test: add cleanup v2 chainsaw tests (#10476)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

test/conformance/chainsaw/cleanup/v2/clusterpolicy/cleanup-pod/policy.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2
+kind: ClusterCleanupPolicy
+metadata:
+  name: cleanup-pod
+spec:
+  match:
+    any:
+      - resources:
+          kinds:
+            - Pod
+  conditions:
+    all:
+      - key: "{{ target.metadata.name }}"
+        operator: Equals
+        value: example
+      - key: "{{ target.metadata.namespace }}"
+        operator: Equals
+        value: default
+  ## execute every minute
+  schedule: "*/1 * * * *"

test/conformance/chainsaw/cleanup/v2/clusterpolicy/context-cleanup-pod/policy.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v2
+kind: ClusterCleanupPolicy
+metadata:
+  name: cleanup-pod
+spec:
+  context:
+    - name: varNamespace
+      apiCall:
+        urlPath: "/api/v1/namespaces/default"
+        jmesPath: metadata.name
+    - name: varname
+      variable:
+        value: "example"
+  match:
+    any:
+      - resources:
+          kinds:
+            - Pod
+  conditions:
+    all:
+      - key: "{{ target.metadata.name }}"
+        operator: Equals
+        value: "{{ varname }}"
+      - key: "{{ target.metadata.namespace }}"
+        operator: Equals
+        value: "{{ varNamespace }}"
+  ## execute every minute
+  schedule: "*/1 * * * *"

test/conformance/chainsaw/cleanup/v2/policy/cleanup-pod/policy.yaml

@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v2
+kind: CleanupPolicy
+metadata:
+  name: cleanup-pod
+  namespace: default
+spec:
+  match:
+    any:
+    - resources:
+        kinds:
+          - Pod
+  conditions:
+    any:
+    - key: "{{ target.metadata.name }}"
+      operator: Equals
+      value: example
+  ## execute every minute
+  schedule: "*/1 * * * *"

test/conformance/chainsaw/cleanup/v2/validation/cron-format/clusterpolicy.yaml

@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v2
+kind: ClusterCleanupPolicy
+metadata:
+  name: cleanuppolicy
+spec:
+  match:
+    any:
+    - resources:
+        kinds:
+          - Pod
+  conditions:
+    any:
+    - key: "{{ target.metadata.name }}"
+      operator: Equals
+      value: example
+  schedule: "*/2 * * * *"

test/conformance/chainsaw/cleanup/v2/validation/cron-format/invalidpolicy.yaml

@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v2
+kind: CleanupPolicy
+metadata:
+  name: cleanuppolicy
+  namespace: default
+spec:
+  match:
+    any:
+    - resources:
+        kinds:
+          - Pod
+  conditions:
+    any:
+    - key: "{{ target.metadata.name }}"
+      operator: Equals
+      value: example
+  schedule: "invalid-schedule"

test/conformance/chainsaw/cleanup/v2/validation/cron-format/policy.yaml

@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v2
+kind: CleanupPolicy
+metadata:
+  name: cleanuppolicy
+  namespace: default
+spec:
+  match:
+    any:
+    - resources:
+        kinds:
+          - Pod
+  conditions:
+    any:
+    - key: "{{ target.metadata.name }}"
+      operator: Equals
+      value: example
+  schedule: "*/2 * * * *"

test/conformance/chainsaw/cleanup/v2/validation/no-user-info-in-match/cleanuppolicy-with-clusterroles.yaml

@@ -0,0 +1,13 @@
+apiVersion: kyverno.io/v2
+kind: ClusterCleanupPolicy
+metadata:
+  name: cleanuppolicy
+spec:
+  match:
+    any:
+      - resources:
+          kinds:
+            - Pod
+        clusterRoles:
+          - clusteradmin
+  schedule: '* * * * *'

test/conformance/chainsaw/cleanup/v2/validation/no-user-info-in-match/cleanuppolicy-with-roles.yaml

