clean up

pkg/testrunner/testrunner_test.go

@@ -3,135 +3,135 @@ package testrunner
 import "testing"
 
 func Test_Mutate_EndPoint(t *testing.T) {
-	testScenario(t, "/test/scenarios/test/scenario_mutate_endPpoint.yaml")
+	testScenario(t, "/test/scenarios/other/scenario_mutate_endpoint.yaml")
 }
 
-func Test_Mutate_imagePullPolicy(t *testing.T) {
-	testScenario(t, "/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml")
-}
+// func Test_Mutate_imagePullPolicy(t *testing.T) {
+// 	testScenario(t, "/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml")
+// }
 
 func Test_Mutate_Validate_qos(t *testing.T) {
-	testScenario(t, "/test/scenarios/test/scenario_mutate_validate_qos.yaml")
+	testScenario(t, "/test/scenarios/other/scenario_mutate_validate_qos.yaml")
 }
 
-func Test_validate_containerSecurityContext(t *testing.T) {
-	testScenario(t, "/test/scenarios/test/scenario_validate_containerSecurityContext.yaml")
-}
+// func Test_validate_containerSecurityContext(t *testing.T) {
+// 	testScenario(t, "/test/scenarios/test/scenario_validate_containerSecurityContext.yaml")
+// }
 
 func Test_validate_deny_runasrootuser(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_deny_runasrootuser.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml")
 }
 
 func Test_validate_disallow_priviledgedprivelegesecalation(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_disallow_priviledged_privelegesecalation.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml")
 }
 
 func Test_validate_healthChecks(t *testing.T) {
-	testScenario(t, "/test/scenarios/test/scenario_validate_healthChecks.yaml")
+	testScenario(t, "/test/scenarios/other/scenario_validate_healthChecks.yaml")
 }
 
 func Test_validate_nonRootUsers(t *testing.T) {
-	testScenario(t, "/test/scenarios/test/scenario_validate_nonRootUser.yaml")
+	testScenario(t, "/test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml")
 }
 
 func Test_generate_networkPolicy(t *testing.T) {
-	testScenario(t, "/test/scenarios/test/scenario_generate_networkPolicy.yaml")
+	testScenario(t, "/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml")
 }
 
 // namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver
 
-func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml")
-}
+// func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) {
+// 	testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml")
+// }
 
-func Test_validate_image_pullpolicy_notalways_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml")
-}
+// func Test_validate_image_pullpolicy_notalways_pass(t *testing.T) {
+// 	testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml")
+// }
 
 func Test_validate_require_image_tag_not_latest_deny(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml")
 }
 
-func Test_validate_require_image_tag_not_latest_notag(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml")
-}
+// func Test_validate_require_image_tag_not_latest_notag(t *testing.T) {
+// 	testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml")
+// }
 
 func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml")
 }
 
 func Test_validate_disallow_automoutingapicred_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml")
 }
 
 func Test_validate_disallow_default_namespace(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_disallow_default_namespace.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml")
 }
 
 func Test_validate_host_network_port(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_network_hostport.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml")
 }
 
 func Test_validate_hostPID_hostIPC(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_disallow_hostpid_hostipc.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml")
 }
 
 func Test_validate_not_readonly_rootfilesystem(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_require_readonly_rootfilesystem.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml")
 }
 
 func Test_validate_require_namespace_quota(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_require_namespace_quota.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml")
 }
 
 func Test_validate_disallow_node_port(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_disallow_node_port.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml")
 }
 
 func Test_validate_disallow_default_serviceaccount(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml")
+	testScenario(t, "test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml")
 }
 
 func Test_validate_fsgroup(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_fsgroup.yaml")
+	testScenario(t, "test/scenarios/samples/more/scenario_validate_fsgroup.yaml")
 }
 
 func Test_validate_selinux_context(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_selinux_context.yaml")
+	testScenario(t, "test/scenarios/other/scenario_validate_selinux_context.yaml")
 }
 
 func Test_validate_proc_mount(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_default_proc_mount.yaml")
+	testScenario(t, "test/scenarios/other/scenario_validate_default_proc_mount.yaml")
 }
 
 func Test_validate_container_capabilities(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_container_capabilities.yaml")
+	testScenario(t, "test/scenarios/samples/more/scenario_validate_container_capabilities.yaml")
 }
 
 func Test_validate_disallow_sysctl(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_sysctl_configs.yaml")
+	testScenario(t, "test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml")
 }
 
 func Test_validate_volume_whitelist(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_volume_whiltelist.yaml")
+	testScenario(t, "test/scenarios/other/scenario_validate_volume_whiltelist.yaml")
 }
 
 func Test_validate_trusted_image_registries(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_trusted_image_registries.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml")
 }
 
 func Test_require_pod_requests_limits(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml")
 }
 
 func Test_require_probes(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_probes.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_probes.yaml")
 }
 
 func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml")
 }
 
 func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml")
 }

samples/README.md

@@ -143,7 +143,7 @@ All processes inside the pod can be made to run with specific user and groupID b
 ## Configure kernel parameters inside pod
 The Sysctl interface allows to modify kernel parameters at runtime and in the pod can be specified under `securityContext.sysctls`. If kernel parameters in the pod are to be modified, should be handled cautiously, and policy with rules restricting these options will be helpful. We can control minimum and maximum port that a network connection can use as its source(local) port by checking net.ipv4.ip_local_port_range
 
-***Policy YAML***: [policy_validate_container_capabilities.yaml](more/policy_validate_user_group_fsgroup_id.yaml)
+***Policy YAML***: [policy_validate_container_capabilities.yaml](more/policy_validate_sysctl_configs.yaml)
 
 **Additional Information**
 * [List of supported namespaced sysctl interfaces](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) 

samples/more/policy_validate_fsgroup.yaml

@@ -1,22 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-fsgroup
-spec:
-  validationFailureAction: "audit"
-  rules:
-  - name: validate-fsgroup
-    exclude:
-      resources:
-        namespaces: 
-        - kube-system
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "directory should have group ID 2000"
-      pattern:
-        spec:
-          securityContext:
-            fsGroup: 2000

test/scenarios/mutate/policy_mutate_imagePullPolicy.yaml

@@ -1,28 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: image-pull-policy
-spec:
-  rules:
-  - name: image-pull-policy
-    match:
-      resources:
-        kinds:
-        - Deployment
-        selector:
-          matchLabels:
-            app : nginxlatest
-    exclude:
-      resources:
-        kinds:
-        - DaemonSet
-    mutate:
-      overlay:
-        spec:
-          template:
-            spec:
-              containers:
-              # select images which end with :latest
-              - (image): "*latest"
-                # require that the imagePullPolicy is "IfNotPresent"  
-                imagePullPolicy: IfNotPresent

test/scenarios/other/scenario_mutate_endpoint.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: test/scenarios/mutate/policy_mutate_endpoint.yaml
-  resource: test/scenarios/resources/resource_mutate_endpoint.yaml
+  policy: test/policy/mutate/policy_mutate_endpoint.yaml
+  resource: test/resources/resource_mutate_endpoint.yaml
 expected:
   mutation:
     patchedresource: test/output/output_mutate_endpoint.yaml

test/scenarios/other/scenario_mutate_validate_qos.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: test/scenarios/mutate/policy_mutate_validate_qos.yaml
-  resource: test/scenarios/resources/resource_mutate_validate_qos.yaml
+  policy: test/policy/mutate/policy_mutate_validate_qos.yaml
+  resource: test/resources/resource_mutate_validate_qos.yaml
 expected:
   mutation:
     patchedresource: test/output/output_mutate_validate_qos.yaml

test/scenarios/other/scenario_validate_default_proc_mount.yaml

@@ -1,8 +1,8 @@
 
 # file path relative to project root
 input:
-  policy: test/scenarios/validate/policy_validate_default_proc_mount.yaml
-  resource: test/scenarios/resources/resource_validate_default_proc_mount.yaml
+  policy: test/policy/validate/policy_validate_default_proc_mount.yaml
+  resource: test/resources/resource_validate_default_proc_mount.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: test/scenarios/validate/policy_validate_disallow_default_serviceaccount.yaml
-  resource: test/scenarios/resources/resource_validate_disallow_default_serviceaccount.yaml
+  policy: test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml
+  resource: test/resources/resource_validate_disallow_default_serviceaccount.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/other/scenario_validate_healthChecks.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: test/scenarios/validate/policy_validate_healthChecks.yaml
-  resource: test/scenarios/resources/resource_validate_healthChecks.yaml
+  policy: test/policy/validate/policy_validate_healthChecks.yaml
+  resource: test/resources/resource_validate_healthChecks.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/other/scenario_validate_selinux_context.yaml

@@ -1,8 +1,8 @@
 
 # file path relative to project root
 input:
-  policy: test/scenarios/validate/policy_validate_selinux_context.yaml
-  resource: test/scenarios/resources/resource_validate_selinux_context.yaml
+  policy: test/policy/validate/policy_validate_selinux_context.yaml
+  resource: test/resources/resource_validate_selinux_context.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/other/scenario_validate_volume_whiltelist.yaml

