->owner + databases: + foo: zalando + postgresql: + version: "15" 
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/chainsaw-step-01-apply-1-2.yaml index feafcffd9a..4d2560164e 100755 --- a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/chainsaw-step-01-apply-1-2.yaml +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/chainsaw-step-01-apply-1-2.yaml @@ -11,9 +11,9 @@ spec: - acid.zalan.do/v1/postgresql name: test-rule validate: + validationFailureAction: Enforce message: The label app=foo is required pattern: metadata: labels: app: foo - validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/README.md new file mode 100644 index 0000000000..1701aff0cc --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that request.oldObject is not null on UPDATE operations when there are multiple rules in a policy. + +## Expected Behavior + +The namespace update operation is allowed. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/9885 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..7561c61d54 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/chainsaw-test.yaml 
@@ -0,0 +1,23 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: check-old-object +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: ns.yaml + - assert: + file: ns-ready.yaml + - name: step-03 + try: + - apply: + file: ns-update.yaml diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns-ready.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns-ready.yaml new file mode 100644 index 0000000000..e9a1593c43 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test + labels: + kubernetes.io/metadata.name: test + size: large diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns-update.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns-update.yaml new file mode 100644 index 0000000000..064e3edcdb --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns-update.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test + labels: + kubernetes.io/metadata.name: test + size: small diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns.yaml new file mode 100644 index 0000000000..e9a1593c43 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test + labels: + kubernetes.io/metadata.name: test + size: large 
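Review bot: step-03 applies ns-update.yaml but never asserts the resulting object, so the test only shows that the UPDATE was not rejected; it does not confirm the label actually changed. Add `- assert:` with `file: ns-update.yaml` after the apply so the namespace is verified to carry `size: small`, mirroring how step-02 asserts ns-ready.yaml. The fixtures also set `kubernetes.io/metadata.name: test` explicitly; the API server manages that label itself, so it is redundant here (harmless, but worth a comment so nobody reads it as part of what the policy checks).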
diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/policy-ready.yaml new file mode 100644 index 0000000000..b8d67ef819 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/policy-ready.yaml @@ -0,0 +1,4 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-old-object diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/policy.yaml new file mode 100644 index 0000000000..238bfab9ae --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/policy.yaml @@ -0,0 +1,39 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-old-object +spec: + validationFailureAction: Enforce + background: false + rules: + - name: require-labels + match: + all: + - resources: + operations: + - CREATE + - UPDATE + kinds: + - Namespace + validate: + message: "The label `size` is required" + pattern: + metadata: + labels: + size: "small | medium | large" + - name: check-old-object + match: + all: + - resources: + operations: + - UPDATE + kinds: + - Namespace + validate: + message: "request.oldObject cannot be null for update requests" + deny: + conditions: + all: + - key: "{{ request.oldObject.metadata == null }}" + operator: Equals + value: true diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists/policy.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists/policy.yaml index 238bfab9ae..e4681293c5 100644 --- a/test/conformance/chainsaw/validate/e2e/old-object-exists/policy.yaml +++ b/test/conformance/chainsaw/validate/e2e/old-object-exists/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-old-object spec: - validationFailureAction: Enforce background: false rules: - name: require-labels 
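Review bot: policy-ready.yaml here asserts only `metadata.name: check-old-object`, with no `status.conditions`, so step-01 passes as soon as the ClusterPolicy object exists rather than when the webhook is configured. Because the expected outcome of this test is that the update is allowed, a not-yet-ready policy makes the test pass vacuously. Add the same `status.conditions` block the sibling policy-ready.yaml files use (`type: Ready`, `status: "True"`, `reason: Succeeded`) so the Enforce policy is actually in the admission path when ns.yaml and ns-update.yaml are applied.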
@@ -16,6 +15,7 @@ spec: kinds: - Namespace validate: + validationFailureAction: Enforce message: "The label `size` is required" pattern: metadata: @@ -30,6 +30,7 @@ spec: kinds: - Namespace validate: + validationFailureAction: Enforce message: "request.oldObject cannot be null for update requests" deny: conditions: diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/README.md new file mode 100644 index 0000000000..40552dbb9b --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test is migrated from e2e. It tests an imageRegistry context lookup for a "real" image and states that an image built to run as root can only come from GHCR. + +## Expected Behavior + +If an image is built to run as root user and it does NOT come from GHCR, the Pod is blocked. If it either isn't built to run as root OR it is built to run as root and does come from GHCR, it is allowed. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/bad.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/bad.yaml new file mode 100644 index 0000000000..1fd8d42096 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/bad.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-root-user-dockerhub + # namespace: default +spec: + containers: + - name: ubuntu + image: ubuntu:bionic \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 0000000000..f39c4f72f0 --- /dev/null 
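Review bot: bad.yaml relies on the remote image config of `ubuntu:bionic` having no `USER` set, and on Docker Hub serving that tag at test time; a mutable tag means the "root user" property the test depends on can drift, and unauthenticated Hub pulls are rate-limited. Pin the fixture to an immutable digest (`ubuntu@sha256:<digest of the bionic manifest you verified>`) and note in a comment that the image must have an empty config.User for the policy to deny it. The same applies to `ghcr.io/kyverno/test-verify-image:unsigned` in chainsaw-step-02-apply-1-1.yaml. The commented-out `# namespace: default` line should either be removed or explained.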
+++ b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/chainsaw-step-02-apply-1-1.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: root-pod-from-trusted-registry +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:unsigned + name: kyverno diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..068dd1ced9 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: trusted-images +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1-1.yaml + - name: step-03 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad.yaml diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/policy-ready.yaml new file mode 100644 index 0000000000..a8eeb9b888 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-trustable-images +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/policy.yaml new file mode 100644 index 0000000000..6a424882df --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/policy.yaml 
@@ -0,0 +1,39 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-trustable-images +spec: + admission: true + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + name: only-allow-trusted-images + preconditions: + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE + validate: + foreach: + - context: + - imageRegistry: + jmesPath: '{user: configData.config.User || '''', registry: registry}' + reference: '{{ element.image }}' + name: imageData + deny: + conditions: + all: + - key: '{{ imageData.user }}' + operator: Equals + value: "" + - key: '{{ imageData.registry }}' + operator: NotEquals + value: ghcr.io + list: request.object.spec.containers + message: images with root user are not allowed + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml index 6a424882df..c5c18f265c 100644 --- a/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml +++ b/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml @@ -19,6 +19,7 @@ spec: operator: NotEquals value: DELETE validate: + validationFailureAction: Enforce foreach: - context: - imageRegistry: @@ -36,4 +37,3 @@ spec: value: ghcr.io list: request.object.spec.containers message: images with root user are not allowed - validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/README.md new file mode 100644 index 0000000000..9df9119997 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/README.md 
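Review bot: The foreach in check-trustable-images iterates only `list: request.object.spec.containers`, so a root-user image from a non-GHCR registry in `initContainers` or `ephemeralContainers` is never inspected and the Pod is admitted. Kyverno's usual idiom covers them together: `list: "request.object.spec.[containers, initContainers, ephemeralContainers][]"` (ephemeral containers arrive via the pods/ephemeralcontainers subresource, so confirm the match block covers that path too). The root check is also narrower than the message implies: `imageData.user` Equals `""` catches an unset `USER`, but an image with an explicit `USER 0` or `USER root` passes; an `AnyIn` condition over `["", "0", "root"]` (and the `0:0`/`root:root` forms if you want them) would close that. Worth a comment in the rule stating the intended scope, since this file is the deprecated-form twin of the one patched below.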
@@ -0,0 +1,11 @@ +## Description + +This test is migrated from e2e. It tests basic functionality of the x509_decode JMESPath filter. + +## Expected Behavior + +The `test-bad-configmap` should fail and the `test-good-configmap` should succeed. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/bad.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/bad.yaml new file mode 100644 index 0000000000..5b488bde03 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/bad.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-bad-configmap +data: + cert: | + -----BEGIN CERTIFICATE----- + MIIDSjCCAjKgAwIBAgIUWxmj40l+TDVJq98Xy7c6Leo3np8wDQYJKoZIhvcNAQEL + BQAwPTELMAkGA1UEBhMCeHgxCjAIBgNVBAgTAXgxCjAIBgNVBAcTAXgxCjAIBgNV + BAoTAXgxCjAIBgNVBAsTAXgwHhcNMTgwMjAyMTIzODAwWhcNMjMwMjAxMTIzODAw + WjA9MQswCQYDVQQGEwJ4eDEKMAgGA1UECBMBeDEKMAgGA1UEBxMBeDEKMAgGA1UE + ChMBeDEKMAgGA1UECxMBeDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + ANHkqOmVf23KMXdaZU2eFUx1h4wb09JINBB8x/HL7UE0KFJcnOoVnNQB0gRukUop + iYCzrzMFyGWWmB/pAEKool+ZiI2uMy6mcYBDtOi4pOm7U0TQQMV6L/5Yfi65xRz3 + RTMd/tYAoFi4aCZbJAGjxU6UWNYDzTy8E/cP6ZnlNbVHRiA6/wHsoWcXtWTXYP5y + n9cf7EWQi1hOBM4BWmOIyB1f6LEgQipZWMOMPPHO3hsuSBn0rk7jovSt5XTlbgRr + txqAJiNjJUykWzIF+lLnZCioippGv5vkdGvE83JoACXvZTUwzA+MLu49fkw3bweq + kbhrer8kacjfGlw3aJN37eECAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1Ud + EwEB/wQFMAMBAf8wHQYDVR0OBBYEFKXcb52bv6oqnD+D9fTNFHZL8IWxMA0GCSqG + SIb3DQEBCwUAA4IBAQADvKvv3ym0XAYwKxPLLl3Lc6sJYHDbTN0donduG7PXeb1d + huukJ2lfufUYp2IGSAxuLecTYeeByOVp1gaMb5LsIGt2BVDmlMMkiH29LUHsvbyi + 85CpJo7A5RJG6AWW2VBCiDjz5v8JFM6pMkBRFfXH+pwIge65CE+MTSQcfb1/aIIo + Q226P7E/3uUGX4k4pDXG/O7GNvykF40v1DB5y7DDBTQ4JWiJfyGkT69TmdOGLFAm + jwxUjWyvEey4qJex/EGEm5RQcMv9iy7tba1wK7sykNGn5uDELGPGIIEAa5rIHm1F + UFOZZVoELaasWS559wy8og39Eq21dDMynb8Bndn/ + -----END CERTIFICATE----- + certB64: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM3VENDQWRXZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFZTVJZd0ZBWURWUVFEREEwcUxtdDUKZG1WeWJtOHVjM1pqTUI0WERUSXlNREV4TVRFek1qWTBNMW9YRFRJek1ERXhNVEUwTWpZME0xb3dHREVXTUJRRwpBMVVFQXd3TktpNXJlWFpsY201dkxuTjJZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DCmdnRUJBTXNBejg1K3lpbm8rTW1kS3NWdEh3Tmkzb0FWanVtelhIaUxmVUpLN3hpNUtVOEI3Z29QSEYvVkNlL1YKN1kyYzRhZnlmZ1kyZVB3NEx4U0RrQ1lOZ1l3cWpTd0dJYmNzcXY1WlJhekJkRHhSMDlyaTZQa25OeUJWR0xpNQpSbFBYSXJHUTNwc051ZjU1cXd4SnhMTzMxcUNadXZrdEtZNVl2dUlSNEpQbUJodVNGWE9ubjBaaVF3OHV4TWNRCjBRQTJseitQeFdDVk5rOXErMzFINURIMW9ZWkRMZlUzbWlqSU9BK0FKR1piQmIrWndCbXBWTDArMlRYTHhFNzQKV293ZEtFVitXVHNLb2pOVGQwVndjdVJLUktSLzZ5blhBQWlzMjF5MVg3VWk5RkpFNm1ESXlsVUQ0MFdYT0tHSgoxbFlZNDFrUm5ZaFZodlhZTjlKdE5ZZFkzSHNDQXdFQUFhTkNNRUF3RGdZRFZSMFBBUUgvQkFRREFnS2tNQThHCkExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk9ubEFTVkQ5ZnUzVEFqcHRsVy9nQVhBNHFsK01BMEcKQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNJcHlSaUNoeHA5N2NyS2ZRMjRKdDd6OFArQUdwTGYzc1g0ZUw4N0VTYQo3UVJvVkp0WExtYXV0MXBVRW9ZTFFydUttaC8wWUZ0Wkc5V3hWZ1k2aXVLYldudTdiT2VNQi9JcitWL3lyWDNSCitYdlpPc3VYaUpuRWJKaUJXNmxKekxsZG9XNGYvNzFIK2oxV0Q0dEhwcW1kTXhxL3NMcVhmUEl1YzAvbTB5RkMKbitBREJXR0dCOE5uNjZ2eHR2K2NUNnArUklWb3RYUFFXYk1pbFdwNnBkNXdTdUI2OEZxckR3dFlMTkp0UHdGcwo5TVBWa3VhSmRZWjBlV2Qvck1jS0Q5NEhnZjg5Z3ZBMCtxek1WRmYrM0JlbVhza2pRUll5NkNLc3FveUM2alg0Cm5oWWp1bUFQLzdwc2J6SVRzbnBIdGZDRUVVKzJKWndnTTQwNmFpTWNzZ0xiCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/chainsaw-step-03-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/chainsaw-step-03-apply-1-1.yaml new file mode 100755 index 0000000000..f7d22d7103 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/chainsaw-step-03-apply-1-1.yaml 
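Review bot: Nothing in test-bad-configmap says which field is meant to trigger the deny; `cert` is the self-signed `C=xx` PEM and `certB64`, once base64-decoded, appears to be a different self-signed certificate (`CN=*.kyverno.svc`, validity 2022-01-11 to 2023-01-11), so the two RSA moduli differ and the policy rejects it. Add a comment above `certB64` such as `# intentionally a different certificate than .cert: the policy must see a modulus mismatch` so a future edit does not "fix" the pair into agreement and silently turn the negative test into a positive one. Both embedded certificates are past their NotAfter dates (the PEM's validity decodes to 2018-02-02 through 2023-02-01); that is fine for `x509_decode`, which does not validate expiry, but a comment saying so avoids the question later.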
@@ -0,0 +1,27 @@ +apiVersion: v1 +data: + cert: | + -----BEGIN CERTIFICATE----- + MIIDSjCCAjKgAwIBAgIUWxmj40l+TDVJq98Xy7c6Leo3np8wDQYJKoZIhvcNAQEL + BQAwPTELMAkGA1UEBhMCeHgxCjAIBgNVBAgTAXgxCjAIBgNVBAcTAXgxCjAIBgNV + BAoTAXgxCjAIBgNVBAsTAXgwHhcNMTgwMjAyMTIzODAwWhcNMjMwMjAxMTIzODAw + WjA9MQswCQYDVQQGEwJ4eDEKMAgGA1UECBMBeDEKMAgGA1UEBxMBeDEKMAgGA1UE + ChMBeDEKMAgGA1UECxMBeDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + ANHkqOmVf23KMXdaZU2eFUx1h4wb09JINBB8x/HL7UE0KFJcnOoVnNQB0gRukUop + iYCzrzMFyGWWmB/pAEKool+ZiI2uMy6mcYBDtOi4pOm7U0TQQMV6L/5Yfi65xRz3 + RTMd/tYAoFi4aCZbJAGjxU6UWNYDzTy8E/cP6ZnlNbVHRiA6/wHsoWcXtWTXYP5y + n9cf7EWQi1hOBM4BWmOIyB1f6LEgQipZWMOMPPHO3hsuSBn0rk7jovSt5XTlbgRr + txqAJiNjJUykWzIF+lLnZCioippGv5vkdGvE83JoACXvZTUwzA+MLu49fkw3bweq + kbhrer8kacjfGlw3aJN37eECAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1Ud + EwEB/wQFMAMBAf8wHQYDVR0OBBYEFKXcb52bv6oqnD+D9fTNFHZL8IWxMA0GCSqG + SIb3DQEBCwUAA4IBAQADvKvv3ym0XAYwKxPLLl3Lc6sJYHDbTN0donduG7PXeb1d + huukJ2lfufUYp2IGSAxuLecTYeeByOVp1gaMb5LsIGt2BVDmlMMkiH29LUHsvbyi + 85CpJo7A5RJG6AWW2VBCiDjz5v8JFM6pMkBRFfXH+pwIge65CE+MTSQcfb1/aIIo + Q226P7E/3uUGX4k4pDXG/O7GNvykF40v1DB5y7DDBTQ4JWiJfyGkT69TmdOGLFAm + jwxUjWyvEey4qJex/EGEm5RQcMv9iy7tba1wK7sykNGn5uDELGPGIIEAa5rIHm1F + UFOZZVoELaasWS559wy8og39Eq21dDMynb8Bndn/ + -----END CERTIFICATE----- + certB64: 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 +kind: ConfigMap +metadata: + name: test-good-configmap diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..671c968e8f --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/chainsaw-test.yaml 
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: x509-decode
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: chainsaw-step-03-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/policy-ready.yaml
new file mode 100644
index 0000000000..f83bb3d222
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-x509-decode
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/policy.yaml
new file mode 100644
index 0000000000..88ab88b726
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-x509-decode
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: test-x509-decode
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - test-*
+ validate:
+ message: "public key modulus mismatch: \"{{ x509_decode('{{request.object.data.cert}}').PublicKey.N }}\" != \"{{ x509_decode('{{base64_decode('{{request.object.data.certB64}}')}}').PublicKey.N }}\""
+ deny:
+ conditions:
+ any:
+ - key: "{{ x509_decode('{{request.object.data.cert}}').PublicKey.N }}"
+ operator: NotEquals
+ value: "{{ x509_decode('{{base64_decode('{{request.object.data.certB64}}')}}').PublicKey.N }}"
\ No newline at end of file
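Review bot: `creationTimestamp: null` under `metadata` is serializer output that a hand-maintained chainsaw Test does not need, and the step names `step-01`/`step-02`/`step-03` say nothing about what each step verifies. Dropping the null timestamp and naming the steps after their intent (for example `- name: apply-policy`, `- name: reject-mismatched-cert`, `- name: accept-matching-cert`) would make a failing step identifiable from the chainsaw output alone; if the file was produced by a migration tool and is meant to stay generated, a one-line comment saying so would prevent repeated clean-ups. The `(deprecated)` suffix in the directory name also means the path needs quoting in any shell or Makefile invocation that references it directly.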
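Review bot: Both `policy-ready.yaml` and `policy.yaml` in this directory end with `\ No newline at end of file`; add the trailing newline so the copies match the rest of the suite and do not produce a spurious diff on the next edit. The `index` lines show `policy.yaml` is a byte-identical copy of the existing `x509-decode/policy.yaml` (blob `88ab88b726`), so the following applies to both: the `deny` rule dereferences `request.object.data.cert` and `request.object.data.certB64` unconditionally for every ConfigMap named `test-*`, so a matched ConfigMap missing either key is handled by whatever Kyverno does with an unresolved variable rather than by an explicit decision. If that is intended, a comment such as `# expects both data.cert (PEM) and data.certB64 (base64-encoded PEM) to be present` on the rule would document it; otherwise a `preconditions` block checking for both keys would make the behaviour explicit.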
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode/policy.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode/policy.yaml
index 88ab88b726..edd6cd828b 100644
--- a/test/conformance/chainsaw/validate/e2e/x509-decode/policy.yaml
+++ b/test/conformance/chainsaw/validate/e2e/x509-decode/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: test-x509-decode
 spec:
- validationFailureAction: Enforce
 rules:
 - name: test-x509-decode
 match:
@@ -14,6 +13,7 @@ spec:
 names:
 - test-*
 validate:
+ validationFailureAction: Enforce
 message: "public key modulus mismatch: \"{{ x509_decode('{{request.object.data.cert}}').PublicKey.N }}\" != \"{{ x509_decode('{{base64_decode('{{request.object.data.certB64}}')}}').PublicKey.N }}\""
 deny:
 conditions:
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml
index bab429a6ac..05347b3d26 100644
--- a/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml
+++ b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: validate-resources
 spec:
- validationFailureAction: Enforce
 background: false
 rules:
 - name: validate-resources
@@ -31,6 +30,7 @@ spec:
 namespace: kube-system
 name: deployment-controller
 validate:
+ validationFailureAction: Enforce
 manifests:
 attestors:
 - entries:
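Review bot: With `validationFailureAction: Enforce` removed from `spec` in the first hunk and re-added only under this rule's `validate`, nothing at the policy level enforces any more, so any rule later added to `test-x509-decode` without its own `validationFailureAction` falls back to the spec-level default (Audit rather than Enforce, as far as I recall Kyverno's defaults) — a silent downgrade for a `deny` rule that would not be caught by a schema check. The same move is made in `yaml-signing/policy.yaml` in the two hunks that follow, whose `rules` list continues outside the visible hunks, so it is worth confirming no other rule in that file was relying on the spec-level setting. A one-line comment above the new field, `# failure action is set per rule; every rule in this policy must declare it explicitly`, would make the intent clear to the next person editing these policies.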