@@ -0,0 +1,13 @@
+apiVersion: kyverno.io/v2
+kind: ClusterCleanupPolicy
+metadata:
+  name: cleanuppolicy
+spec:
+  match:
+    any:
+      - resources:
+          kinds:
+            - Pod
+        roles:
+          - admin
+  schedule: '* * * * *'

test/conformance/chainsaw/cleanup/v2/validation/no-user-info-in-match/cleanuppolicy-with-subjects.yaml

@@ -0,0 +1,14 @@
+apiVersion: kyverno.io/v2
+kind: ClusterCleanupPolicy
+metadata:
+  name: cleanuppolicy
+spec:
+  match:
+    any:
+      - resources:
+          kinds:
+            - Pod
+        subjects:
+          - kind: User
+            name: chip
+  schedule: '* * * * *'

test/conformance/chainsaw/cleanup/v2/validation/not-supported-attributes-in-context/cleanuppolicy-with-configmap.yaml

@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v2
+kind: ClusterCleanupPolicy
+metadata:
+  name: cleanup-pod
+spec:
+  context:
+    - name: configData
+      configMap:
+        name: some-config-map
+        namespace: default
+  match:
+    any:
+      - resources:
+          kinds:
+            - Pod
+  conditions:
+    all:
+      - key: "{{ target.metadata.name }}"
+        operator: Equals
+        value: example
+      - key: "{{ target.metadata.namespace }}"
+        operator: Equals
+        value: default
+  ## execute every minute
+  schedule: "*/1 * * * *"

test/conformance/chainsaw/cleanup/v2/validation/not-supported-attributes-in-context/cleanuppolicy-with-image-registry.yaml

@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v2
+kind: ClusterCleanupPolicy
+metadata:
+  name: cleanup-pod
+spec:
+  context:
+    - name: imageData
+      imageRegistry:
+        reference: "ghcr.io/kyverno/kyverno"
+  match:
+    any:
+      - resources:
+          kinds:
+            - Pod
+  conditions:
+    all:
+      - key: "{{ target.metadata.name }}"
+        operator: Equals
+        value: "example"
+      - key: "{{ target.metadata.namespace }}"
+        operator: Equals
+        value: default
+  ## execute every minute
+  schedule: "*/1 * * * *"

test/conformance/chainsaw/cleanup/v2beta1/clusterpolicy/cleanup-pod/README.md

@@ -0,0 +1,9 @@
+# ## Description
+
+This test cleans up pods via a cluster cleanup policy.
+
+## Expected Behavior
+
+The pod `default/example` is cleaned up successfully.
+
+## Reference Issue(s)

test/conformance/chainsaw/cleanup/v2beta1/clusterpolicy/cleanup-pod/chainsaw-test.yaml

@@ -0,0 +1,31 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cleanup-pod
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: rbac.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pod.yaml
+    - assert:
+        file: pod-assert.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy.yaml
+  - name: step-04
+    try:
+    - sleep:
+        duration: 1m5s
+  - name: step-05
+    try:
+    - error:
+        file: pod-assert.yaml

test/conformance/chainsaw/cleanup/v2beta1/clusterpolicy/cleanup-pod/pod-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example
+  namespace: default

test/conformance/chainsaw/cleanup/v2beta1/clusterpolicy/cleanup-pod/pod.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example
+  namespace: default
+spec:
+  containers:
+  - image: nginx:latest
+    name: example

test/conformance/chainsaw/cleanup/v2beta1/clusterpolicy/cleanup-pod/rbac.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test-cleanup-pod
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - delete
+  - list
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: test-cleanup-pod
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test-cleanup-pod
+subjects:
+- kind: ServiceAccount
+  name: kyverno-cleanup-controller
+  namespace: kyverno

test/conformance/chainsaw/cleanup/v2beta1/clusterpolicy/context-cleanup-pod/README.md

@@ -0,0 +1,9 @@
+# ## Description
+
+This test cleans up pods via a cluster cleanup policy.
+
+## Expected Behavior
+
+The pod `{{ varname }}` in the namespace `{{ varNamespace }}` set by context variable is cleaned up successfully.
+
+## Reference Issue(s)

test/conformance/chainsaw/cleanup/v2beta1/clusterpolicy/context-cleanup-pod/chainsaw-test.yaml

