mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-05 07:26:55 +00:00
clean conformance (#5089)
* clean conformance Signed-off-by: Chip Zoller <chipzoller@gmail.com> * adjust names Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
parent
822dbdc011
commit
4a41ba910b
9 changed files with 65 additions and 27 deletions
1
test/conformance/manifests/generate/foo.yaml
Normal file
1
test/conformance/manifests/generate/foo.yaml
Normal file
|
@ -0,0 +1 @@
|
|||
# placeholder
|
1
test/conformance/manifests/mutate/foo.yaml
Normal file
1
test/conformance/manifests/mutate/foo.yaml
Normal file
|
@ -0,0 +1 @@
|
|||
# placeholder
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: background-match-clusterroles
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
background: true
|
||||
rules:
|
||||
- name: ns-clusterroles
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
clusterRoles:
|
||||
- foo-admin
|
||||
validate:
|
||||
message: The `owner` label is required for all Namespaces.
|
||||
pattern:
|
||||
metadata:
|
||||
labels:
|
||||
owner: "?*"
|
|
@ -1,18 +1,19 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: background-userinfo-2
|
||||
name: background-match-roles
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
background: true
|
||||
rules:
|
||||
- name: ns-clusterroles-old
|
||||
- name: ns-roles
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
clusterRoles:
|
||||
- foo-admin
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
roles:
|
||||
- foo-role
|
||||
validate:
|
||||
message: The `owner` label is required for all Namespaces.
|
||||
pattern:
|
|
@ -1,12 +1,12 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: background-userinfo-1
|
||||
name: background-vars-roles
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
background: true
|
||||
rules:
|
||||
- name: ns-vars
|
||||
- name: ns-vars-roles
|
||||
match:
|
||||
any:
|
||||
- resources:
|
|
@ -1,12 +1,12 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-labels
|
||||
name: background-vars-serviceaccountname
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
background: true
|
||||
rules:
|
||||
- name: ns-vars
|
||||
- name: ns-vars-serviceaccountname
|
||||
match:
|
||||
any:
|
||||
- resources:
|
|
@ -1,12 +1,12 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-labels
|
||||
name: background-vars-userinfo
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
background: true
|
||||
rules:
|
||||
- name: ns-vars
|
||||
- name: ns-vars-userinfo
|
||||
match:
|
||||
any:
|
||||
- resources:
|
1
test/conformance/manifests/verifyImages/foo.yaml
Normal file
1
test/conformance/manifests/verifyImages/foo.yaml
Normal file
|
@ -0,0 +1 @@
|
|||
# placeholder
|
|
@ -1,52 +1,64 @@
|
|||
should-fail:
|
||||
- description: Policy with backgound enabled and referencing user infos should be rejected
|
||||
validate-fail:
|
||||
- description: Policy with background enabled and referencing clusterRoles in match/exclude statements should be rejected
|
||||
kubectl:
|
||||
args:
|
||||
- create
|
||||
- -f
|
||||
- test/conformance/manifests/should-fail/background-userinfo-1.yaml
|
||||
- test/conformance/manifests/validate/fail/background-match-clusterroles.yaml
|
||||
expect:
|
||||
exitcode: 1
|
||||
stderr: >-
|
||||
Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-1.yaml":
|
||||
Error from server: error when creating "test/conformance/manifests/validate/fail/background-match-clusterroles.yaml":
|
||||
admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
|
||||
Set spec.background=false to disable background mode for this policy rule: variable {{request.roles}} is not allowed
|
||||
- description: Policy with backgound enabled and referencing user infos should be rejected
|
||||
- description: Policy with background enabled and referencing roles in match/exclude statements should be rejected
|
||||
kubectl:
|
||||
args:
|
||||
- create
|
||||
- -f
|
||||
- test/conformance/manifests/should-fail/background-userinfo-2.yaml
|
||||
- test/conformance/manifests/validate/fail/background-match-roles.yaml
|
||||
expect:
|
||||
exitcode: 1
|
||||
stderr: >-
|
||||
Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-2.yaml":
|
||||
Error from server: error when creating "test/conformance/manifests/validate/fail/background-match-roles.yaml":
|
||||
admission webhook "validate-policy.kyverno.svc" denied the request:
|
||||
only select variables are allowed in background mode.
|
||||
Set spec.background=false to disable background mode for this policy rule:
|
||||
invalid variable used at path: spec/rules[0]/match/clusterRoles
|
||||
- description: Policy with backgound enabled and referencing user infos should be rejected
|
||||
invalid variable used at path: spec/rules[0]/match/any[0]/roles
|
||||
- description: Policy with background enabled and referencing the var request.roles should be rejected.
|
||||
kubectl:
|
||||
args:
|
||||
- create
|
||||
- -f
|
||||
- test/conformance/manifests/should-fail/background-userinfo-3.yaml
|
||||
- test/conformance/manifests/validate/fail/background-vars-roles.yaml
|
||||
expect:
|
||||
exitcode: 1
|
||||
stderr: >-
|
||||
Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-3.yaml":
|
||||
Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-roles.yaml":
|
||||
admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
|
||||
Set spec.background=false to disable background mode for this policy rule: variable "{{request.roles}} is not allowed
|
||||
- description: Policy with background enabled and referencing the var request.userInfo should be rejected.
|
||||
kubectl:
|
||||
args:
|
||||
- create
|
||||
- -f
|
||||
- test/conformance/manifests/validate/fail/background-vars-userinfo.yaml
|
||||
expect:
|
||||
exitcode: 1
|
||||
stderr: >-
|
||||
Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-userinfo.yaml":
|
||||
admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
|
||||
Set spec.background=false to disable background mode for this policy rule: variable {{request.userInfo}} is not allowed
|
||||
- description: Policy with backgound enabled and referencing user infos should be rejected
|
||||
- description: Policy with background enabled and referencing the var request.serviceaccountname should be rejected.
|
||||
kubectl:
|
||||
args:
|
||||
- create
|
||||
- -f
|
||||
- test/conformance/manifests/should-fail/background-userinfo-4.yaml
|
||||
- test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml
|
||||
expect:
|
||||
exitcode: 1
|
||||
stderr: >-
|
||||
Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-4.yaml":
|
||||
Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml":
|
||||
admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
|
||||
Set spec.background=false to disable background mode for this policy rule: variable {{serviceAccountName}} is not allowed
|
||||
- description: Best practice policies should create fine
|
||||
|
|
Loading…
Add table
Reference in a new issue