From 4d29b461ff7c336931521cdab8b1a3c5bcac5c04 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Wed, 9 Oct 2019 18:35:07 -0700
Subject: [PATCH] add require_image_tag_not_latest.yaml

---
 pkg/testrunner/testrunner_test.go             | 20 ++++++-------
 .../require_image_tag_not_latest.yaml         | 28 +++++++++++++++++++
 .../require_image_tag_not_latest_deny.yaml    | 10 +++++++
 .../require_image_tag_not_latest_pass.yaml    | 10 +++++++
 .../manifest/require_pod_requests_limits.yaml |  1 +
 ...ate_require_image_tag_not_latest_deny.yaml | 22 +++++++++++++++
 ...te_require_image_tag_not_latest_pass.yaml} | 10 +++++--
 ..._validate_image_tag_notspecified_deny.yaml | 18 ------------
 8 files changed, 88 insertions(+), 31 deletions(-)
 create mode 100644 samples/best_practices/require_image_tag_not_latest.yaml
 create mode 100644 test/manifest/require_image_tag_not_latest_deny.yaml
 create mode 100644 test/manifest/require_image_tag_not_latest_pass.yaml
 create mode 100644 test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml
 rename test/scenarios/test/{scenario_validate_image_tag_notspecified_pass.yaml => scenario_valiadate_require_image_tag_not_latest_pass.yaml} (59%)
 delete mode 100644 test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml

diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 423d2fa876..40cf40347d 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -52,13 +52,13 @@ func Test_validate_image_latest_ifnotpresent_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml")
 }
 
-func Test_validate_image_tag_notspecified_deny(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml")
-}
+// func Test_validate_image_tag_notspecified_deny(t *testing.T) {
+// 	testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml")
+// }
 
-func Test_validate_image_tag_notspecified_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml")
-}
+// func Test_validate_image_tag_notspecified_pass(t *testing.T) {
+// 	testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml")
+// }
 
 func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml")
@@ -68,12 +68,12 @@ func Test_validate_image_pullpolicy_notalways_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml")
 }
 
-func Test_validate_image_tag_latest_deny(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml")
+func Test_validate_require_image_tag_not_latest_deny(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml")
 }
 
-func Test_validate_image_tag_latest_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml")
+func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml")
 }
 
 func Test_mutate_pod_disable_automoutingapicred_pass(t *testing.T) {
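Review bot: The two commented-out test functions in the first hunk should be deleted rather than left as comments: the scenario files they name are removed (`scenario_validate_image_tag_notspecified_deny.yaml`) and renamed (`..._pass.yaml`) by this same commit, so the comments point at paths that no longer exist and will only confuse the next reader. In the second hunk, `Test_validate_image_tag_latest_deny`/`_pass` are repointed at the new scenario files, but the diffstat shows no deletion of `scenario_validate_image_tag_latest_deny.yaml`/`_pass.yaml`, so those old scenario files appear to stay in the tree unreferenced unless something outside this diff uses them. The new paths also carry the misspelling `valiadate`, which the new scenario files in this commit share; renaming them to `test/scenarios/test/scenario_validate_require_image_tag_not_latest_{deny,pass}.yaml` before merge avoids freezing the typo into the suite and into every future test that copies these lines.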
diff --git a/samples/best_practices/require_image_tag_not_latest.yaml b/samples/best_practices/require_image_tag_not_latest.yaml
new file mode 100644
index 0000000000..17ad2dece3
--- /dev/null
+++ b/samples/best_practices/require_image_tag_not_latest.yaml
@@ -0,0 +1,28 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-image-tag
+spec:
+  rules:
+  - name: image-tag-notspecified
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "image tag not specified"
+      pattern:
+        spec:
+          containers:
+          - image: "*:*"
+  - name: image-tag-not-latest
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "set image tag to a specific version"
+      pattern:
+        spec:
+          containers:
+          - image: "!*:latest"
diff --git a/test/manifest/require_image_tag_not_latest_deny.yaml b/test/manifest/require_image_tag_not_latest_deny.yaml
new file mode 100644
index 0000000000..904f3719e0
--- /dev/null
+++ b/test/manifest/require_image_tag_not_latest_deny.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
\ No newline at end of file
diff --git a/test/manifest/require_image_tag_not_latest_pass.yaml b/test/manifest/require_image_tag_not_latest_pass.yaml
new file mode 100644
index 0000000000..5e83577bb7
--- /dev/null
+++ b/test/manifest/require_image_tag_not_latest_pass.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.12
\ No newline at end of file
diff --git a/test/manifest/require_pod_requests_limits.yaml b/test/manifest/require_pod_requests_limits.yaml
index 78fc52f700..e26d7ecc89 100644
--- a/test/manifest/require_pod_requests_limits.yaml
+++ b/test/manifest/require_pod_requests_limits.yaml
@@ -11,5 +11,6 @@ spec:
     resources:
       requests:
         memory: "256Mi"
+        cpu: "0.5"
       limits:
         memory: "256Mi"
\ No newline at end of file
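Review bot: The `image-tag-notspecified` rule's pattern `"*:*"` only checks that the image string contains a colon, so — depending on how the engine's wildcard matcher treats `/` and `@` — an untagged reference whose registry carries a port (for example `registry.example:5000/nginx`, constructed) or a digest-only reference (`nginx@sha256:…`) would satisfy it even though no tag is present, and the policy's stated guarantee is weaker than its name suggests. The `"!*:latest"` pattern likewise rejects only the literal `latest` tag and says nothing about other mutable tags, which is fine for the stated intent but should be written down so operators do not over-read it. Worth a comment above the first rule such as `# "*:*" only asserts a colon is present; registry ports and digests also contain one`, and the deny/pass manifests in this commit could be joined by a case with a port-qualified registry to pin the behaviour either way. Separately, `apiVersion : kyverno.io/v1alpha1` has a space before the colon; YAML accepts it, but it differs from every other key in the file.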
diff --git a/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml b/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml
new file mode 100644
index 0000000000..86cb1bcdde
--- /dev/null
+++ b/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml
@@ -0,0 +1,22 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/require_image_tag_not_latest.yaml
+  resource: test/manifest/require_image_tag_not_latest_deny.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-image-tag
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: myapp-pod
+      rules:
+      - name: image-tag-notspecified
+        type: Validation
+        message: "Validation rule 'image-tag-notspecified' succesfully validated"
+        success: true
+      - name: image-tag-not-latest
+        type: Validation
+        message: "Validation rule 'image-tag-not-latest' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. set image tag to a specific version"
+        success: false
diff --git a/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml b/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml
similarity index 59%
rename from test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
rename to test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml
index 3b004aff15..0e2622295f 100644
--- a/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
+++ b/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml
@@ -1,11 +1,11 @@
 # file path relative to project root
 input:
-  policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
-  resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml
+  policy: samples/best_practices/require_image_tag_not_latest.yaml
+  resource: examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
 expected:
   validation:
     policyresponse:
-      policy: validate-image-tag-notspecified
+      policy: validate-image-tag
       resource:
         kind: Pod
         apiVersion: v1
@@ -16,3 +16,7 @@ expected:
         type: Validation
         message: "Validation rule 'image-tag-notspecified' succesfully validated"
         success: true
+      - name: image-tag-not-latest
+        type: Validation
+        message: "Validation rule 'image-tag-not-latest' succesfully validated"
+        success: true
diff --git a/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml b/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
deleted file mode 100644
index ba4e108170..0000000000
--- a/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# file path relative to project root
-input:
-  policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
-  resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: validate-image-tag-notspecified
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: myapp-pod
-      rules:
-      - name: image-tag-notspecified
-        type: Validation
-        message: "Validation rule 'image-tag-notspecified' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. image tag not specified"
-        success: false
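Review bot: The renamed pass scenario's `resource:` line in the first hunk now points at `examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml`, while the companion deny scenario in this commit uses the new manifest under `test/manifest/`; as a result the `test/manifest/require_image_tag_not_latest_pass.yaml` added here is not referenced by any scenario in the diff, and the pass test depends on a file under `examples/` that this commit neither adds nor touches, so its content cannot be checked from the patch. Pointing the scenario at the new manifest, `  resource: test/manifest/require_image_tag_not_latest_pass.yaml`, keeps the deny/pass pair symmetric and makes the pass expectation (`nginx:1.12` satisfies both rules) verifiable from this commit alone. If the `examples/` reference is intentional, the unused manifest should be dropped instead.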