@@ -0,0 +1,27 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: context-cleanup-pod
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: rbac.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pod.yaml
+    - assert:
+        file: pod-assert.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy.yaml
+  - name: step-05
+    try:
+    - error:
+        file: pod-assert.yaml

test/conformance/chainsaw/cleanup/v2beta1/clusterpolicy/context-cleanup-pod/pod-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example
+  namespace: default

test/conformance/chainsaw/cleanup/v2beta1/clusterpolicy/context-cleanup-pod/pod.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example
+  namespace: default
+spec:
+  containers:
+  - image: nginx:latest
+    name: example

test/conformance/chainsaw/cleanup/v2beta1/clusterpolicy/context-cleanup-pod/rbac.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test-cleanup-pod
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - delete
+  - list
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: test-cleanup-pod
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test-cleanup-pod
+subjects:
+- kind: ServiceAccount
+  name: kyverno-cleanup-controller
+  namespace: kyverno

test/conformance/chainsaw/cleanup/v2beta1/policy/cleanup-pod/README.md

@@ -0,0 +1,10 @@
+# ## Description
+
+This test cleans up pods via a namespaced cleanup policy.
+
+## Expected Behavior
+
+The pod `default/example` is cleaned up successfully.
+
+
+## Reference Issue(s)

test/conformance/chainsaw/cleanup/v2beta1/policy/cleanup-pod/chainsaw-test.yaml

@@ -0,0 +1,27 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cleanup-pod
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: rbac.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pod.yaml
+    - assert:
+        file: pod-assert.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy.yaml
+  - name: step-05
+    try:
+    - error:
+        file: pod-assert.yaml

test/conformance/chainsaw/cleanup/v2beta1/policy/cleanup-pod/pod-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example
+  namespace: default

test/conformance/chainsaw/cleanup/v2beta1/policy/cleanup-pod/pod.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example
+  namespace: default
+spec:
+  containers:
+  - image: nginx:latest
+    name: example

test/conformance/chainsaw/cleanup/v2beta1/policy/cleanup-pod/rbac.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test-cleanup-pod
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - delete
+  - list
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: test-cleanup-pod
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test-cleanup-pod
+subjects:
+- kind: ServiceAccount
+  name: kyverno-cleanup-controller
+  namespace: kyverno

test/conformance/chainsaw/cleanup/v2beta1/validation/cron-format/README.md

@@ -0,0 +1,4 @@
+## Description
+
+This test creates tries to create two cleanup policies, one with a valid schedule and one with an invalid schedule.
+The creation of the one with the valid schedule is expected to succeed while the one with the invalid schedule is expected to fail.

test/conformance/chainsaw/cleanup/v2beta1/validation/cron-format/chainsaw-test.yaml

@@ -0,0 +1,26 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cron-format
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: clusterpolicy.yaml
+    - assert:
+        file: clusterpolicy.yaml
+  - name: step-03
+    try:
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: invalidpolicy.yaml

test/conformance/chainsaw/cleanup/v2beta1/validation/no-user-info-in-match/README.md

@@ -0,0 +1,8 @@
+## Description
+
+This test creates a cleanup policy containing user infos in `match` statement.
+The creation should fail as cleanup policies with user infos are not allowed.
+
+## Steps
+
+1.  - Try create a couple of cleanup policies, expecting the creation to fail because they contain user infos

test/conformance/chainsaw/cleanup/v2beta1/validation/no-user-info-in-match/chainsaw-test.yaml

@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: no-user-info-in-match
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: cleanuppolicy-with-subjects.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: cleanuppolicy-with-roles.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: cleanuppolicy-with-clusterroles.yaml

test/conformance/chainsaw/cleanup/v2beta1/validation/not-supported-attributes-in-context/chainsaw-test.yaml

@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: not-supported-attributes-in-context
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: cleanuppolicy-with-image-registry.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: cleanuppolicy-with-configmap.yaml