From 406cb5d32bd0811c0bc0443f96f2a8f49fa01107 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Mon, 26 Feb 2024 09:57:47 +0200
Subject: [PATCH] chore: add tests for exceptions in the CLI (#9781)

Signed-off-by: Mariam Fahmy
---
 .../exceptions-1/exception.yaml | 21 +++
 .../exceptions-1/kyverno-test.yaml | 29 ++++
 .../test-exceptions/exceptions-1/policy.yaml | 23 +++
 .../exceptions-1/resources.yaml | 66 +++++++++
 .../exceptions-2/exception.yaml | 21 +++
 .../exceptions-2/kyverno-test.yaml | 29 ++++
 .../test-exceptions/exceptions-2/policy.yaml | 22 +++
 .../exceptions-2/resources.yaml | 140 ++++++++++++++++++
 .../exceptions-3/exception.yaml | 20 +++
 .../exceptions-3/kyverno-test.yaml | 29 ++++
 .../test-exceptions/exceptions-3/policy.yaml | 18 +++
 .../exceptions-3/resources.yaml | 46 ++++++
 12 files changed, 464 insertions(+)
 create mode 100644 test/cli/test-exceptions/exceptions-1/exception.yaml
 create mode 100644 test/cli/test-exceptions/exceptions-1/kyverno-test.yaml
 create mode 100644 test/cli/test-exceptions/exceptions-1/policy.yaml
 create mode 100644 test/cli/test-exceptions/exceptions-1/resources.yaml
 create mode 100644 test/cli/test-exceptions/exceptions-2/exception.yaml
 create mode 100644 test/cli/test-exceptions/exceptions-2/kyverno-test.yaml
 create mode 100644 test/cli/test-exceptions/exceptions-2/policy.yaml
 create mode 100644 test/cli/test-exceptions/exceptions-2/resources.yaml
 create mode 100644 test/cli/test-exceptions/exceptions-3/exception.yaml
 create mode 100644 test/cli/test-exceptions/exceptions-3/kyverno-test.yaml
 create mode 100644 test/cli/test-exceptions/exceptions-3/policy.yaml
 create mode 100644 test/cli/test-exceptions/exceptions-3/resources.yaml

diff --git a/test/cli/test-exceptions/exceptions-1/exception.yaml b/test/cli/test-exceptions/exceptions-1/exception.yaml
new file mode 100644
index 0000000000..cdd54d0130
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-1/exception.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: delta-exception
+ namespace: delta
+spec:
+ exceptions:
+ - policyName: disallow-host-namespaces
+ ruleNames:
+ - host-namespaces
+ - autogen-host-namespaces
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ namespaces:
+ - delta
+ names:
+ - important-tool*
diff --git a/test/cli/test-exceptions/exceptions-1/kyverno-test.yaml b/test/cli/test-exceptions/exceptions-1/kyverno-test.yaml
new file mode 100644
index 0000000000..a27939d26d
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-1/kyverno-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: cli.kyverno.io/v1alpha1
+exceptions:
+- exception.yaml
+kind: Test
+metadata:
+ name: kyverno-test
+policies:
+- policy.yaml
+resources:
+- resources.yaml
+results:
+- kind: Deployment
+ policy: disallow-host-namespaces
+ resources:
+ - bad-deployment
+ result: fail
+ rule: autogen-host-namespaces
+- kind: Deployment
+ policy: disallow-host-namespaces
+ resources:
+ - good-deployment
+ result: pass
+ rule: autogen-host-namespaces
+- kind: Deployment
+ policy: disallow-host-namespaces
+ resources:
+ - important-tool
+ result: skip
+ rule: autogen-host-namespaces
diff --git a/test/cli/test-exceptions/exceptions-1/policy.yaml b/test/cli/test-exceptions/exceptions-1/policy.yaml
new file mode 100644
index 0000000000..c4ee436ac1
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-1/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-namespaces
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: host-namespaces
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
+ spec.hostIPC, and spec.hostPID must be unset or set to `false`.
+ pattern:
+ spec:
+ =(hostPID): "false"
+ =(hostIPC): "false"
+ =(hostNetwork): "false"
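Review bot: The expected results in exceptions-1/kyverno-test.yaml only exercise the exception through a resource that satisfies both of its selectors at once, so the test cannot show that the `namespaces: [delta]` constraint is enforced together with the `important-tool*` name wildcard; `bad-deployment` and `good-deployment` carry no namespace and a non-matching name, and nothing checks a wildcard-matching name outside `delta`. Since the exception is the only thing standing between a `hostIPC: true` workload and the Enforce policy, a fixture that matches the name but not the namespace would pin that boundary: a constructed `important-tool-2` Deployment with `namespace: default` and `hostIPC: true` added to resources.yaml, paired with an expected `fail` entry. The results entry for it would be:
```yaml
# … unchanged: existing results entries …
- kind: Deployment
  policy: disallow-host-namespaces
  resources:
  - important-tool-2   # constructed: name matches important-tool*, namespace is not delta
  result: fail
  rule: autogen-host-namespaces
```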
diff --git a/test/cli/test-exceptions/exceptions-1/resources.yaml b/test/cli/test-exceptions/exceptions-1/resources.yaml
new file mode 100644
index 0000000000..d416eb55ef
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-1/resources.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: important-tool
+ namespace: delta
+ labels:
+ app: busybox
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ hostIPC: true
+ containers:
+ - image: busybox:1.35
+ name: busybox
+ command: ["sleep", "1d"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ labels:
+ app: busybox
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ hostIPC: true
+ containers:
+ - image: busybox:1.35
+ name: busybox
+ command: ["sleep", "1d"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ labels:
+ app: busybox
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ hostIPC: false
+ containers:
+ - image: busybox:1.35
+ name: busybox
+ command: ["sleep", "1d"]
diff --git a/test/cli/test-exceptions/exceptions-2/exception.yaml b/test/cli/test-exceptions/exceptions-2/exception.yaml
new file mode 100644
index 0000000000..e7a8ede127
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-2/exception.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: container-exception
+spec:
+ exceptions:
+ - policyName: max-containers
+ ruleNames:
+ - max-two-containers
+ - autogen-max-two-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ conditions:
+ any:
+ - key: "{{ request.object.metadata.labels.color || '' }}"
+ operator: Equals
+ value: blue
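Review bot: The condition key `request.object.metadata.labels.color` in exceptions-2/exception.yaml is satisfied by `excluded-deployment` at two levels, because the exceptions-2/resources.yaml hunk sets `color: blue` in both `metadata.labels` and `spec.template.metadata.labels`; the expected `skip` for `autogen-max-two-containers` therefore does not reveal which object the condition is evaluated against when the autogenerated Deployment rule runs. If the fixture is meant to prove that the autogen rule honors a label-conditioned exception, a second Deployment carrying the label on only one of the two objects would make that observable; otherwise a one-line comment on the `key:` line saying the label is deliberately duplicated so the test is independent of that detail would stop readers from drawing a conclusion the test does not support. The `|| ''` default on the key looks like it is there so a resource without the label yields an empty string rather than a missing value; stating that in a comment would make the intent explicit.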
diff --git a/test/cli/test-exceptions/exceptions-2/kyverno-test.yaml b/test/cli/test-exceptions/exceptions-2/kyverno-test.yaml
new file mode 100644
index 0000000000..e6e2688a67
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-2/kyverno-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: cli.kyverno.io/v1alpha1
+exceptions:
+- exception.yaml
+kind: Test
+metadata:
+ name: kyverno-test
+policies:
+- policy.yaml
+resources:
+- resources.yaml
+results:
+- kind: Deployment
+ policy: max-containers
+ resources:
+ - bad-deployment
+ result: fail
+ rule: autogen-max-two-containers
+- kind: Deployment
+ policy: max-containers
+ resources:
+ - good-deployment
+ result: pass
+ rule: autogen-max-two-containers
+- kind: Deployment
+ policy: max-containers
+ resources:
+ - excluded-deployment
+ result: skip
+ rule: autogen-max-two-containers
diff --git a/test/cli/test-exceptions/exceptions-2/policy.yaml b/test/cli/test-exceptions/exceptions-2/policy.yaml
new file mode 100644
index 0000000000..2e66ed1429
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-2/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: max-containers
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: max-two-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "A maximum of 2 containers are allowed inside a Pod."
+ deny:
+ conditions:
+ any:
+ - key: "{{request.object.spec.containers[] | length(@)}}"
+ operator: GreaterThan
+ value: "2"
diff --git a/test/cli/test-exceptions/exceptions-2/resources.yaml b/test/cli/test-exceptions/exceptions-2/resources.yaml
new file mode 100644
index 0000000000..e70d47fd1d
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-2/resources.yaml
@@ -0,0 +1,140 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: excluded-deployment
+ labels:
+ app: my-app
+ color: blue
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: my-app
+ template:
+ metadata:
+ labels:
+ app: my-app
+ color: blue
+ spec:
+ containers:
+ - name: nginx-container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ resources:
+ limits:
+ cpu: "1"
+ memory: "256Mi"
+ requests:
+ cpu: "0.5"
+ memory: "128Mi"
+ - name: redis-container
+ image: redis:latest
+ ports:
+ - containerPort: 6379
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "512Mi"
+ requests:
+ cpu: "0.25"
+ memory: "256Mi"
+ - name: busybox-container
+ image: busybox:latest
+ command: ["/bin/sh", "-c", "while true; do echo 'Hello from BusyBox'; sleep 10; done"]
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "128Mi"
+ requests:
+ cpu: "0.25"
+ memory: "64Mi"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ labels:
+ app: my-app
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: my-app
+ template:
+ metadata:
+ labels:
+ app: my-app
+ spec:
+ containers:
+ - name: nginx-container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ resources:
+ limits:
+ cpu: "1"
+ memory: "256Mi"
+ requests:
+ cpu: "0.5"
+ memory: "128Mi"
+ - name: redis-container
+ image: redis:latest
+ ports:
+ - containerPort: 6379
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "512Mi"
+ requests:
+ cpu: "0.25"
+ memory: "256Mi"
+ - name: busybox-container
+ image: busybox:latest
+ command: ["/bin/sh", "-c", "while true; do echo 'Hello from BusyBox'; sleep 10; done"]
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "128Mi"
+ requests:
+ cpu: "0.25"
+ memory: "64Mi"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ labels:
+ app: my-app
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: my-app
+ template:
+ metadata:
+ labels:
+ app: my-app
+ spec:
+ containers:
+ - name: nginx-container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ resources:
+ limits:
+ cpu: "1"
+ memory: "256Mi"
+ requests:
+ cpu: "0.5"
+ memory: "128Mi"
+ - name: busybox-container
+ image: busybox:latest
+ command: ["/bin/sh", "-c", "while true; do echo 'Hello from BusyBox'; sleep 10; done"]
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "128Mi"
+ requests:
+ cpu: "0.25"
+ memory: "64Mi"
diff --git a/test/cli/test-exceptions/exceptions-3/exception.yaml b/test/cli/test-exceptions/exceptions-3/exception.yaml
new file mode 100644
index 0000000000..b3c8ee87e5
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-3/exception.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - baseline
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "HostPath Volumes"
+ restrictedField: "spec.volumes[*].hostPath"
+ values:
+ - "path"
diff --git a/test/cli/test-exceptions/exceptions-3/kyverno-test.yaml b/test/cli/test-exceptions/exceptions-3/kyverno-test.yaml
new file mode 100644
index 0000000000..10faba41a7
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-3/kyverno-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: cli.kyverno.io/v1alpha1
+exceptions:
+- exception.yaml
+kind: Test
+metadata:
+ name: kyverno-test
+policies:
+- policy.yaml
+resources:
+- resources.yaml
+results:
+- kind: Pod
+ policy: psa
+ resources:
+ - bad-pod
+ result: fail
+ rule: baseline
+- kind: Pod
+ policy: psa
+ resources:
+ - good-pod
+ result: pass
+ rule: baseline
+- kind: Pod
+ policy: psa
+ resources:
+ - excluded-pod
+ result: skip
+ rule: baseline
diff --git a/test/cli/test-exceptions/exceptions-3/policy.yaml b/test/cli/test-exceptions/exceptions-3/policy.yaml
new file mode 100644
index 0000000000..863539b590
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-3/policy.yaml
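Review bot: The PolicyException in exceptions-3/exception.yaml is created in `policy-exception-ns` but exempts pods in `staging-ns`, and the matching results entry expects `excluded-pod` to `skip`, so the fixture relies on a cross-namespace exception being honored by the CLI. That is worth a comment on the `namespace:` line, because in a running cluster whether an exception from one namespace may exempt workloads in another is governed by the admission controller's exception-namespace setting (the `exceptionNamespace` flag, if I recall the name correctly), which the CLI does not model; without the comment a reader may take this fixture as a statement about runtime behavior. Suggested comment: `# intentionally a different namespace from the matched pods: the CLI test exercises cross-namespace exception handling`. The `values: ["path"]` entry under the `HostPath Volumes` control is also hard to read in isolation; a short comment stating what that listed value is matched against in `spec.volumes[*].hostPath` would help the next maintainer.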
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: baseline
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
diff --git a/test/cli/test-exceptions/exceptions-3/resources.yaml b/test/cli/test-exceptions/exceptions-3/resources.yaml
new file mode 100644
index 0000000000..2f743f645a
--- /dev/null
+++ b/test/cli/test-exceptions/exceptions-3/resources.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: staging-ns
+spec:
+ volumes:
+ - name: host
+ hostPath:
+ path: /var/lib1
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ volumes:
+ - name: host
+ hostPath:
+ path: /var/lib1
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d