From 4d6a511437860fbe4a7b20328dc9e3474140a824 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Fri, 1 Sep 2023 01:08:54 +0200
Subject: [PATCH] fix: multiple test cases for generate policy lead to wrong test results (#8197)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix: multiple test cases for generate policy lead to wrong test results
Signed-off-by: Charles-Edouard Brétéché
* add cli test
Signed-off-by: Charles-Edouard Brétéché
* fix
Signed-off-by: Charles-Edouard Brétéché
---------
Signed-off-by: Charles-Edouard Brétéché
---
 cmd/cli/kubectl-kyverno/test/test.go | 71 ++++++++++---------
 .../generated-resource-1.yaml | 5 ++
 .../generated-resource-2.yaml | 5 ++
 .../multiple-resources/kyverno-test.yaml | 18 +++++
 .../multiple-resources/policy.yaml | 17 +++++
 .../multiple-resources/resources.yaml | 11 +++
 6 files changed, 94 insertions(+), 33 deletions(-)
 create mode 100644 test/cli/test-generate/multiple-resources/generated-resource-1.yaml
 create mode 100644 test/cli/test-generate/multiple-resources/generated-resource-2.yaml
 create mode 100644 test/cli/test-generate/multiple-resources/kyverno-test.yaml
 create mode 100644 test/cli/test-generate/multiple-resources/policy.yaml
 create mode 100644 test/cli/test-generate/multiple-resources/resources.yaml
diff --git a/cmd/cli/kubectl-kyverno/test/test.go b/cmd/cli/kubectl-kyverno/test/test.go
index 1f9d1195da..3475c49ca0 100644
--- a/cmd/cli/kubectl-kyverno/test/test.go
+++ b/cmd/cli/kubectl-kyverno/test/test.go
@@ -397,6 +397,8 @@ func buildPolicyResults(
 if _, ok := results[resultsKey]; !ok {
 results[resultsKey] = result
 }
+
+ buildPolicyResultsForGenerate(resp, test, policyNamespace, policyName, resourceNamespace, resourceKind, resourceName, results, isGit, policyResourcePath, fs)
 }
 }
 }
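Review bot: Five adjacent `string` arguments (`policyNamespace, policyName, resourceNamespace, resourceKind, resourceName`) are passed positionally in the added call, and the same eleven-argument call is repeated in the next hunk (new line 435), so a transposed pair in either copy would compile and silently address the wrong key in `results`. A one-line comment above each call, e.g. `// overwrites the results entry of generate rules matching test.Rule for this resource`, would at least record that the helper mutates the map; grouping the five identifiers into a small struct would remove the ordering risk. The loops of `buildPolicyResults` that enclose this call start outside the hunk, so whether the two branches could share one call is not visible here.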
@@ -433,39 +435,7 @@ func buildPolicyResults(
 if _, ok := results[resultsKey]; !ok {
 results[resultsKey] = result
 }
- }
- }
-
- for _, rule := range resp.PolicyResponse.Rules {
- if rule.RuleType() != engineapi.Generation || test.Rule != rule.Name() {
- continue
- }
-
- var resultsKey []string
- var resultKey string
- var result policyreportv1alpha2.PolicyReportResult
- resultsKey = GetAllPossibleResultsKey(policyNamespace, policyName, rule.Name(), resourceNamespace, resourceKind, resourceName, test.IsValidatingAdmissionPolicy)
- for _, key := range resultsKey {
- if val, ok := results[key]; ok {
- result = val
- resultKey = key
- } else {
- continue
- }
-
- if rule.Status() == engineapi.RuleStatusSkip {
- result.Result = policyreportv1alpha2.StatusSkip
- } else if rule.Status() == engineapi.RuleStatusError {
- result.Result = policyreportv1alpha2.StatusError
- } else {
- var x string
- result.Result = policyreportv1alpha2.StatusFail
- x = getAndCompareResource(test.GeneratedResource, rule.GeneratedResource(), isGit, policyResourcePath, fs, true)
- if x == "pass" {
- result.Result = policyreportv1alpha2.StatusPass
- }
- }
- results[resultKey] = result
+ buildPolicyResultsForGenerate(resp, test, policyNamespace, policyName, resourceNamespace, resourceKind, resourceName, results, isGit, policyResourcePath, fs)
 }
 }
 
@@ -549,6 +519,41 @@ func buildPolicyResults(
 return results, testResults
 }
 
+func buildPolicyResultsForGenerate(resp engineapi.EngineResponse, test api.TestResults, policyNamespace string, policyName string, resourceNamespace string, resourceKind string, resourceName string, results map[string]policyreportv1alpha2.PolicyReportResult, isGit bool, policyResourcePath string, fs billy.Filesystem) {
+ for _, rule := range resp.PolicyResponse.Rules {
+ if rule.RuleType() != engineapi.Generation || test.Rule != rule.Name() {
+ continue
+ }
+
+ var resultsKey []string
+ var resultKey string
+ var result policyreportv1alpha2.PolicyReportResult
+ resultsKey = GetAllPossibleResultsKey(policyNamespace, policyName, rule.Name(), resourceNamespace, resourceKind, resourceName, test.IsValidatingAdmissionPolicy)
+ for _, key := range resultsKey {
+ if val, ok := results[key]; ok {
+ result = val
+ resultKey = key
+ } else {
+ continue
+ }
+
+ if rule.Status() == engineapi.RuleStatusSkip {
+ result.Result = policyreportv1alpha2.StatusSkip
+ } else if rule.Status() == engineapi.RuleStatusError {
+ result.Result = policyreportv1alpha2.StatusError
+ } else {
+ var x string
+ result.Result = policyreportv1alpha2.StatusFail
+ x = getAndCompareResource(test.GeneratedResource, rule.GeneratedResource(), isGit, policyResourcePath, fs, true)
+ if x == "pass" {
+ result.Result = policyreportv1alpha2.StatusPass
+ }
+ }
+ results[resultKey] = result
+ }
+ }
+}
+
 func GetAllPossibleResultsKey(policyNamespace, policy, rule, resourceNamespace, kind, resource string, isVAP bool) []string {
 var resultsKey []string
 var resultKey1, resultKey2, resultKey3, resultKey4 string
diff --git a/test/cli/test-generate/multiple-resources/generated-resource-1.yaml b/test/cli/test-generate/multiple-resources/generated-resource-1.yaml
new file mode 100644
index 0000000000..9be1787c2d
--- /dev/null
+++ b/test/cli/test-generate/multiple-resources/generated-resource-1.yaml
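Review bot: `buildPolicyResultsForGenerate` in `test.go` has no doc comment although it returns nothing and works only by overwriting entries of the `results` map it is handed; something like `// buildPolicyResultsForGenerate overwrites, for each generate rule named test.Rule, the matching entries in results with the outcome of comparing test.GeneratedResource to the rule's generated resource.` would state that contract. The final `else` runs `getAndCompareResource` for every status other than skip and error, so the reported result then rests on the `x == "pass"` string comparison alone; if a rule that did not pass can still carry a generated resource it could be reported as pass, which is worth confirming against the engine. The inner `if val, ok := results[key]; ok { … } else { continue }` would read more directly with the guard inverted, `if !ok { continue }`, followed by the two assignments.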
@@ -0,0 +1,5 @@
+apiVersion: foo/v1
+kind: Foo
+metadata:
+ name: foo-resource-a
+ namespace: default
\ No newline at end of file
diff --git a/test/cli/test-generate/multiple-resources/generated-resource-2.yaml b/test/cli/test-generate/multiple-resources/generated-resource-2.yaml
new file mode 100644
index 0000000000..948d806ae8
--- /dev/null
+++ b/test/cli/test-generate/multiple-resources/generated-resource-2.yaml
@@ -0,0 +1,5 @@
+apiVersion: foo/v1
+kind: Foo
+metadata:
+ name: foo-resource-b
+ namespace: default
diff --git a/test/cli/test-generate/multiple-resources/kyverno-test.yaml b/test/cli/test-generate/multiple-resources/kyverno-test.yaml
new file mode 100644
index 0000000000..75f928bb84
--- /dev/null
+++ b/test/cli/test-generate/multiple-resources/kyverno-test.yaml
@@ -0,0 +1,18 @@
+name: multiple-resources
+policies:
+ - policy.yaml
+resources:
+ - resources.yaml
+results:
+ - policy: test-policy
+ rule: rule
+ resource: resource-a
+ generatedResource: generated-resource-1.yaml
+ kind: Deployment
+ result: pass
+ - policy: test-policy
+ rule: rule
+ resource: resource-b
+ generatedResource: generated-resource-2.yaml
+ kind: Deployment
+ result: pass
\ No newline at end of file
diff --git a/test/cli/test-generate/multiple-resources/policy.yaml b/test/cli/test-generate/multiple-resources/policy.yaml
new file mode 100644
index 0000000000..9937bbf79b
--- /dev/null
+++ b/test/cli/test-generate/multiple-resources/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-policy
+spec:
+ rules:
+ - name: rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ generate:
+ apiVersion: foo/v1
+ kind: Foo
+ name: "foo-{{request.object.metadata.name}}"
+ namespace: "{{request.object.metadata.namespace}}"
\ No newline at end of file
diff --git a/test/cli/test-generate/multiple-resources/resources.yaml b/test/cli/test-generate/multiple-resources/resources.yaml
new file mode 100644
index 0000000000..2a42107849
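Review bot: Both entries under `results` in `kyverno-test.yaml` expect `result: pass`, so the fixture checks that each Deployment is matched with its own generated resource but never that a mismatch is still reported as a failure. Since the commit is about wrong results when several generate cases run together, a further case that pairs a Deployment with the other resource's file (for example `generatedResource: generated-resource-2.yaml` for `resource-a`) and expects `result: fail` would guard against the opposite error, a false pass. Whether the test runner accepts two entries for the same policy, rule and resource is not visible here, so that case may need its own test directory.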
--- /dev/null
+++ b/test/cli/test-generate/multiple-resources/resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: resource-a
+ namespace: default
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: resource-b
+ namespace: default
\ No newline at end of file