diff --git a/cmd/cli/kubectl-kyverno/commands/test/command.go b/cmd/cli/kubectl-kyverno/commands/test/command.go
index 17aa098428..da066537b1 100644
--- a/cmd/cli/kubectl-kyverno/commands/test/command.go
+++ b/cmd/cli/kubectl-kyverno/commands/test/command.go
@@ -211,12 +211,17 @@ func lookupEngineResponses(test api.TestResults, resourceName string, responses
 func lookupRuleResponses(test api.TestResults, responses ...engineapi.RuleResponse) []engineapi.RuleResponse {
 var matches []engineapi.RuleResponse
- for _, response := range responses {
- rule := response.Name()
- if rule != test.Rule && rule != "autogen-"+test.Rule && rule != "autogen-cronjob-"+test.Rule {
- continue
+ // Since there are no rules in case of validating admission policies, responses are returned without checking rule names.
+ if test.IsValidatingAdmissionPolicy {
+ matches = responses
+ } else {
+ for _, response := range responses {
+ rule := response.Name()
+ if rule != test.Rule && rule != "autogen-"+test.Rule && rule != "autogen-cronjob-"+test.Rule {
+ continue
+ }
+ matches = append(matches, response)
 }
- matches = append(matches, response)
 }
 return matches
 }
diff --git a/test/cli/test/validating-admission-policies/disallow-host-path/deployments.yaml b/test/cli/test/validating-admission-policies/disallow-host-path/deployments.yaml
new file mode 100644
index 0000000000..ff35e80ac9
--- /dev/null
+++ b/test/cli/test/validating-admission-policies/disallow-host-path/deployments.yaml
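Review bot: When `test.IsValidatingAdmissionPolicy` is set, the new branch hands back every response without consulting `test.Rule`, so a results entry that sets the flag and also names a rule silently matches responses for rules it never asked about, while a VAP entry that omits the flag falls into the rule-name loop and most likely matches nothing; neither case produces a diagnostic here. Because the flag is read from the test file rather than derived from the policy kind, it would be worth validating that combination where `api.TestResults` is loaded (outside this hunk) or at least spelling it out in the comment above the branch, e.g. `// Validating admission policies have no rules: every response is returned and test.Rule is ignored.` Stylistically, an early return keeps the happy path flat: `if test.IsValidatingAdmissionPolicy { return responses }` followed by the loop at its original indentation, instead of wrapping the loop in an `else` block. The whole of lookupRuleResponses is inside the hunk.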
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-pass
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx-server
+ image: nginx
+ volumeMounts:
+ - name: temp
+ mountPath: /scratch
+ volumes:
+ - name: temp
+ emptyDir: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-fail
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx-server
+ image: nginx
+ volumeMounts:
+ - name: udev
+ mountPath: /data
+ volumes:
+ - name: udev
+ hostPath:
+ path: /etc/udev
diff --git a/test/cli/test/validating-admission-policies/disallow-host-path/disallow-host-path.yaml b/test/cli/test/validating-admission-policies/disallow-host-path/disallow-host-path.yaml
new file mode 100644
index 0000000000..78d44a49c9
--- /dev/null
+++ b/test/cli/test/validating-admission-policies/disallow-host-path/disallow-host-path.yaml
@@ -0,0 +1,15 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: disallow-host-path
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["apps"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["deployments"]
+ validations:
+ - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
+ message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."
diff --git a/test/cli/test/validating-admission-policies/disallow-host-path/kyverno-test.yaml b/test/cli/test/validating-admission-policies/disallow-host-path/kyverno-test.yaml
new file mode 100644
index 0000000000..36b5b9c9dc
--- /dev/null
+++ b/test/cli/test/validating-admission-policies/disallow-host-path/kyverno-test.yaml
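Review bot: Both fixture Deployments declare `spec.template.spec.volumes`, so the `!has(object.spec.template.spec.volumes)` half of the policy's CEL expression is never exercised by this test; a third Deployment with no `volumes` block, listed in kyverno-test.yaml with `result: pass`, would cover that branch. The fixture policy also uses `admissionregistration.k8s.io/v1alpha1` and matches only `apps/v1` Deployments, which is fine for a CLI test but should not be copied as a real hostPath guard, since a Pod created directly or via another workload kind would not be matched at all.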
@@ -0,0 +1,16 @@
+name: disallow-host-path-test
+policies:
+ - disallow-host-path.yaml
+resources:
+ - deployments.yaml
+results:
+ - policy: disallow-host-path
+ resource: deployment-pass
+ isValidatingAdmissionPolicy: true
+ kind: Deployment
+ result: pass
+ - policy: disallow-host-path
+ resource: deployment-fail
+ isValidatingAdmissionPolicy: true
+ kind: Deployment
+ result: fail