@@ -1,8 +1,8 @@
 
 # file path relative to project root
 input:
-  policy: test/scenarios/validate/policy_validate_volume_whitelist.yaml
-  resource: test/scenarios/resources/resource_validate_volume_whitelist.yaml
+  policy: test/policy/validate/policy_validate_volume_whitelist.yaml
+  resource: test/resources/resource_validate_volume_whitelist.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/require_default_network_policy.yaml
-  resource: test/scenarios/resources/require_default_network_policy.yaml
+  resource: test/resources/require_default_network_policy.yaml
 expected:
   generation:
     generatedResources:

test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/require_image_tag_not_latest.yaml
-  resource: test/scenarios/resources/require_image_tag_not_latest_deny.yaml
+  resource: test/resources/require_image_tag_not_latest_deny.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/require_image_tag_not_latest.yaml
-  resource: test/scenarios/resources/resource_validate_image_tag_latest_pass.yaml
+  resource: test/resources/resource_validate_image_tag_latest_pass.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/deny_runasrootuser.yaml
-  resource: test/scenarios/resources/deny_runasrootuser.yaml
+  resource: test/resources/deny_runasrootuser.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_automountingapicred.yaml
-  resource: test/scenarios/resources/disallow_automountingapicred.yaml
+  resource: test/resources/disallow_automountingapicred.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_default_namespace.yaml
-  resource: test/scenarios/resources/disallow_default_namespace.yaml
+  resource: test/resources/disallow_default_namespace.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_host_filesystem.yaml
-  resource: test/scenarios/resources/disallow_host_filesystem.yaml
+  resource: test/resources/disallow_host_filesystem.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_host_filesystem.yaml
-  resource: test/scenarios/resources/disallow_host_filesystem_pass.yaml
+  resource: test/resources/disallow_host_filesystem_pass.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_host_network_hostport.yaml
-  resource: test/scenarios/resources/disallow_host_network_hostport.yaml
+  resource: test/resources/disallow_host_network_hostport.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:  
   policy: samples/best_practices/disallow_hostpid_hostipc.yaml
-  resource: test/scenarios/resources/disallow_hostpid_hostipc.yaml
+  resource: test/resources/disallow_hostpid_hostipc.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml

@@ -1,8 +1,6 @@
-
-# file path relative to project root
 input:
   policy: samples/best_practices/disallow_node_port.yaml
-  resource: test/scenarios/resources/disallow_node_port.yaml
+  resource: test/resources/disallow_node_port.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_priviledged_priviligedescalation.yaml
-  resource: test/scenarios/resources/disallow_priviledged_priviligedescalation.yaml
+  resource: test/resources/disallow_priviledged_priviligedescalation.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/policy_validate_deny_runasrootuser.yaml
-  resource: test/scenarios/resources/resource_validate_nonRootUser.yaml
+  resource: test/resources/resource_validate_nonRootUser.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_probes.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/require_probes.yaml
-  resource: test/scenarios/resources/require_probes.yaml
+  resource: test/resources/require_probes.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/require_namespace_quota.yaml
-  resource: test/scenarios/resources/require_namespace_quota.yaml
+  resource: test/resources/require_namespace_quota.yaml
 expected:
   generation:
     generatedResources:

test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/require_pod_requests_limits.yaml
-  resource: test/scenarios/resources/require_pod_requests_limits.yaml
+  resource: test/resources/require_pod_requests_limits.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/require_readonly_rootfilesystem.yaml
-  resource: test/scenarios/resources/require_readonly_rootfilesystem.yaml
+  resource: test/resources/require_readonly_rootfilesystem.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/trusted_image_registries.yaml
-  resource: test/scenarios/resources//trusted_image_registries.yaml
+  resource: test/resources//trusted_image_registries.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/more/scenario_validate_container_capabilities.yaml

@@ -2,7 +2,7 @@
 # file path relative to project root
 input:
   policy: samples/more/policy_validate_container_capabilities.yaml
-  resource: test/scenarios/resources/resource_validate_container_capabilities.yaml
+  resource: test/resources/resource_validate_container_capabilities.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/samples/more/scenario_validate_fsgroup.yaml

@@ -2,7 +2,7 @@
 # file path relative to project root
 input:
   policy: samples/more/policy_validate_user_group_fsgroup_id.yaml
-  resource: test/scenarios/resources/resource_validate_fsgroup.yaml
+  resource: test/resources/resource_validate_fsgroup.yaml
 expected:
   validation:
     policyresponse: