mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
* add test cpol-data-sync-delete-downstream * add test cpol-data-sync-modify-downstream * rename to be more descriptive * add test pol-data-sync-delete-downstream * cleanup test * add test cpol-data-nosync-delete-rule * add test cpol-data-nosync-delete-policy * fix formatting * add Kyverno kuttl specific snippets to BEST_PRACTICES * add reminder note * add test cpol-data-nosync-modify-rule * add test cpol-data-nosync-modify-downstream * add test pol-data-nosync-create-policy-invalid * add test pol-data-sync-delete-policy * separate files * add test pol-data-nosync-delete-downstream * add test pol-data-nosync-delete-rule * add test pol-data-nosync-delete-policy * fix description * fix description * add test pol-data-nosync-modify-rule * add test pol-data-nosync-modify-downstream * add test existing-basic-create-data * add test existing-basic-create-preconditions-data * add basic clone multiple test * add delays * add generate permissions * reorder source and ClusterPolicy, cleanup removal, README update * add test for cascading-mutation * Change creation order, remove cleanup * increase sleep * remove unused test files * remove networkpolicies from perms * add networkpolicies back * clarify readme --------- Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché
GitHub
parent
df5774f1bb
commit
3d8d29b7e6
186 changed files with 2137 additions and 40 deletions
|
|
@ -1,6 +1,41 @@
|
|||
# Some Best Practices
|
||||
## Some Best Practices
|
||||
|
||||
* Don't put anything in index `00` so it can be used in the future.
|
||||
* A final clean-up stage/file is not needed unless a resource was created using a Script. Use scripts sparingly!
|
||||
* The `*-errors.yaml` file, like an `*-assert.yaml` file only performs an existence check, not a creation check.
|
||||
* One test can contain both positive and negative tests by extending the test case. No need to write separate.
|
||||
* One test can contain both positive and negative tests by extending the test case. No need to write separate.
|
||||
|
||||
## Kyverno kuttl specifics
|
||||
|
||||
Kyverno's fork of kuttl adds several new features not found in the upstream. These features were added to make testing Kyverno's many capabilities easier and more intuitive. Below are some sample TestStep contents which illustrate these features
|
||||
|
||||
### Apply, Assert, Errors, Deletes
|
||||
|
||||
A TestStep file can declare apply, assert, errors, and deletions by naming the files that should be checked or specifying an object (in the case of delete). These do not all have to be used together.
|
||||
|
||||
```yaml
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
||||
error:
|
||||
- configmap-rejected.yaml
|
||||
delete:
|
||||
- apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
name: podsecurity-subrule-restricted
|
||||
```
|
||||
|
||||
### Checking for creation failures
|
||||
|
||||
When the expected behavior for a given manifest's creation should be that it fails (i.e., you want and expect to see it fail), a TestStep can declare this without needing to use a script.
|
||||
|
||||
```yaml
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- file: cleanuppolicy-with-subjects.yaml
|
||||
shouldFail: true
|
||||
```
|
||||
|
|
|
|||
|
|
@ -1,4 +1,6 @@
|
|||
## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
|
||||
## Note that the need for this type of script is deprecated in favor of Kyverno kuttl's feature allowing a TestStep to
|
||||
## indicate that creation of a file should fail. See the BEST_PRACTICES.md file for an example.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- manifests.yaml
|
||||
- policy.yaml
|
||||
assert:
|
||||
- cluster-policy-ready.yaml
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- ns.yaml
|
||||
assert:
|
||||
- resource-assert.yaml
|
||||
error:
|
||||
- fail-resources.yaml
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a basic creation test of the "clone multiple" feature that ensures resources are created as expected by selecting the sources based upon label.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the `citrine` Namespace receives a Secret named `opal-secret` and a ConfigMap named `opal-cm`, the test passes. If it either does not receive one of these or it additionally receives a Secret named `forbidden`, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-multiple-basic-create-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
thisshouldnotbe: clonedanywhere
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: forbidden
|
||||
namespace: citrine
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: opal
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
gemstone: b3BhbA==
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: opal-secret
|
||||
namespace: opal
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
gemstone: opal
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: opal-cm
|
||||
namespace: opal
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
thisshouldnotbe: clonedanywhere
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: forbidden
|
||||
namespace: opal
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: citrine
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-multiple-basic-create-policy
|
||||
spec:
|
||||
rules:
|
||||
- name: clone-multiple-basic-create-policy-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
synchronize: true
|
||||
cloneList:
|
||||
namespace: opal
|
||||
kinds:
|
||||
- v1/Secret
|
||||
- v1/ConfigMap
|
||||
selector:
|
||||
matchLabels:
|
||||
allowedToBeCloned: "true"
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
gemstone: b3BhbA==
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
name: opal-secret
|
||||
namespace: citrine
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
gemstone: opal
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
name: opal-cm
|
||||
namespace: citrine
|
||||
|
|
@ -1,3 +1,12 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: default
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
|
|
@ -18,13 +27,4 @@ spec:
|
|||
synchronize: true
|
||||
clone:
|
||||
namespace: default
|
||||
name: regcred
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: default
|
||||
type: Opaque
|
||||
name: regcred
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true
|
||||
|
|
@ -1,3 +1,11 @@
|
|||
# Title
|
||||
## Description
|
||||
|
||||
This is a generate test to ensure a cloned secret shows properly in the new Namespace.
