chore: add tests for exceptions in the CLI (#9781)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

test/cli/test-exceptions/exceptions-1/exception.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: delta-exception
+  namespace: delta
+spec:
+  exceptions:
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - host-namespaces
+    - autogen-host-namespaces
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        namespaces:
+        - delta
+        names:
+        - important-tool*

test/cli/test-exceptions/exceptions-1/kyverno-test.yaml

@@ -0,0 +1,29 @@
+apiVersion: cli.kyverno.io/v1alpha1
+exceptions:
+- exception.yaml
+kind: Test
+metadata:
+  name: kyverno-test
+policies:
+- policy.yaml
+resources:
+- resources.yaml
+results:
+- kind: Deployment
+  policy: disallow-host-namespaces
+  resources:
+  - bad-deployment
+  result: fail
+  rule: autogen-host-namespaces
+- kind: Deployment
+  policy: disallow-host-namespaces
+  resources:
+  - good-deployment
+  result: pass
+  rule: autogen-host-namespaces
+- kind: Deployment
+  policy: disallow-host-namespaces
+  resources:
+  - important-tool
+  result: skip
+  rule: autogen-host-namespaces

test/cli/test-exceptions/exceptions-1/policy.yaml

@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-namespaces
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+    - name: host-namespaces
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        message: >-
+          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
+          spec.hostIPC, and spec.hostPID must be unset or set to `false`.          
+        pattern:
+          spec:
+            =(hostPID): "false"
+            =(hostIPC): "false"
+            =(hostNetwork): "false"

test/cli/test-exceptions/exceptions-1/resources.yaml

@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: important-tool
+  namespace: delta
+  labels:
+    app: busybox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      hostIPC: true
+      containers:
+      - image: busybox:1.35
+        name: busybox
+        command: ["sleep", "1d"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bad-deployment
+  labels:
+    app: busybox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      hostIPC: true
+      containers:
+      - image: busybox:1.35
+        name: busybox
+        command: ["sleep", "1d"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: good-deployment
+  labels:
+    app: busybox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      hostIPC: false
+      containers:
+      - image: busybox:1.35
+        name: busybox
+        command: ["sleep", "1d"]

test/cli/test-exceptions/exceptions-2/exception.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: container-exception
+spec:
+  exceptions:
+  - policyName: max-containers
+    ruleNames:
+    - max-two-containers
+    - autogen-max-two-containers
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+  conditions:
+    any:
+    - key: "{{ request.object.metadata.labels.color || '' }}"
+      operator: Equals
+      value: blue

test/cli/test-exceptions/exceptions-2/kyverno-test.yaml

@@ -0,0 +1,29 @@
+apiVersion: cli.kyverno.io/v1alpha1
+exceptions:
+- exception.yaml
+kind: Test
+metadata:
+  name: kyverno-test
+policies:
+- policy.yaml
+resources:
+- resources.yaml
+results:
+- kind: Deployment
+  policy: max-containers
+  resources:
+  - bad-deployment
+  result: fail
+  rule: autogen-max-two-containers
+- kind: Deployment
+  policy: max-containers
+  resources:
+  - good-deployment
+  result: pass
+  rule: autogen-max-two-containers
+- kind: Deployment
+  policy: max-containers
+  resources:
+  - excluded-deployment
+  result: skip
+  rule: autogen-max-two-containers

test/cli/test-exceptions/exceptions-2/policy.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: max-containers
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: max-two-containers
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "A maximum of 2 containers are allowed inside a Pod."
+      deny:
+        conditions:
+          any:
+          - key: "{{request.object.spec.containers[] | length(@)}}"
+            operator: GreaterThan
+            value: "2"

test/cli/test-exceptions/exceptions-2/resources.yaml

@@ -0,0 +1,140 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: excluded-deployment
+  labels:
+    app: my-app
+    color: blue
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: my-app
+  template:
+    metadata:
+      labels:
+        app: my-app
+        color: blue
+    spec:
+      containers:
+        - name: nginx-container
+          image: nginx:latest
+          ports:
+            - containerPort: 80
+          resources:
+            limits:
+              cpu: "1"
+              memory: "256Mi"
+            requests:
+              cpu: "0.5"
+              memory: "128Mi"
+        - name: redis-container
+          image: redis:latest
+          ports:
+            - containerPort: 6379
+          resources:
+            limits:
+              cpu: "0.5"
+              memory: "512Mi"
+            requests:
+              cpu: "0.25"
+              memory: "256Mi"
+        - name: busybox-container
+          image: busybox:latest
+          command: ["/bin/sh", "-c", "while true; do echo 'Hello from BusyBox'; sleep 10; done"]
+          resources:
+            limits:
+              cpu: "0.5"
+              memory: "128Mi"
+            requests:
+              cpu: "0.25"
+              memory: "64Mi"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bad-deployment
+  labels:
+    app: my-app
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: my-app
+  template:
+    metadata:
+      labels:
+        app: my-app
+    spec:
+      containers:
+        - name: nginx-container
+          image: nginx:latest
+          ports:
+            - containerPort: 80
+          resources:
+            limits:
+              cpu: "1"
+              memory: "256Mi"
+            requests:
+              cpu: "0.5"
+              memory: "128Mi"
+        - name: redis-container
+          image: redis:latest
+          ports:
+            - containerPort: 6379
+          resources:
+            limits:
+              cpu: "0.5"
+              memory: "512Mi"
+            requests:
+              cpu: "0.25"
+              memory: "256Mi"
+        - name: busybox-container
+          image: busybox:latest
+          command: ["/bin/sh", "-c", "while true; do echo 'Hello from BusyBox'; sleep 10; done"]
+          resources:
+            limits:
+              cpu: "0.5"
+              memory: "128Mi"
+            requests:
+              cpu: "0.25"
+              memory: "64Mi"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: good-deployment
+  labels:
+    app: my-app
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: my-app
+  template:
+    metadata:
+      labels:
+        app: my-app
+    spec:
+      containers:
+        - name: nginx-container
+          image: nginx:latest
+          ports:
+            - containerPort: 80
+          resources:
+            limits:
+              cpu: "1"
+              memory: "256Mi"
+            requests:
+              cpu: "0.5"
+              memory: "128Mi"
+        - name: busybox-container
+          image: busybox:latest
+          command: ["/bin/sh", "-c", "while true; do echo 'Hello from BusyBox'; sleep 10; done"]
+          resources:
+            limits:
+              cpu: "0.5"
+              memory: "128Mi"
+            requests:
+              cpu: "0.25"
+              memory: "64Mi"

test/cli/test-exceptions/exceptions-3/exception.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: pod-security-exception
+  namespace: policy-exception-ns
+spec:
+  exceptions:
+  - policyName: psa
+    ruleNames:
+    - baseline
+  match:
+    any:
+    - resources:
+        namespaces:
+        - staging-ns
+  podSecurity:
+    - controlName: "HostPath Volumes"
+      restrictedField: "spec.volumes[*].hostPath"
+      values:
+      - "path"

test/cli/test-exceptions/exceptions-3/kyverno-test.yaml

@@ -0,0 +1,29 @@
+apiVersion: cli.kyverno.io/v1alpha1
+exceptions:
+- exception.yaml
+kind: Test
+metadata:
+  name: kyverno-test
+policies:
+- policy.yaml
+resources:
+- resources.yaml
+results:
+- kind: Pod
+  policy: psa
+  resources:
+  - bad-pod
+  result: fail
+  rule: baseline
+- kind: Pod
+  policy: psa
+  resources:
+  - good-pod
+  result: pass
+  rule: baseline
+- kind: Pod
+  policy: psa
+  resources:
+  - excluded-pod
+  result: skip
+  rule: baseline

test/cli/test-exceptions/exceptions-3/policy.yaml

@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: psa
+spec:
+  background: true
+  validationFailureAction: Enforce
+  rules:
+  - name: baseline
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      podSecurity:
+        level: baseline
+        version: latest

test/cli/test-exceptions/exceptions-3/resources.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: good-pod
+  namespace: default
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    args:
+    - sleep
+    - 1d
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: excluded-pod
+  namespace: staging-ns
+spec:
+  volumes:
+  - name: host
+    hostPath:
+      path: /var/lib1
+  containers:
+  - name: nginx
+    image: nginx
+    args:
+    - sleep
+    - 1d
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bad-pod
+  namespace: default
+spec:
+  volumes:
+  - name: host
+    hostPath:
+      path: /var/lib1
+  containers:
+  - name: nginx
+    image: nginx
+    args:
+    - sleep
+    - 1d