refactor: add cli fix package (#8400)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-30 19:35:06 +00:00 · 2023-09-14 21:36:32 +02:00 · 2023-09-14 21:36:32 +02:00 · 410f99f624
commit 410f99f624
parent d8186ef4ab
39 changed files with 533 additions and 483 deletions
--- a/cmd/cli/kubectl-kyverno/commands/fix/test/options.go
+++ b/cmd/cli/kubectl-kyverno/commands/fix/test/options.go
@ -6,8 +6,9 @@ import (
 	"io"
 	"os"
 	"path/filepath"
 	"reflect"
-	testapi "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/test"
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/fix"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test"
 	"sigs.k8s.io/yaml"
 )
@ -45,66 +46,24 @@ func (o options) execute(out io.Writer, dirs ...string) error {
 			fmt.Fprintln(out)
 			continue
 		}
-		test := testCase.Test
+		fixed := *testCase.Test
-		needsSave := false
+		if fixed.Name == "" {
 		if test.Name == "" {
 			fmt.Fprintln(out, "  WARNING: name is not set")
-			test.Name = filepath.Base(testCase.Path)
+			fixed.Name = filepath.Base(testCase.Path)
 			needsSave = true
 		}
-		if len(test.Policies) == 0 {
+		fixed, messages, err := fix.FixTest(fixed, o.compress)
-			fmt.Fprintln(out, "  WARNING: test has no policies")
+		for _, warning := range messages {
 			fmt.Fprintln(out, "  WARNING:", warning)
 		}
-		if len(test.Resources) == 0 {
+		if err != nil {
-			fmt.Fprintln(out, "  WARNING: test has no resources")
+			fmt.Fprintln(out, "  ERROR:", err)
-		}
+			continue
 		for i := range test.Results {
 			result := &test.Results[i]
 			if result.Resource != "" && len(result.Resources) != 0 {
 				fmt.Fprintln(out, "  WARNING: test result should not use both `resource` and `resources` fields")
 			}
 			if result.Resource != "" {
 				fmt.Fprintln(out, "  WARNING: test result uses deprecated `resource` field, moving it into the `resources` field")
 				result.Resources = append(result.Resources, result.Resource)
 				result.Resource = ""
 				needsSave = true
 			}
 			if result.Namespace != "" {
 				fmt.Fprintln(out, "  WARNING: test result uses deprecated `namespace` field, replacing `policy` with a `<namespace>/<name>` pattern")
 				result.Policy = fmt.Sprintf("%s/%s", result.Namespace, result.Policy)
 				result.Namespace = ""
 				needsSave = true
 			}
 			if result.Status != "" && result.Result != "" {
 				fmt.Fprintln(out, "  ERROR: test result should not use both `status` and `result` fields")
 			}
 			if result.Status != "" && result.Result == "" {
 				fmt.Fprintln(out, "  WARNING: test result uses deprecated `status` field, moving it into the `result` field")
 				result.Result = result.Status
 				result.Status = ""
 				needsSave = true
 			}
 		}
 		if o.compress {
 			compressed := map[testapi.TestResultBase][]string{}
 			for _, result := range test.Results {
 				compressed[result.TestResultBase] = append(compressed[result.TestResultBase], result.Resources...)
 			}
 			if len(compressed) != len(test.Results) {
 				needsSave = true
 			}
 			test.Results = nil
 			for k, v := range compressed {
 				test.Results = append(test.Results, testapi.TestResult{
 					TestResultBase: k,
 					Resources:      v,
 				})
 			}
 		}
 		needsSave := !reflect.DeepEqual(testCase.Test, &fixed)
 		if o.save && needsSave {
 			fmt.Fprintf(out, "  Saving test file (%s)...", testCase.Path)
 			fmt.Fprintln(out)
-			yamlBytes, err := yaml.Marshal(test)
+			yamlBytes, err := yaml.Marshal(fixed)
 			if err != nil {
 				fmt.Fprintf(out, "    ERROR: converting test to yaml: %s", err)
 				fmt.Fprintln(out)
--- a/cmd/cli/kubectl-kyverno/fix/test.go
+++ b/cmd/cli/kubectl-kyverno/fix/test.go
@ -0,0 +1,101 @@
 package fix
 import (
 	"errors"
 	"fmt"
 	testapi "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/test"
 	"golang.org/x/exp/slices"
 )
 func FixTest(test testapi.Test, compress bool) (testapi.Test, []string, error) {
 	var messages []string
 	if test.Name == "" {
 		messages = append(messages, "name is not set")
 	}
 	if len(test.Policies) == 0 {
 		messages = append(messages, "test has no policies")
 	}
 	if len(test.Resources) == 0 {
 		messages = append(messages, "test has no resources")
 	}
 	var results []testapi.TestResult
 	for _, result := range test.Results {
 		if result.Resource != "" && len(result.Resources) != 0 {
 			messages = append(messages, "test result should not use both `resource` and `resources` fields")
 		}
 		if result.Resource != "" {
 			var resources []string
 			messages = append(messages, "test result uses deprecated `resource` field, moving it into the `resources` field")
 			resources = append(resources, result.Resources...)
 			resources = append(resources, result.Resource)
 			result.Resources = resources
 			result.Resource = ""
 		}
 		if result.Namespace != "" {
 			messages = append(messages, "test result uses deprecated `namespace` field, replacing `policy` with a `<namespace>/<name>` pattern")
 			result.Policy = fmt.Sprintf("%s/%s", result.Namespace, result.Policy)
 			result.Namespace = ""
 		}
 		if result.Status != "" && result.Result != "" {
 			return test, messages, errors.New("test result should not use both `status` and `result` fields")
 		}
 		if result.Status != "" && result.Result == "" {
 			messages = append(messages, "test result uses deprecated `status` field, moving it into the `result` field")
 			result.Result = result.Status
 			result.Status = ""
 		}
 		results = append(results, result)
 	}
 	if compress {
 		compressed := map[testapi.TestResultBase][]string{}
 		for _, result := range results {
 			compressed[result.TestResultBase] = append(compressed[result.TestResultBase], result.Resources...)
 		}
 		results = nil
 		for k, v := range compressed {
 			results = append(results, testapi.TestResult{
 				TestResultBase: k,
 				Resources:      v,
 			})
 		}
 	}
 	slices.SortFunc(results, func(a, b testapi.TestResult) bool {
 		if a.Policy < b.Policy {
 			return true
 		}
 		if a.Rule < b.Rule {
 			return true
 		}
 		if a.Result < b.Result {
 			return true
 		}
 		if a.Kind < b.Kind {
 			return true
 		}
 		if a.PatchedResource < b.PatchedResource {
 			return true
 		}
 		if a.GeneratedResource < b.GeneratedResource {
 			return true
 		}
 		if a.CloneSourceResource < b.CloneSourceResource {
 			return true
 		}
 		slices.Sort(a.Resources)
 		slices.Sort(b.Resources)
 		if len(a.Resources) < len(b.Resources) {
 			return true
 		}
 		if len(a.Resources) == len(b.Resources) {
 			for i := range a.Resources {
 				if a.Resources[i] < b.Resources[i] {
 					return true
 				}
 			}
 		}
 		return false
 	})
 	test.Results = results
 	return test, messages, nil
 }
--- a/test/cli/registry/kyverno-test.yaml
+++ b/test/cli/registry/kyverno-test.yaml
@ -4,6 +4,12 @@ policies:
 resources:
 - resources.yaml
 results:
 - kind: Pod
  policy: check-image-base
  resources:
  - test-pod-with-trusted-registry
  result: pass
  rule: check-image-base-rule
 - kind: Pod
  policy: images
  resources:
@ -11,9 +17,3 @@ results:
  - test-pod-with-trusted-registry
  result: pass
  rule: only-allow-trusted-images
 - kind: Pod
  policy: check-image-base
  resources:
  - test-pod-with-trusted-registry
  result: pass
  rule: check-image-base-rule
--- a/test/cli/scenarios_to_cli/other/scenario_validate_healthChecks/kyverno-test.yaml
+++ b/test/cli/scenarios_to_cli/other/scenario_validate_healthChecks/kyverno-test.yaml
@ -9,10 +9,10 @@ results:
  resources:
  - probe
  result: pass
-  rule: check-readinessProbe-exists
+  rule: check-livenessProbe-exists
 - kind: Pod
  policy: check-probe-exists
  resources:
  - probe
  result: pass
-  rule: check-livenessProbe-exists
+  rule: check-readinessProbe-exists
--- a/test/cli/test-generate/add-quota/kyverno-test.yaml
+++ b/test/cli/test-generate/add-quota/kyverno-test.yaml
@ -4,13 +4,6 @@ policies:
 resources:
 - resource.yaml
 results:
 - generatedResource: generatedResourceQuota.yaml
  kind: Namespace
  policy: add-ns-quota
  resources:
  - hello-world-namespace
  result: pass
  rule: generate-resourcequota
 - generatedResource: generatedLimitRange.yaml
  kind: Namespace
  policy: add-ns-quota
@ -18,3 +11,10 @@ results:
  - hello-world-namespace
  result: pass
  rule: generate-limitrange
 - generatedResource: generatedResourceQuota.yaml
  kind: Namespace
  policy: add-ns-quota
  resources:
  - hello-world-namespace
  result: pass
  rule: generate-resourcequota
--- a/test/cli/test-generate/sync-multiple-resources/kyverno-test.yaml
+++ b/test/cli/test-generate/sync-multiple-resources/kyverno-test.yaml
@ -1,22 +1,22 @@
 name: sync-controller-data
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - deployment.yaml
+- deployment.yaml
 results:
-  - policy: sync-controller-data
+- cloneSourceResource: cm.yaml
-    rule: sync-controller-secret
+  generatedResource: gen-cm.yaml
-    resources:
+  kind: Deployment
-      - kubernetes-cluster-controller
+  policy: sync-controller-data
-    generatedResource: gen-secret.yaml
+  resources:
-    cloneSourceResource: secret.yaml
+  - kubernetes-cluster-controller
-    kind: Deployment
+  result: pass
-    result: pass
+  rule: sync-controller-configmap
-  - policy: sync-controller-data
+- cloneSourceResource: secret.yaml
-    rule: sync-controller-configmap
+  generatedResource: gen-secret.yaml
-    resources: 
+  kind: Deployment
-      - kubernetes-cluster-controller
+  policy: sync-controller-data
-    generatedResource: gen-cm.yaml
+  resources:
-    cloneSourceResource: cm.yaml
+  - kubernetes-cluster-controller
-    kind: Deployment
+  result: pass
-    result: pass
+  rule: sync-controller-secret
--- a/test/cli/test-mutate/add-default-resources/kyverno-test.yaml
+++ b/test/cli/test-mutate/add-default-resources/kyverno-test.yaml
@ -11,13 +11,6 @@ results:
  - nginx-demo1
  result: pass
  rule: add-default-requests
 - kind: Pod
  patchedResource: patchedResource2.yaml
  policy: add-default-resources
  resources:
  - nginx-demo2
  result: skip
  rule: add-default-requests
 - kind: Pod
  patchedResource: patchedResource3.yaml
  policy: add-default-resources
@ -25,3 +18,10 @@ results:
  - nginx-demo3
  result: pass
  rule: add-default-requests
 - kind: Pod
  patchedResource: patchedResource2.yaml
  policy: add-default-resources
  resources:
  - nginx-demo2
  result: skip
  rule: add-default-requests
--- a/test/cli/test-mutate/connection-draining/kyverno-test.yaml
+++ b/test/cli/test-mutate/connection-draining/kyverno-test.yaml
@ -4,12 +4,6 @@ policies:
 resources:
 - resource.yaml
 results:
 - kind: Service
  policy: disable-connection-draining
  resources:
  - nlb-aws-controller-no-attributes
  result: skip
  rule: clb
 - kind: Service
  patchedResource: patched.yaml
  policy: disable-connection-draining
@ -17,3 +11,9 @@ results:
  - nlb-aws-controller-no-attributes
  result: pass
  rule: nlb-no-attributes
 - kind: Service
  policy: disable-connection-draining
  resources:
  - nlb-aws-controller-no-attributes
  result: skip
  rule: clb
--- a/test/cli/test-mutate/foreach/kyverno-test.yaml
+++ b/test/cli/test-mutate/foreach/kyverno-test.yaml
@ -4,13 +4,6 @@ policies:
 resources:
 - resources.yaml
 results:
 - kind: Pod
  patchedResource: patched-resource.yaml
  policy: foreach-json-patch
  resources:
  - nginx
  result: pass
  rule: add-security-context
 - kind: Pod
  patchedResource: pod-updated-image.yaml
  policy: mutate-images
@ -18,4 +11,11 @@ results:
  - mypod
  result: pass
  rule: test
 - kind: Pod
  patchedResource: patched-resource.yaml
  policy: foreach-json-patch
  resources:
  - nginx
  result: pass
  rule: add-security-context
 variables: values.yaml
--- a/test/cli/test-mutate/karpenter-annotations-to-nodeselector/kyverno-test.yaml
+++ b/test/cli/test-mutate/karpenter-annotations-to-nodeselector/kyverno-test.yaml
@ -4,6 +4,12 @@ policies:
 resources:
 - resource.yaml
 results:
 - kind: Pod
  policy: karpenter-annotations-to-nodeselector
  resources:
  - soft-pod-antiaffinity-1-copy
  result: pass
  rule: hard-nodeselector-lifecycle-on-demand
 - kind: Pod
  patchedResource: patched.yaml
  policy: karpenter-annotations-to-nodeselector
@ -11,9 +17,3 @@ results:
  - soft-pod-antiaffinity-1
  result: pass
  rule: hard-nodeselector-lifecycle-on-demand
 - kind: Pod
  policy: karpenter-annotations-to-nodeselector
  resources:
  - soft-pod-antiaffinity-1-copy
  result: pass
  rule: hard-nodeselector-lifecycle-on-demand
--- a/test/cli/test-mutate/kyverno-test.yaml
+++ b/test/cli/test-mutate/kyverno-test.yaml
@ -5,12 +5,26 @@ resources:
 - resource.yaml
 results:
 - kind: Pod
-  patchedResource: patchedResource3.yaml
+  patchedResource: patchedResource2.yaml
  policy: add-label
  resources:
-  - production/same-name-but-diff-namespace
+  - testing/same-name-but-diff-namespace
  result: pass
  rule: add-label
 - kind: Pod
  patchedResource: patchedResource1.yaml
  policy: add-label
  resources:
  - practice/resource-equal-to-patch-res-for-cp
  result: skip
  rule: add-label
 - kind: Pod
  patchedResource: patched-resource.yaml
  policy: example
  resources:
  - example
  result: pass
  rule: object_from_lists
 - kind: Deployment
  patchedResource: patchedResource4.yaml
  policy: add-label
@ -18,6 +32,13 @@ results:
  - mydeploy
  result: pass
  rule: add-label
 - kind: Pod
  patchedResource: patchedResource3.yaml
  policy: add-label
  resources:
  - production/same-name-but-diff-namespace
  result: pass
  rule: add-label
 - kind: Pod
  patchedResource: patchedResource6.yaml
  policy: add-label
@ -32,24 +53,3 @@ results:
  - same-name-but-diff-namespace
  result: pass
  rule: add-ndots
 - kind: Pod
  patchedResource: patched-resource.yaml
  policy: example
  resources:
  - example
  result: pass
  rule: object_from_lists
 - kind: Pod
  patchedResource: patchedResource1.yaml
  policy: add-label
  resources:
  - practice/resource-equal-to-patch-res-for-cp
  result: skip
  rule: add-label
 - kind: Pod
  patchedResource: patchedResource2.yaml
  policy: add-label
  resources:
  - testing/same-name-but-diff-namespace
  result: pass
  rule: add-label
--- a/test/cli/test/anypattern_skip_error/kyverno-test.yaml
+++ b/test/cli/test/anypattern_skip_error/kyverno-test.yaml
@ -7,9 +7,8 @@ results:
 - kind: Service
  policy: validate-service-loadbalancer
  resources:
-  - service-public-pass
+  - service-clusterip-skip
-  - service-public-2-pass
+  result: skip
  result: pass
  rule: check-loadbalancer-public
 - kind: Service
  policy: validate-service-loadbalancer
@ -20,6 +19,7 @@ results:
 - kind: Service
  policy: validate-service-loadbalancer
  resources:
-  - service-clusterip-skip
+  - service-public-2-pass
-  result: skip
+  - service-public-pass
  result: pass
  rule: check-loadbalancer-public
--- a/test/cli/test/autogen-values/kyverno-test.yaml
+++ b/test/cli/test/autogen-values/kyverno-test.yaml
@ -1,19 +1,19 @@
 name: test
 policies:
-  - policy.yaml
+- policy.yaml
 variables: values.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: test-policy
+- kind: Deployment
-    rule: test-rule
+  policy: test-policy
-    resources:
+  resources:
-    - pod
+  - deployment
-    kind: Pod
+  result: pass
-    result: pass
+  rule: test-rule
-  - policy: test-policy
+- kind: Pod
-    rule: test-rule
+  policy: test-policy
-    resources:
+  resources:
-    - deployment
+  - pod
-    kind: Deployment
+  result: pass
-    result: pass
+  rule: test-rule
 variables: values.yaml
--- a/test/cli/test/autogen/kyverno-test.yaml
+++ b/test/cli/test/autogen/kyverno-test.yaml
@ -4,51 +4,51 @@ policies:
 resources:
 - resources.yaml
 results:
 - kind: Pod
  policy: require-common-labels
  resources:
  - pod-with-labels
  result: pass
  rule: check-for-labels
 - kind: Pod
  policy: require-common-labels
  resources:
  - pod-missing-labels
  result: fail
  rule: check-for-labels
 - kind: Deployment
  policy: require-common-labels
  resources:
  - deployment-with-labels
  result: pass
  rule: check-for-labels
 - kind: Deployment
  policy: require-common-labels
  resources:
  - deployment-missing-labels
  result: fail
  rule: check-for-labels
 - kind: StatefulSet
  policy: require-common-labels
  resources:
  - StatefulSet-with-labels
  result: pass
  rule: check-for-labels
 - kind: StatefulSet
  policy: require-common-labels
  resources:
  - StatefulSet-without-labels
  result: fail
  rule: check-for-labels
 - kind: CronJob
  policy: require-common-labels
  resources:
  - cronjob-with-labels
  result: pass
  rule: check-for-labels
 - kind: CronJob
  policy: require-common-labels
  resources:
  - cronjob-without-labels
  result: fail
  rule: check-for-labels
 - kind: Deployment
  policy: require-common-labels
  resources:
  - deployment-missing-labels
  result: fail
  rule: check-for-labels
 - kind: Pod
  policy: require-common-labels
  resources:
  - pod-missing-labels
  result: fail
  rule: check-for-labels
 - kind: CronJob
  policy: require-common-labels
  resources:
  - cronjob-with-labels
  result: pass
  rule: check-for-labels
 - kind: Deployment
  policy: require-common-labels
  resources:
  - deployment-with-labels
  result: pass
  rule: check-for-labels
 - kind: Pod
  policy: require-common-labels
  resources:
  - pod-with-labels
  result: pass
  rule: check-for-labels
 - kind: StatefulSet
  policy: require-common-labels
  resources:
  - StatefulSet-without-labels
  result: fail
  rule: check-for-labels
--- a/test/cli/test/context-entries/kyverno-test.yaml
+++ b/test/cli/test/context-entries/kyverno-test.yaml
@ -4,12 +4,6 @@ policies:
 resources:
 - resources.yaml
 results:
 - kind: Pod
  policy: example
  resources:
  - example
  result: pass
  rule: defined-value
 - kind: Pod
  policy: example
  resources:
@ -27,13 +21,13 @@ results:
  resources:
  - example
  result: pass
-  rule: defined-value-with-variable
+  rule: defined-jmespath-with-default-variable
 - kind: Pod
  policy: example
  resources:
  - example
  result: pass
-  rule: defined-jmespath-with-default-variable
+  rule: defined-value
 - kind: Pod
  policy: example
  resources:
@ -51,13 +45,7 @@ results:
  resources:
  - example
  result: pass
-  rule: value-override
+  rule: defined-value-with-variable
 - kind: Pod
  policy: example
  resources:
  - example
  result: pass
  rule: wildcard-match
 - kind: Pod
  policy: example
  resources:
@ -70,3 +58,15 @@ results:
  - example
  result: pass
  rule: unused-var
 - kind: Pod
  policy: example
  resources:
  - example
  result: pass
  rule: value-override
 - kind: Pod
  policy: example
  resources:
  - example
  result: pass
  rule: wildcard-match
--- a/test/cli/test/context-foreach/kyverno-test.yaml
+++ b/test/cli/test/context-foreach/kyverno-test.yaml
@ -7,13 +7,13 @@ results:
 - kind: Pod
  policy: block-images
  resources:
-  - good-pod
+  - bad-pod
-  result: pass
+  result: fail
  rule: block-images
 - kind: Pod
  policy: block-images
  resources:
-  - bad-pod
+  - good-pod
-  result: fail
+  result: pass
  rule: block-images
 variables: values.yaml
--- a/test/cli/test/custom-functions/kyverno-test.yaml
+++ b/test/cli/test/custom-functions/kyverno-test.yaml
@ -4,54 +4,30 @@ policies:
 resources:
 - resources.yaml
 results:
 - kind: Secret
  policy: base64
  resources:
  - base64-test-match
  result: pass
  rule: secret-value-must-match-label
 - kind: Secret
  policy: base64
  resources:
  - base64-test-no-match
  result: fail
  rule: secret-value-must-match-label
 - kind: Namespace
  policy: pattern-match
  resources:
  - pattern-match-test-match
  result: pass
  rule: label-must-match-pattern
 - kind: Namespace
  policy: pattern-match
  resources:
  - pattern-match-test-no-match
  result: fail
  rule: label-must-match-pattern
 - kind: Pod
  policy: path-canonicalize
  resources:
  - mount-containerd-sock
  result: fail
  rule: disallow-mount-containerd-sock
- kind: ConfigMap
+- kind: Secret
-  policy: test-parse-json
+  policy: base64
  resources:
-  - valid-test
+  - base64-test-no-match
  result: fail
  rule: secret-value-must-match-label
 - kind: Secret
  policy: base64
  resources:
  - base64-test-match
  result: pass
-  rule: test-json-parsing-jmespath
+  rule: secret-value-must-match-label
 - kind: ConfigMap
  policy: test-parse-json
  resources:
  - invalid-test
  result: fail
  rule: test-json-parsing-jmespath
 - kind: ConfigMap
  policy: test-parse-yaml
  resources:
  - valid-yaml-test
  result: pass
  rule: test-yaml-parsing-jmespath
 - kind: ConfigMap
  policy: test-parse-yaml
  resources:
@ -59,7 +35,13 @@ results:
  result: fail
  rule: test-yaml-parsing-jmespath
 - kind: ConfigMap
-  policy: test-parse-yaml-array
+  policy: test-parse-json
  resources:
  - valid-test
  result: pass
  rule: test-json-parsing-jmespath
 - kind: ConfigMap
  policy: test-parse-yaml
  resources:
  - valid-yaml-test
  result: pass
@ -76,3 +58,21 @@ results:
  - test-x509-configmap
  result: fail
  rule: test-x509-decode
 - kind: ConfigMap
  policy: test-parse-yaml-array
  resources:
  - valid-yaml-test
  result: pass
  rule: test-yaml-parsing-jmespath
 - kind: Namespace
  policy: pattern-match
  resources:
  - pattern-match-test-no-match
  result: fail
  rule: label-must-match-pattern
 - kind: Namespace
  policy: pattern-match
  resources:
  - pattern-match-test-match
  result: pass
  rule: label-must-match-pattern
--- a/test/cli/test/deny-modify-platform-label-2/kyverno-test.yaml
+++ b/test/cli/test/deny-modify-platform-label-2/kyverno-test.yaml
@ -13,8 +13,8 @@ results:
 - kind: Role
  policy: deny-modify-platform-label
  resources:
  - my-role-without-platform
  - my-role-with-platform-false
  - my-role-without-platform
  result: skip
  rule: deny-modify-platform-role
 variables: variables.yaml
--- a/test/cli/test/disallow-service/kyverno-test.yaml
+++ b/test/cli/test/disallow-service/kyverno-test.yaml
@ -1,16 +1,18 @@
 name: disallow-service
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: disallow-service
+- kind: Service
-    rule: disallow-service
+  policy: disallow-service
-    resources: [svc1]
+  resources:
-    kind: Service
+  - svc2
-    result: skip
+  result: fail
-  - policy: disallow-service
+  rule: disallow-service
-    rule: disallow-service
+- kind: Service
-    resources: [svc2]
+  policy: disallow-service
-    kind: Service
+  resources:
-    result: fail
+  - svc1
  result: skip
  rule: disallow-service
--- a/test/cli/test/foreach/kyverno-test.yaml
+++ b/test/cli/test/foreach/kyverno-test.yaml
@ -5,17 +5,23 @@ resources:
 - resources.yaml
 results:
 - kind: Pod
-  policy: validate-empty-dir-mountpath
+  policy: validate-image-list
  resources:
  - test-pod
-  - test-pod2
+  - test-pod-ghcr
-  result: pass
+  result: fail
-  rule: check-mount-paths
+  rule: check-image
 - kind: Pod
  policy: validate-empty-dir-resources
  resources:
  - test-pod-with-gke-vol
  result: skip
  rule: check-resources
 - kind: Pod
  policy: validate-empty-dir-resources
  resources:
  - test-pod-bad-mount
  - test-pod
  - test-pod-bad-mount
  result: fail
  rule: check-resources
 - kind: Pod
@ -26,18 +32,12 @@ results:
  result: pass
  rule: check-resources
 - kind: Pod
-  policy: validate-empty-dir-resources
+  policy: validate-empty-dir-mountpath
  resources:
  - test-pod-with-gke-vol
  result: skip
  rule: check-resources
 - kind: Pod
  policy: validate-image-list
  resources:
  - test-pod
-  - test-pod-ghcr
+  - test-pod2
-  result: fail
+  result: pass
-  rule: check-image
+  rule: check-mount-paths
 - kind: Pod
  policy: validate-image-list-error
  resources:
--- a/test/cli/test/images/signatures/kyverno-test.yaml
+++ b/test/cli/test/images/signatures/kyverno-test.yaml
@ -7,12 +7,12 @@ results:
 - kind: Pod
  policy: verify-signature
  resources:
-  - signed
+  - unsigned
-  result: pass
+  result: fail
  rule: check-static-key
 - kind: Pod
  policy: verify-signature
  resources:
-  - unsigned
+  - signed
-  result: fail
+  result: pass
  rule: check-static-key
--- a/test/cli/test/images/verify-signature/kyverno-test.yaml
+++ b/test/cli/test/images/verify-signature/kyverno-test.yaml
@ -10,10 +10,10 @@ results:
  - signed
  result: pass
  rule: verify-signature
- kind: Pod
+- kind: DataVolume
-  policy: check-image
+  policy: check-data-volume-image
  resources:
-  - unsigned
+  - unsigned-registry-image-datavolume
  result: fail
  rule: verify-signature
 - kind: DataVolume
@ -22,9 +22,9 @@ results:
  - signed-registry-image-datavolume
  result: pass
  rule: verify-signature
- kind: DataVolume
+- kind: Pod
-  policy: check-data-volume-image
+  policy: check-image
  resources:
-  - unsigned-registry-image-datavolume
+  - unsigned
  result: fail
  rule: verify-signature
--- a/test/cli/test/jmespath-brackets/kyverno-test.yaml
+++ b/test/cli/test/jmespath-brackets/kyverno-test.yaml
@ -4,20 +4,6 @@ policies:
 resources:
 - resources.yaml
 results:
 - kind: Pod
  policy: default/test-jmespath
  resources:
  - test-valid1
  - test-valid2
  - test-valid3
  result: pass
  rule: test-jmespath
 - kind: Pod
  policy: default/test-jmespath
  resources:
  - test-invalid
  result: fail
  rule: test-jmespath
 - kind: Namespace
  policy: namespace-validation
  resources:
@ -30,3 +16,17 @@ results:
  - test-valid
  result: pass
  rule: namespace-validation
 - kind: Pod
  policy: default/test-jmespath
  resources:
  - test-invalid
  result: fail
  rule: test-jmespath
 - kind: Pod
  policy: default/test-jmespath
  resources:
  - test-valid1
  - test-valid2
  - test-valid3
  result: pass
  rule: test-jmespath
--- a/test/cli/test/limit-configmap-for-sa/kyverno-test.yaml
+++ b/test/cli/test/limit-configmap-for-sa/kyverno-test.yaml
@ -7,13 +7,13 @@ results:
 - kind: ConfigMap
  policy: limit-configmap-for-sa
  resources:
-  - any-namespace/any-configmap-name-good
+  - any-namespace/any-configmap-name-bad
-  result: fail
+  result: skip
  rule: limit-configmap-for-sa-developer
 - kind: ConfigMap
  policy: limit-configmap-for-sa
  resources:
-  - any-namespace/any-configmap-name-bad
+  - any-namespace/any-configmap-name-good
-  result: skip
+  result: fail
  rule: limit-configmap-for-sa-developer
 variables: variables.yaml
--- a/test/cli/test/mixed/kyverno-test.yaml
+++ b/test/cli/test/mixed/kyverno-test.yaml
@ -10,6 +10,12 @@ results:
  - user-foo/nodeselector-without-labels-on-mutation
  result: fail
  rule: ondemand-managed_by
 - kind: Pod
  policy: ondemand
  resources:
  - user-space/nodeselector-with-labels-on-mutation
  result: pass
  rule: ondemand-managed_by
 - kind: Pod
  patchedResource: patched-resource.yaml
  policy: ondemand
@ -17,9 +23,3 @@ results:
  - user-space/nodeselector-with-labels-on-mutation
  result: pass
  rule: ondemand-nodeselector
 - kind: Pod
  policy: ondemand
  resources:
  - user-space/nodeselector-with-labels-on-mutation
  result: pass
  rule: ondemand-managed_by
--- a/test/cli/test/multiple_condition_keys/kyverno-test.yaml
+++ b/test/cli/test/multiple_condition_keys/kyverno-test.yaml
@ -7,12 +7,12 @@ results:
 - kind: Pod
  policy: test-multiple-key
  resources:
-  - test-resource-pass
+  - test-resource-fail
-  result: pass
+  result: fail
  rule: test-multiple-key
 - kind: Pod
  policy: test-multiple-key
  resources:
-  - test-resource-fail
+  - test-resource-pass
-  result: fail
+  result: pass
  rule: test-multiple-key
--- a/test/cli/test/mutate-keda-scaled-object/kyverno-test.yaml
+++ b/test/cli/test/mutate-keda-scaled-object/kyverno-test.yaml
@ -1,23 +1,26 @@
 name: mutate-keda-scaled-object
 policies:
-  -  policy.yaml
+- policy.yaml
 resources:
-  -  resources.yaml
+- resources.yaml
 results:
-  - policy: keda-prometheus-serveraddress
+- kind: ScaledObject
-    rule: keda-prometheus-serveraddress
+  patchedResource: patchedResource1.yaml
-    resources: [service-1]
+  policy: keda-prometheus-serveraddress
-    patchedResource: patchedResource1.yaml
+  resources:
-    kind: ScaledObject
+  - service-1
-    result: pass
+  result: pass
-  - policy: keda-prometheus-serveraddress
+  rule: keda-prometheus-serveraddress
-    rule: keda-prometheus-serveraddress
+- kind: ScaledObject
-    resources: [service-2]
+  policy: keda-prometheus-serveraddress
-    patchedResource: patchedResource2.yaml
+  resources:
-    kind: ScaledObject
+  - service-3
-    result: pass
+  result: skip
-  - policy: keda-prometheus-serveraddress
+  rule: keda-prometheus-serveraddress
-    rule: keda-prometheus-serveraddress
+- kind: ScaledObject
-    resources: [service-3]
+  patchedResource: patchedResource2.yaml
-    kind: ScaledObject
+  policy: keda-prometheus-serveraddress
-    result: skip
+  resources:
  - service-2
  result: pass
  rule: keda-prometheus-serveraddress
--- a/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/kyverno-test.yaml
+++ b/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/kyverno-test.yaml
@ -7,13 +7,13 @@ results:
 - kind: Pod
  policy: exclude-namespaces-example
  resources:
-  - bad-pod01
+  - bad-pod02
-  result: pass
+  result: error
  rule: exclude-namespaces-dynamically
 - kind: Pod
  policy: exclude-namespaces-example
  resources:
-  - bad-pod02
+  - bad-pod01
-  result: error
+  result: pass
  rule: exclude-namespaces-dynamically
 variables: values.yaml
--- a/test/cli/test/nil-values-in-variables/limit-duration/kyverno-test.yaml
+++ b/test/cli/test/nil-values-in-variables/limit-duration/kyverno-test.yaml
@ -7,12 +7,12 @@ results:
 - kind: Certificate
  policy: cert-manager-limit-duration
  resources:
-  - letsencrypt-crt
+  - acme-crt
-  result: skip
+  result: error
  rule: certificate-duration-max-100days
 - kind: Certificate
  policy: cert-manager-limit-duration
  resources:
-  - acme-crt
+  - letsencrypt-crt
-  result: error
+  result: skip
  rule: certificate-duration-max-100days
--- a/test/cli/test/policy-reports-skip-validation/kyverno-test.yaml
+++ b/test/cli/test/policy-reports-skip-validation/kyverno-test.yaml
@ -7,13 +7,13 @@ results:
 - kind: Pod
  policy: disallow-naked-pods
  resources:
-  - blank-skip
+  - blank-fail
-  result: skip
+  result: fail
  rule: validate-naked-pods
 - kind: Pod
  policy: disallow-naked-pods
  resources:
-  - blank-fail
+  - blank-skip
-  result: fail
+  result: skip
  rule: validate-naked-pods
 variables: values.yaml
--- a/test/cli/test/preconditions/kyverno-test.yaml
+++ b/test/cli/test/preconditions/kyverno-test.yaml
@ -7,12 +7,12 @@ results:
 - kind: Pod
  policy: preconditions
  resources:
-  - test-valid
+  - test-invalid
-  result: pass
+  result: fail
  rule: any-rule
 - kind: Pod
  policy: preconditions
  resources:
-  - test-invalid
+  - test-valid
-  result: fail
+  result: pass
  rule: any-rule
--- a/test/cli/test/resource_lists/kyverno-test.yaml
+++ b/test/cli/test/resource_lists/kyverno-test.yaml
@ -1,19 +1,19 @@
 name: resource-lists
 policies:
-  -  policy.yaml
+- policy.yaml
 resources:
-  -  resource.yaml
+- resource.yaml
 results:
-  - policy: resource-lists
+- kind: Pod
-    rule: require-image-tag
+  policy: resource-lists
-    resources: 
+  resources:
-    - myapp-pod1
+  - myapp-pod3
-    - myapp-pod2
+  result: pass
-    kind: Pod
+  rule: validate-image-tag
-    result: pass
+- kind: Pod
-  - policy: resource-lists
+  policy: resource-lists
-    rule: validate-image-tag
+  resources:
-    resources: 
+  - myapp-pod1
-    - myapp-pod3
+  - myapp-pod2
-    kind: Pod
+  result: pass
-    result: pass 
+  rule: require-image-tag
--- a/test/cli/test/restrict-something/kyverno-test.yaml
+++ b/test/cli/test/restrict-something/kyverno-test.yaml
@ -1,19 +1,18 @@
 # Taken from https://github.com/kyverno/kyverno/issues/6463
 name: repro-dups-bug
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: restrict-something
+- kind: Pod
-    rule: validate-some-foo
+  policy: restrict-something
-    resources:
+  resources:
-    - nginx-foo
+  - nginx-too
-    kind: Pod
+  result: fail
-    result: pass
+  rule: validate-some-non-foo
-  - policy: restrict-something
+- kind: Pod
-    rule: validate-some-non-foo
+  policy: restrict-something
-    resources:
+  resources:
-    - nginx-too
+  - nginx-foo
-    kind: Pod
+  result: pass
-    result: fail
+  rule: validate-some-foo
--- a/test/cli/test/restrict_ingress_host/kyverno-test.yaml
+++ b/test/cli/test/restrict_ingress_host/kyverno-test.yaml
@ -4,12 +4,6 @@ policies:
 resources:
 - resource.yaml
 results:
 - kind: Ingress
  policy: unique-ingress-host
  resources:
  - ingress-kyverno-host
  result: fail
  rule: check-single-host
 - kind: Ingress
  policy: unique-ingress-host
  resources:
@ -20,12 +14,18 @@ results:
  policy: unique-ingress-host
  resources:
  - ingress-kyverno-host
-  result: skip
+  result: fail
  rule: check-single-host
 - kind: Ingress
  policy: unique-ingress-host
  resources:
  - ingress-foo-host
  result: fail
  rule: deny-multiple-hosts
 - kind: Ingress
  policy: unique-ingress-host
  resources:
-  - ingress-foo-host
+  - ingress-kyverno-host
-  result: fail
+  result: skip
  rule: deny-multiple-hosts
 variables: values.yaml
--- a/test/cli/test/secret/kyverno-test.yaml
+++ b/test/cli/test/secret/kyverno-test.yaml
@ -4,13 +4,6 @@ policies:
 resources:
 - resources.yaml
 results:
 - kind: Secret
  patchedResource: patched-resource.yaml
  policy: add-maintainer
  resources:
  - example
  result: pass
  rule: add-maintainer
 - kind: Secret
  patchedResource: patched-resource1.yaml
  policy: add-maintainer
@ -18,3 +11,10 @@ results:
  - secrete-fail-example
  result: fail
  rule: add-maintainer
 - kind: Secret
  patchedResource: patched-resource.yaml
  policy: add-maintainer
  resources:
  - example
  result: pass
  rule: add-maintainer
--- a/test/cli/test/simple/kyverno-test.yaml
+++ b/test/cli/test/simple/kyverno-test.yaml
@ -7,27 +7,9 @@ results:
 - kind: Pod
  policy: disallow-latest-tag
  resources:
-  - test/test-validate-image-tag-fail
+  - test/test-require-image-tag-fail
  result: fail
-  rule: validate-image-tag
+  rule: require-image-tag
 - kind: Pod
  policy: duration-test
  resources:
  - test/test-lifetime-fail
  result: fail
  rule: greater-than
 - kind: Pod
  policy: disallow-latest-tag
  resources:
  - test/test-validate-image-tag-pass
  result: pass
  rule: validate-image-tag
 - kind: Pod
  policy: duration-test
  resources:
  - test/test-lifetime-fail
  result: pass
  rule: less-equal-than
 - kind: Pod
  policy: disallow-latest-tag
  resources:
@ -37,30 +19,48 @@ results:
 - kind: Pod
  policy: disallow-latest-tag
  resources:
-  - test/test-require-image-tag-fail
+  - test/test-validate-image-tag-fail
  result: fail
-  rule: require-image-tag
+  rule: validate-image-tag
 - kind: Pod
-  policy: duration-test
+  policy: disallow-latest-tag
  resources:
-  - test/test-lifetime-fail
+  - test/test-validate-image-tag-pass
  result: pass
-  rule: less-than
+  rule: validate-image-tag
 - kind: Pod
  policy: duration-test
  resources:
  - test/test-lifetime-fail
  result: fail
  rule: greater-equal-than
 - kind: Pod
  policy: duration-test
  resources:
  - test/test-lifetime-fail
  result: fail
  rule: greater-than
 - kind: Pod
  policy: restrict-pod-counts
  resources:
  - myapp-pod
  - test-validate-image-tag-ignore
  - test/test-require-image-tag-pass
  - test/test-require-image-tag-fail
  - test/test-require-image-tag-pass
  - test/test-validate-image-tag-fail
  - test/test-validate-image-tag-pass
  result: fail
  rule: restrict-pod-count
 - kind: Pod
  policy: duration-test
  resources:
  - test/test-lifetime-fail
  result: pass
  rule: less-equal-than
 - kind: Pod
  policy: duration-test
  resources:
  - test/test-lifetime-fail
  result: pass
  rule: less-than
 variables: values.yaml
--- a/test/cli/test/validating-admission-policies/disallow-host-path/kyverno-test.yaml
+++ b/test/cli/test/validating-admission-policies/disallow-host-path/kyverno-test.yaml
@ -8,11 +8,11 @@ results:
  kind: Deployment
  policy: disallow-host-path
  resources:
-  - deployment-pass
+  - deployment-fail
-  result: pass
+  result: fail
 - isValidatingAdmissionPolicy: true
  kind: Deployment
  policy: disallow-host-path
  resources:
-  - deployment-fail
+  - deployment-pass
-  result: fail
+  result: pass
--- a/test/cli/test/variables/kyverno-test.yaml
+++ b/test/cli/test/variables/kyverno-test.yaml
@ -10,30 +10,17 @@ resources:
 - resources.yaml
 results:
 - kind: Pod
-  policy: images
+  policy: cm-multiple-example
  resources:
  - test-pod-with-non-root-user-image
  - test-pod-with-trusted-registry
  result: pass
  rule: only-allow-trusted-images
 - kind: Pod
  policy: cm-variable-example
  resources:
  - test-env-test
  result: pass
  rule: example-configmap-lookup
 - kind: Pod
  policy: cm-variable-example
  resources:
  - test-env-dev
  result: fail
  rule: example-configmap-lookup
 - kind: Pod
-  policy: cm-array-example
+  policy: cm-multiple-example
  resources:
-  - test-web
+  - test-env-test
-  result: fail
+  result: pass
-  rule: validate-role-annotation
+  rule: example-configmap-lookup
 - kind: Pod
  policy: cm-array-example
  resources:
@ -43,32 +30,20 @@ results:
 - kind: Pod
  policy: cm-blk-scalar-example
  resources:
-  - test-blk-app
+  - test-blk-web
-  result: pass
+  result: fail
  rule: validate-blk-role-annotation
 - kind: Pod
-  policy: images
+  policy: cm-globalval-example
  resources:
-  - test-pod-with-non-trusted-registry
+  - test-global-prod
  result: fail
-  rule: only-allow-trusted-images
+  rule: validate-mode
 - kind: Pod
  policy: cm-multiple-example
  resources:
  - test-env-test
  result: pass
  rule: example-configmap-lookup
 - kind: Pod
  policy: cm-multiple-example
  resources:
  - test-env-dev
  result: fail
  rule: example-configmap-lookup
 - kind: Pod
  policy: cm-blk-scalar-example
  resources:
-  - test-blk-web
+  - test-blk-app
-  result: fail
+  result: pass
  rule: validate-blk-role-annotation
 - kind: Pod
  policy: cm-globalval-example
@ -77,9 +52,34 @@ results:
  result: pass
  rule: validate-mode
 - kind: Pod
-  policy: cm-globalval-example
+  policy: cm-array-example
  resources:
-  - test-global-prod
+  - test-web
  result: fail
-  rule: validate-mode
+  rule: validate-role-annotation
 - kind: Pod
  policy: cm-variable-example
  resources:
  - test-env-dev
  result: fail
  rule: example-configmap-lookup
 - kind: Pod
  policy: images
  resources:
  - test-pod-with-non-trusted-registry
  result: fail
  rule: only-allow-trusted-images
 - kind: Pod
  policy: cm-variable-example
  resources:
  - test-env-test
  result: pass
  rule: example-configmap-lookup
 - kind: Pod
  policy: images
  resources:
  - test-pod-with-non-root-user-image
  - test-pod-with-trusted-registry
  result: pass
  rule: only-allow-trusted-images
 variables: variables.yaml
--- a/test/cli/test/wildcard_match_label_selector/kyverno-test.yaml
+++ b/test/cli/test/wildcard_match_label_selector/kyverno-test.yaml
@ -4,35 +4,21 @@ policies:
 resources:
 - resources.yaml
 results:
 - kind: Pod
  policy: wildcard-support-in-matchlabels
  resources:
  - my-service-1
  result: pass
  rule: wildcard-label
 - kind: Pod
  policy: wildcard-support-in-matchlabels
  resources:
  - my-service-2
  result: pass
  rule: label-end-with-test
 # TODO CEB FIX
 # - kind: Pod
 #   policy: wildcard-support-in-matchlabels
 #   resources:
 #   - my-service-3
 #   result: skip
 #   rule: label-end-with-test
 - kind: Pod
  policy: wildcard-support-in-matchlabels
  resources:
  - my-service-4
  result: pass
  rule: label-start-with-test
-# TODO CEB FIX
+- kind: Pod
-# - kind: Pod
+  policy: wildcard-support-in-matchlabels
-#   policy: wildcard-support-in-matchlabels
+  resources:
-#   resources:
+  - my-service-1
-#   - my-service-5
+  result: pass
-#   result: skip
+  rule: wildcard-label
 #   rule: label-start-with-test