|
||||
This is a basic generate test to ensure a cloned secret shows properly in the new Namespace.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource is created, the test passes. If it is not created, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -1,3 +1,12 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: default
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
|
|
@ -19,12 +28,3 @@ spec:
|
|||
clone:
|
||||
namespace: default
|
||||
name: regcred
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: default
|
||||
type: Opaque
|
||||
|
|
|
|||
|
|
@ -1,4 +0,0 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true
|
||||
|
|
@ -1,3 +1,11 @@
|
|||
# Title
|
||||
|
||||
This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled deletes the downstream ConfigMap when matching a new Namespace.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the generated (downstream) resource is not recreated, the test passes. If it is recreated from the definition in the rule, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-generated.yaml
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
delete:
|
||||
- apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
name: cpol-data-nosync-delete-policy-policy
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: wolfram-debug
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a generate rule with a data declaration and NO synchronization, when the ClusterPolicy is deleted does NOT cause the generated resources to be deleted.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource remains after deletion of the ClusterPolicy, the test passes. If it is deleted, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-policy-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-policy-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-delete-policy-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: wolfram-debug
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: wolfram-debug
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-generated.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy-with-rule-removed.yaml
|
||||
assert:
|
||||
- both-resources-exist.yaml
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a rule within a policy having two rules is deleted does NOT cause any of the generated resources corresponding to that removed rule to be deleted.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If both generated resources remain after deletion of the rule, the test passes. If either one is deleted, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: trench-splendid
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
name: supersecret
|
||||
namespace: trench-splendid
|
||||
type: Opaque
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-rule-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-rule-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-delete-rule-ruletwo
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
name: supersecret
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
|
||||
|
|
@ -0,0 +1,63 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-rule-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-delete-rule-ruleone
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
- name: cpol-data-nosync-delete-rule-ruletwo
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
name: supersecret
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: trench-splendid
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
name: supersecret
|
||||
namespace: trench-splendid
|
||||
type: Opaque
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: trench-splendid
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-generated.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- downstream-modified.yaml
|
||||
assert:
|
||||
- downstream-untouched.yaml
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a downstream (generated) resource is modified this does NOT result in those modifications getting reverted based upon the definition in the rule.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource is left in the modified state, the test passes. If the downstream resource is synced from the definition in the rule, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: hereissomenewdataichanged
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: selected-beagle
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: hereissomenewdataichanged
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: selected-beagle
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-modify-downstream-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-modify-downstream-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-modify-downstream-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: selected-beagle
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: selected-beagle
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-generated.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- rule-modified.yaml
|
||||
assert:
|
||||
- downstream-untouched.yaml
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a rule within a policy is changed (under the data object) that this does NOT cause the downstream resource to be synced.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource is NOT modified from its initial generation, the test passes. If the downstream resource is synced from the changes made to the rule, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: stern-liquid
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-modify-rule-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-modify-rule-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-modify-rule-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: stern-liquid
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: stern-liquid
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-modify-rule-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-modify-rule-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "ihavechangedthis"
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-delete-downstream-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-delete-downstream-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-sync-delete-downstream-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: falcon-heavy
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: falcon-heavy
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
delete:
|
||||
- apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: falcon-heavy
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: falcon-heavy
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that when a standard generate policy with data type and sync enabled is used, deletion of the generated/downstream resource causes Kyverno to re-create the resource.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the resource is recreated, the test passes. If it is not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-modify-downstream-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-modify-downstream-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-sync-modify-downstream-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: trainer
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: trainer
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: ichangedthis
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: trainer
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: trainer
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that when a standard generate policy with data type and sync enabled is used, modification of the generated/downstream resource causes Kyverno to sync the resource from the definition in the rule.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the resource is synced from the definition in the rule, the test passes. If it is not and remains in the modified state, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- existing-resources.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 5
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
assert:
|
||||
- generated-resources.yaml
|
||||
error:
|
||||
- fail-generated-resources.yaml
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a basic creation test for a "generate existing" policy. It checks that the basic functionality works whereby installation of the policy causes correct evaluation of the match block resulting in generation of resources in only the matching result.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If only the `red-ns` Namespace receives a generated NetworkPolicy, the test passes. If either it does not or `green-ns` or `winter-ns` receive NetworkPolicies, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: red-ns
|
||||
labels:
|
||||
color: red
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: green-ns
|
||||
labels:
|
||||
color: green
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: winter-ns
|
||||
labels:
|
||||
season: winter
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
labels:
|
||||
created-by: kyverno
|
||||
name: default-deny
|
||||
namespace: green-ns
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
labels:
|
||||
created-by: kyverno
|
||||
name: default-deny
|
||||
namespace: winter-ns
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
labels:
|
||||
created-by: kyverno
|
||||
name: default-deny
|
||||
namespace: red-ns
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: existing-basic-create-data-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: existing-basic-create-data-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: true
|
||||
rules:
|
||||
- name: existing-basic-create-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
selector:
|
||||
matchLabels:
|
||||
color: red
|
||||
generate:
|
||||
kind: NetworkPolicy
|
||||
apiVersion: networking.k8s.io/v1
|
||||
name: default-deny
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
synchronize: true
|
||||
data:
|
||||
metadata:
|
||||
labels:
|
||||
created-by: kyverno
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- existing-resources.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
assert:
|
||||
- generated-resources.yaml
|
||||
error:
|
||||
- fail-generated-resources.yaml
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a basic creation test for a "generate existing" policy with preconditions. It checks that the basic functionality works whereby installation of the policy causes correct evaluation of the match and preconditions blocks.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If only the `jupiter` Namespace receives a generated ConfigMap, the test passes. If either it does not or `venus` receives a ConfigMap, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,41 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: jupiter
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: test-lb
|
||||
namespace: jupiter
|
||||
spec:
|
||||
ports:
|
||||
- name: web
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: web
|
||||
selector:
|
||||
app.kubernetes.io/instance: jupiter-foobar
|
||||
type: LoadBalancer
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: venus
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: redis
|
||||
name: venus-clusterip-svc
|
||||
namespace: venus
|
||||
spec:
|
||||
ports:
|
||||
- name: tcp-redis
|
||||
port: 6379
|
||||
protocol: TCP
|
||||
targetPort: 6379
|
||||
selector:
|
||||
app.kubernetes.io/name: venus-redis
|
||||
type: ClusterIP
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
doeshavesvclb: "true"
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: mylb-cm
|
||||
namespace: venus
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
doeshavesvclb: "true"
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: mylb-cm
|
||||
namespace: jupiter
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: existing-basic-create-data-preconditions-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: existing-basic-create-data-preconditions-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: true
|
||||
rules:
|
||||
- name: existing-basic-create-data-preconditions-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Service
|
||||
preconditions:
|
||||
any:
|
||||
- key: "{{request.object.spec.type}}"
|
||||
operator: Equals
|
||||
value: LoadBalancer
|
||||
generate:
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
name: mylb-cm
|
||||
namespace: "{{request.object.metadata.namespace}}"
|
||||
synchronize: true
|
||||
data:
|
||||
data:
|
||||
doeshavesvclb: "true"
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- file: ns.yaml
|
||||
shouldFail: false
|
||||
- file: policy.yaml
|
||||
shouldFail: true
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a "bad" Policy (Namespaced) cannot be created which attempts to generate a resource into a different Namespace from that in which the Policy exists.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the Policy cannot be created, the test passes. If it is allowed to be created, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: indigiored
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: pol-data-nosync-create-policy-invalid-policy
|
||||
namespace: indigiored
|
||||
spec:
|
||||
rules:
|
||||
- name: pol-data-nosync-create-policy-invalid-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Secret
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: kindbrown
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- secret.yaml
|
||||
assert:
|
||||
- generated-configmap.yaml
|
||||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue