diff --git a/test/conformance/manifests/generate/foo.yaml b/test/conformance/manifests/generate/foo.yaml
new file mode 100644
index 0000000000..f4572339b9
--- /dev/null
+++ b/test/conformance/manifests/generate/foo.yaml
@@ -0,0 +1 @@
+# placeholder
\ No newline at end of file
diff --git a/test/conformance/manifests/mutate/foo.yaml b/test/conformance/manifests/mutate/foo.yaml
new file mode 100644
index 0000000000..f4572339b9
--- /dev/null
+++ b/test/conformance/manifests/mutate/foo.yaml
@@ -0,0 +1 @@
+# placeholder
\ No newline at end of file
diff --git a/test/conformance/manifests/validate/fail/background-match-clusterroles.yaml b/test/conformance/manifests/validate/fail/background-match-clusterroles.yaml
new file mode 100644
index 0000000000..74884770cc
--- /dev/null
+++ b/test/conformance/manifests/validate/fail/background-match-clusterroles.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: background-match-clusterroles
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: ns-clusterroles
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ clusterRoles:
+ - foo-admin
+ validate:
+ message: The `owner` label is required for all Namespaces.
+ pattern:
+ metadata:
+ labels:
+ owner: "?*"
diff --git a/test/conformance/manifests/should-fail/background-userinfo-2.yaml b/test/conformance/manifests/validate/fail/background-match-roles.yaml
similarity index 65%
rename from test/conformance/manifests/should-fail/background-userinfo-2.yaml
rename to test/conformance/manifests/validate/fail/background-match-roles.yaml
index 8d1ee8ee8c..b247f9a215 100644
--- a/test/conformance/manifests/should-fail/background-userinfo-2.yaml
+++ b/test/conformance/manifests/validate/fail/background-match-roles.yaml
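Review bot: The `message` in background-match-clusterroles.yaml says the `owner` label is required for all Namespaces, but the rule matches `kinds: Pod` and is named `ns-clusterroles`, so the text looks carried over from another fixture. Since this manifest exists only to be refused by the policy webhook, a header comment would make that intent explicit, e.g. `# Must be rejected: clusterRoles in match depends on admission user info, which is not available in background mode`. The same message/kind mismatch is visible in background-match-roles.yaml in the following hunk.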
@@ -1,18 +1,19 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: background-userinfo-2 + name: background-match-roles spec: validationFailureAction: audit background: true rules: - - name: ns-clusterroles-old + - name: ns-roles match: - resources: - kinds: - - Pod - clusterRoles: - - foo-admin + any: + - resources: + kinds: + - Pod + roles: + - foo-role validate: message: The `owner` label is required for all Namespaces. pattern: diff --git a/test/conformance/manifests/should-fail/background-userinfo-1.yaml b/test/conformance/manifests/validate/fail/background-vars-roles.yaml similarity index 87% rename from test/conformance/manifests/should-fail/background-userinfo-1.yaml rename to test/conformance/manifests/validate/fail/background-vars-roles.yaml index b207a0b884..541569ce04 100644 --- a/test/conformance/manifests/should-fail/background-userinfo-1.yaml +++ b/test/conformance/manifests/validate/fail/background-vars-roles.yaml @@ -1,12 +1,12 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: background-userinfo-1 + name: background-vars-roles spec: validationFailureAction: audit background: true rules: - - name: ns-vars + - name: ns-vars-roles match: any: - resources: diff --git a/test/conformance/manifests/should-fail/background-userinfo-4.yaml b/test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml similarity index 82% rename from test/conformance/manifests/should-fail/background-userinfo-4.yaml rename to test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml index 23ab95ecd3..2efd9e3834 100644 --- a/test/conformance/manifests/should-fail/background-userinfo-4.yaml +++ b/test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml 
@@ -1,12 +1,12 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: validate-labels + name: background-vars-serviceaccountname spec: validationFailureAction: audit background: true rules: - - name: ns-vars + - name: ns-vars-serviceaccountname match: any: - resources: diff --git a/test/conformance/manifests/should-fail/background-userinfo-3.yaml b/test/conformance/manifests/validate/fail/background-vars-userinfo.yaml similarity index 86% rename from test/conformance/manifests/should-fail/background-userinfo-3.yaml rename to test/conformance/manifests/validate/fail/background-vars-userinfo.yaml index 820bc7595e..087ae2e26a 100644 --- a/test/conformance/manifests/should-fail/background-userinfo-3.yaml +++ b/test/conformance/manifests/validate/fail/background-vars-userinfo.yaml @@ -1,12 +1,12 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: validate-labels + name: background-vars-userinfo spec: validationFailureAction: audit background: true rules: - - name: ns-vars + - name: ns-vars-userinfo match: any: - resources: diff --git a/test/conformance/manifests/verifyImages/foo.yaml b/test/conformance/manifests/verifyImages/foo.yaml new file mode 100644 index 0000000000..f4572339b9 --- /dev/null +++ b/test/conformance/manifests/verifyImages/foo.yaml @@ -0,0 +1 @@ +# placeholder \ No newline at end of file diff --git a/test/conformance/tests.yaml b/test/conformance/tests.yaml index f8b89c930d..9ed36b6f23 100644 --- a/test/conformance/tests.yaml +++ b/test/conformance/tests.yaml 
@@ -1,52 +1,64 @@ -should-fail: - - description: Policy with backgound enabled and referencing user infos should be rejected +validate-fail: + - description: Policy with background enabled and referencing clusterRoles in match/exclude statements should be rejected kubectl: args: - create - -f - - test/conformance/manifests/should-fail/background-userinfo-1.yaml + - test/conformance/manifests/validate/fail/background-match-clusterroles.yaml expect: exitcode: 1 stderr: >- - Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-1.yaml": + Error from server: error when creating "test/conformance/manifests/validate/fail/background-match-clusterroles.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode. Set spec.background=false to disable background mode for this policy rule: variable {{request.roles}} is not allowed - - description: Policy with backgound enabled and referencing user infos should be rejected + - description: Policy with background enabled and referencing roles in match/exclude statements should be rejected kubectl: args: - create - -f - - test/conformance/manifests/should-fail/background-userinfo-2.yaml + - test/conformance/manifests/validate/fail/background-match-roles.yaml expect: exitcode: 1 stderr: >- - Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-2.yaml": + Error from server: error when creating "test/conformance/manifests/validate/fail/background-match-roles.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode. 
Set spec.background=false to disable background mode for this policy rule: - invalid variable used at path: spec/rules[0]/match/clusterRoles - - description: Policy with backgound enabled and referencing user infos should be rejected + invalid variable used at path: spec/rules[0]/match/any[0]/roles + - description: Policy with background enabled and referencing the var request.roles should be rejected. kubectl: args: - create - -f - - test/conformance/manifests/should-fail/background-userinfo-3.yaml + - test/conformance/manifests/validate/fail/background-vars-roles.yaml expect: exitcode: 1 stderr: >- - Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-3.yaml": + Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-roles.yaml": + admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode. + Set spec.background=false to disable background mode for this policy rule: variable "{{request.roles}} is not allowed + - description: Policy with background enabled and referencing the var request.userInfo should be rejected. + kubectl: + args: + - create + - -f + - test/conformance/manifests/validate/fail/background-vars-userinfo.yaml + expect: + exitcode: 1 + stderr: >- + Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-userinfo.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode. Set spec.background=false to disable background mode for this policy rule: variable {{request.userInfo}} is not allowed - - description: Policy with backgound enabled and referencing user infos should be rejected + - description: Policy with background enabled and referencing the var request.serviceaccountname should be rejected. 
kubectl: args: - create - -f - - test/conformance/manifests/should-fail/background-userinfo-4.yaml + - test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml expect: exitcode: 1 stderr: >- - Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-4.yaml": + Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode. Set spec.background=false to disable background mode for this policy rule: variable {{serviceAccountName}} is not allowed - description: Best practice policies should create fine
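Review bot: Two of the expected `stderr` strings in this hunk look wrong. The added background-vars-roles case expects `variable "{{request.roles}} is not allowed` with an unbalanced double quote, unlike the sibling cases (`variable {{request.userInfo}} is not allowed`); it should probably read `variable {{request.roles}} is not allowed`. The first case now creates background-match-clusterroles.yaml but keeps the unchanged `variable {{request.roles}} is not allowed` expectation; by analogy with the match-roles case it would presumably be `invalid variable used at path: spec/rules[0]/match/any[0]/clusterRoles`. These cases pin the webhook's rejection of user-info-dependent policies in background mode, so a mismatched expectation either fails the run or, if the comparison is loose, stops checking the rejection reason.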