diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 1ba7c92929..dca74585cc 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -3,135 +3,135 @@ package testrunner import "testing" func Test_Mutate_EndPoint(t *testing.T) { - testScenario(t, "/test/scenarios/test/scenario_mutate_endPpoint.yaml") + testScenario(t, "/test/scenarios/other/scenario_mutate_endpoint.yaml") } -func Test_Mutate_imagePullPolicy(t *testing.T) { - testScenario(t, "/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml") -} +// func Test_Mutate_imagePullPolicy(t *testing.T) { +// testScenario(t, "/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml") +// } func Test_Mutate_Validate_qos(t *testing.T) { - testScenario(t, "/test/scenarios/test/scenario_mutate_validate_qos.yaml") + testScenario(t, "/test/scenarios/other/scenario_mutate_validate_qos.yaml") } -func Test_validate_containerSecurityContext(t *testing.T) { - testScenario(t, "/test/scenarios/test/scenario_validate_containerSecurityContext.yaml") -} +// func Test_validate_containerSecurityContext(t *testing.T) { +// testScenario(t, "/test/scenarios/test/scenario_validate_containerSecurityContext.yaml") +// } func Test_validate_deny_runasrootuser(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_deny_runasrootuser.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml") } func Test_validate_disallow_priviledgedprivelegesecalation(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_disallow_priviledged_privelegesecalation.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml") } func Test_validate_healthChecks(t *testing.T) { - testScenario(t, "/test/scenarios/test/scenario_validate_healthChecks.yaml") + testScenario(t, "/test/scenarios/other/scenario_validate_healthChecks.yaml") } func Test_validate_nonRootUsers(t *testing.T) { - testScenario(t, "/test/scenarios/test/scenario_validate_nonRootUser.yaml") + testScenario(t, 
"/test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml") } func Test_generate_networkPolicy(t *testing.T) { - testScenario(t, "/test/scenarios/test/scenario_generate_networkPolicy.yaml") + testScenario(t, "/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml") } // namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver -func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml") -} +// func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) { +// testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml") +// } -func Test_validate_image_pullpolicy_notalways_pass(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml") -} +// func Test_validate_image_pullpolicy_notalways_pass(t *testing.T) { +// testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml") +// } func Test_validate_require_image_tag_not_latest_deny(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml") } -func Test_validate_require_image_tag_not_latest_notag(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml") -} +// func Test_validate_require_image_tag_not_latest_notag(t *testing.T) { +// testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml") +// } func Test_validate_require_image_tag_not_latest_pass(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml") + testScenario(t, 
"test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml") } func Test_validate_disallow_automoutingapicred_pass(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml") } func Test_validate_disallow_default_namespace(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_disallow_default_namespace.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml") } func Test_validate_host_network_port(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_network_hostport.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml") } func Test_validate_hostPID_hostIPC(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_disallow_hostpid_hostipc.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml") } func Test_validate_not_readonly_rootfilesystem(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_require_readonly_rootfilesystem.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml") } func Test_validate_require_namespace_quota(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_require_namespace_quota.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml") } func Test_validate_disallow_node_port(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_disallow_node_port.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml") } func Test_validate_disallow_default_serviceaccount(t *testing.T) { - 
testScenario(t, "test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml") + testScenario(t, "test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml") } func Test_validate_fsgroup(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_fsgroup.yaml") + testScenario(t, "test/scenarios/samples/more/scenario_validate_fsgroup.yaml") } func Test_validate_selinux_context(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_selinux_context.yaml") + testScenario(t, "test/scenarios/other/scenario_validate_selinux_context.yaml") } func Test_validate_proc_mount(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_default_proc_mount.yaml") + testScenario(t, "test/scenarios/other/scenario_validate_default_proc_mount.yaml") } func Test_validate_container_capabilities(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_container_capabilities.yaml") + testScenario(t, "test/scenarios/samples/more/scenario_validate_container_capabilities.yaml") } func Test_validate_disallow_sysctl(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_sysctl_configs.yaml") + testScenario(t, "test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml") } func Test_validate_volume_whitelist(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_volume_whiltelist.yaml") + testScenario(t, "test/scenarios/other/scenario_validate_volume_whiltelist.yaml") } func Test_validate_trusted_image_registries(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_trusted_image_registries.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml") } func Test_require_pod_requests_limits(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml") + testScenario(t, 
"test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml") } func Test_require_probes(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_probes.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_probes.yaml") } func Test_validate_disallow_host_filesystem_fail(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml") } func Test_validate_disallow_host_filesystem_pass(t *testing.T) { - testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml") + testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml") } diff --git a/samples/README.md b/samples/README.md index 3b207c9876..4210b53dfe 100644 --- a/samples/README.md +++ b/samples/README.md @@ -143,7 +143,7 @@ All processes inside the pod can be made to run with specific user and groupID b ## Configure kernel parameters inside pod The Sysctl interface allows to modify kernel parameters at runtime and in the pod can be specified under `securityContext.sysctls`. If kernel parameters in the pod are to be modified, should be handled cautiously, and policy with rules restricting these options will be helpful. We can control minimum and maximum port that a network connection can use as its source(local) port by checking net.ipv4.ip_local_port_range -***Policy YAML***: [policy_validate_container_capabilities.yaml](more/policy_validate_user_group_fsgroup_id.yaml) +***Policy YAML***: [policy_validate_container_capabilities.yaml](more/policy_validate_sysctl_configs.yaml) **Additional Information** * [List of supported namespaced sysctl interfaces](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) 
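Review bot: Five tests are commented out rather than skipped or deleted (`Test_Mutate_imagePullPolicy`, `Test_validate_containerSecurityContext`, both `Test_validate_image_pullpolicy_notalways_*` cases and `Test_validate_require_image_tag_not_latest_notag`), so the container security-context and image-policy scenarios drop out of the run with no trace in the test output. If they are meant to come back, keep each function and open it with `t.Skip("TODO(<tracking issue>): scenario not migrated")` so the gap is reported as skipped; if the policies are gone for good (this commit deletes `policy_mutate_imagePullPolicy.yaml`), delete the tests instead of leaving bodies that still point at `test/scenarios/test/`. The comment `// namespace is blank, not "default" ...` now sits directly above a commented-out function and should move or be removed with it. The new paths also keep the mixed leading-slash style (`"/test/scenarios/other/..."` next to `"test/scenarios/samples/..."`); presumably `testScenario` resolves both against the project root, but a single form would be easier to read.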
diff --git a/samples/more/policy_validate_fsgroup.yaml b/samples/more/policy_validate_fsgroup.yaml deleted file mode 100644 index 13387c366d..0000000000 --- a/samples/more/policy_validate_fsgroup.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: validate-fsgroup -spec: - validationFailureAction: "audit" - rules: - - name: validate-fsgroup - exclude: - resources: - namespaces: - - kube-system - match: - resources: - kinds: - - Pod - validate: - message: "directory should have group ID 2000" - pattern: - spec: - securityContext: - fsGroup: 2000 \ No newline at end of file diff --git a/test/scenarios/cli/cli.yaml b/test/policy/cli/cli.yaml similarity index 100% rename from test/scenarios/cli/cli.yaml rename to test/policy/cli/cli.yaml diff --git a/test/scenarios/cli/ghost.yaml b/test/policy/cli/ghost.yaml similarity index 100% rename from test/scenarios/cli/ghost.yaml rename to test/policy/cli/ghost.yaml diff --git a/test/scenarios/cli/nginx.yaml b/test/policy/cli/nginx.yaml similarity index 100% rename from test/scenarios/cli/nginx.yaml rename to test/policy/cli/nginx.yaml diff --git a/test/scenarios/cli/policy_deployment.yaml b/test/policy/cli/policy_deployment.yaml similarity index 100% rename from test/scenarios/cli/policy_deployment.yaml rename to test/policy/cli/policy_deployment.yaml diff --git a/test/scenarios/generate/generate.yaml b/test/policy/generate/generate.yaml similarity index 100% rename from test/scenarios/generate/generate.yaml rename to test/policy/generate/generate.yaml diff --git a/test/scenarios/mutate/overlay.yaml b/test/policy/mutate/overlay.yaml similarity index 100% rename from test/scenarios/mutate/overlay.yaml rename to test/policy/mutate/overlay.yaml diff --git a/test/scenarios/mutate/patches.yaml b/test/policy/mutate/patches.yaml similarity index 100% rename from test/scenarios/mutate/patches.yaml rename to test/policy/mutate/patches.yaml 
diff --git a/test/scenarios/mutate/policy_mutate_endpoint.yaml b/test/policy/mutate/policy_mutate_endpoint.yaml
similarity index 100%
rename from test/scenarios/mutate/policy_mutate_endpoint.yaml
rename to test/policy/mutate/policy_mutate_endpoint.yaml
diff --git a/test/scenarios/mutate/policy_mutate_pod_disable_automountingapicred.yaml b/test/policy/mutate/policy_mutate_pod_disable_automountingapicred.yaml
similarity index 100%
rename from test/scenarios/mutate/policy_mutate_pod_disable_automountingapicred.yaml
rename to test/policy/mutate/policy_mutate_pod_disable_automountingapicred.yaml
diff --git a/test/scenarios/mutate/policy_mutate_validate_qos.yaml b/test/policy/mutate/policy_mutate_validate_qos.yaml
similarity index 100%
rename from test/scenarios/mutate/policy_mutate_validate_qos.yaml
rename to test/policy/mutate/policy_mutate_validate_qos.yaml
diff --git a/test/scenarios/mutate/resource_mutate_pod_disable_automountingapicred.yaml b/test/policy/mutate/resource_mutate_pod_disable_automountingapicred.yaml
similarity index 100%
rename from test/scenarios/mutate/resource_mutate_pod_disable_automountingapicred.yaml
rename to test/policy/mutate/resource_mutate_pod_disable_automountingapicred.yaml
diff --git a/test/ConfigMap/policy-CM.yaml b/test/policy/policy-CM.yaml
similarity index 100%
rename from test/ConfigMap/policy-CM.yaml
rename to test/policy/policy-CM.yaml
diff --git a/test/scenarios/query/policy_validate_loadblancer.yaml b/test/policy/query/policy_validate_loadblancer.yaml
similarity index 100%
rename from test/scenarios/query/policy_validate_loadblancer.yaml
rename to test/policy/query/policy_validate_loadblancer.yaml
diff --git a/test/scenarios/query/policy_validate_no_loadblancer.yaml b/test/policy/query/policy_validate_no_loadblancer.yaml
similarity index 100%
rename from test/scenarios/query/policy_validate_no_loadblancer.yaml
rename to test/policy/query/policy_validate_no_loadblancer.yaml
diff --git a/test/scenarios/validate/check_cpu_memory.yaml b/test/policy/validate/check_cpu_memory.yaml
similarity index 100%
rename from test/scenarios/validate/check_cpu_memory.yaml
rename to test/policy/validate/check_cpu_memory.yaml
diff --git a/test/scenarios/validate/check_hostpath.yaml b/test/policy/validate/check_hostpath.yaml
similarity index 100%
rename from test/scenarios/validate/check_hostpath.yaml
rename to test/policy/validate/check_hostpath.yaml
diff --git a/test/scenarios/validate/check_image_version.yaml b/test/policy/validate/check_image_version.yaml
similarity index 100%
rename from test/scenarios/validate/check_image_version.yaml
rename to test/policy/validate/check_image_version.yaml
diff --git a/test/scenarios/validate/check_memory_requests_same_yaml.yaml b/test/policy/validate/check_memory_requests_same_yaml.yaml
similarity index 100%
rename from test/scenarios/validate/check_memory_requests_same_yaml.yaml
rename to test/policy/validate/check_memory_requests_same_yaml.yaml
diff --git a/test/scenarios/validate/check_memory_requests_same_yaml_relative.yaml b/test/policy/validate/check_memory_requests_same_yaml_relative.yaml
similarity index 100%
rename from test/scenarios/validate/check_memory_requests_same_yaml_relative.yaml
rename to test/policy/validate/check_memory_requests_same_yaml_relative.yaml
diff --git a/test/scenarios/validate/check_nodeport.yaml b/test/policy/validate/check_nodeport.yaml
similarity index 100%
rename from test/scenarios/validate/check_nodeport.yaml
rename to test/policy/validate/check_nodeport.yaml
diff --git a/test/scenarios/validate/check_not_root.yaml b/test/policy/validate/check_not_root.yaml
similarity index 100%
rename from test/scenarios/validate/check_not_root.yaml
rename to test/policy/validate/check_not_root.yaml
diff --git a/test/scenarios/validate/check_probe_exists.yaml b/test/policy/validate/check_probe_exists.yaml
similarity index 100%
rename from test/scenarios/validate/check_probe_exists.yaml
rename to test/policy/validate/check_probe_exists.yaml
diff --git a/test/scenarios/validate/check_probe_intervals.yaml b/test/policy/validate/check_probe_intervals.yaml
similarity index 100%
rename from test/scenarios/validate/check_probe_intervals.yaml
rename to test/policy/validate/check_probe_intervals.yaml
diff --git a/test/scenarios/validate/check_registries.yaml b/test/policy/validate/check_registries.yaml
similarity index 100%
rename from test/scenarios/validate/check_registries.yaml
rename to test/policy/validate/check_registries.yaml
diff --git a/test/scenarios/validate/policy_validate_default_proc_mount.yaml b/test/policy/validate/policy_validate_default_proc_mount.yaml
similarity index 100%
rename from test/scenarios/validate/policy_validate_default_proc_mount.yaml
rename to test/policy/validate/policy_validate_default_proc_mount.yaml
diff --git a/test/scenarios/validate/policy_validate_disallow_default_serviceaccount.yaml b/test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml
similarity index 100%
rename from test/scenarios/validate/policy_validate_disallow_default_serviceaccount.yaml
rename to test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml
diff --git a/test/scenarios/validate/policy_validate_healthChecks.yaml b/test/policy/validate/policy_validate_healthChecks.yaml
similarity index 100%
rename from test/scenarios/validate/policy_validate_healthChecks.yaml
rename to test/policy/validate/policy_validate_healthChecks.yaml
diff --git a/test/scenarios/validate/policy_validate_selinux_context.yaml b/test/policy/validate/policy_validate_selinux_context.yaml
similarity index 100%
rename from test/scenarios/validate/policy_validate_selinux_context.yaml
rename to test/policy/validate/policy_validate_selinux_context.yaml
diff --git a/test/scenarios/validate/policy_validate_volume_whitelist.yaml b/test/policy/validate/policy_validate_volume_whitelist.yaml
similarity index 100%
rename from test/scenarios/validate/policy_validate_volume_whitelist.yaml
rename to test/policy/validate/policy_validate_volume_whitelist.yaml
diff --git a/test/ConfigMap/CM.yaml b/test/resources/CM.yaml
similarity index 100%
rename from test/ConfigMap/CM.yaml
rename to test/resources/CM.yaml
diff --git a/test/scenarios/resources/deny_runasrootuser.yaml b/test/resources/deny_runasrootuser.yaml
similarity index 100%
rename from test/scenarios/resources/deny_runasrootuser.yaml
rename to test/resources/deny_runasrootuser.yaml
diff --git a/test/scenarios/resources/disallow_automountingapicred.yaml b/test/resources/disallow_automountingapicred.yaml
similarity index 100%
rename from test/scenarios/resources/disallow_automountingapicred.yaml
rename to test/resources/disallow_automountingapicred.yaml
diff --git a/test/scenarios/resources/disallow_default_namespace.yaml b/test/resources/disallow_default_namespace.yaml
similarity index 100%
rename from test/scenarios/resources/disallow_default_namespace.yaml
rename to test/resources/disallow_default_namespace.yaml
diff --git a/test/scenarios/resources/disallow_host_filesystem.yaml b/test/resources/disallow_host_filesystem.yaml
similarity index 100%
rename from test/scenarios/resources/disallow_host_filesystem.yaml
rename to test/resources/disallow_host_filesystem.yaml
diff --git a/test/scenarios/resources/disallow_host_filesystem_pass.yaml b/test/resources/disallow_host_filesystem_pass.yaml
similarity index 100%
rename from test/scenarios/resources/disallow_host_filesystem_pass.yaml
rename to test/resources/disallow_host_filesystem_pass.yaml
diff --git a/test/scenarios/resources/disallow_host_network_hostport.yaml b/test/resources/disallow_host_network_hostport.yaml
similarity index 100%
rename from test/scenarios/resources/disallow_host_network_hostport.yaml
rename to test/resources/disallow_host_network_hostport.yaml
diff --git a/test/scenarios/resources/disallow_hostpid_hostipc.yaml b/test/resources/disallow_hostpid_hostipc.yaml
similarity index 100%
rename from test/scenarios/resources/disallow_hostpid_hostipc.yaml
rename to test/resources/disallow_hostpid_hostipc.yaml
diff --git a/test/scenarios/resources/disallow_node_port.yaml b/test/resources/disallow_node_port.yaml
similarity index 100%
rename from test/scenarios/resources/disallow_node_port.yaml
rename to test/resources/disallow_node_port.yaml
diff --git a/test/scenarios/resources/disallow_priviledged_priviligedescalation.yaml b/test/resources/disallow_priviledged_priviligedescalation.yaml
similarity index 100%
rename from test/scenarios/resources/disallow_priviledged_priviligedescalation.yaml
rename to test/resources/disallow_priviledged_priviligedescalation.yaml
diff --git a/test/scenarios/resources/require_default_network_policy.yaml b/test/resources/require_default_network_policy.yaml
similarity index 100%
rename from test/scenarios/resources/require_default_network_policy.yaml
rename to test/resources/require_default_network_policy.yaml
diff --git a/test/scenarios/resources/require_image_tag_not_latest_deny.yaml b/test/resources/require_image_tag_not_latest_deny.yaml
similarity index 100%
rename from test/scenarios/resources/require_image_tag_not_latest_deny.yaml
rename to test/resources/require_image_tag_not_latest_deny.yaml
diff --git a/test/scenarios/resources/require_image_tag_not_latest_notag.yaml b/test/resources/require_image_tag_not_latest_notag.yaml
similarity index 100%
rename from test/scenarios/resources/require_image_tag_not_latest_notag.yaml
rename to test/resources/require_image_tag_not_latest_notag.yaml
diff --git a/test/scenarios/resources/require_image_tag_not_latest_pass.yaml b/test/resources/require_image_tag_not_latest_pass.yaml
similarity index 100%
rename from test/scenarios/resources/require_image_tag_not_latest_pass.yaml
rename to test/resources/require_image_tag_not_latest_pass.yaml
diff --git a/test/scenarios/resources/require_namespace_quota.yaml b/test/resources/require_namespace_quota.yaml
similarity index 100%
rename from test/scenarios/resources/require_namespace_quota.yaml
rename to test/resources/require_namespace_quota.yaml
diff --git a/test/scenarios/resources/require_pod_requests_limits.yaml b/test/resources/require_pod_requests_limits.yaml
similarity index 100%
rename from test/scenarios/resources/require_pod_requests_limits.yaml
rename to test/resources/require_pod_requests_limits.yaml
diff --git a/test/scenarios/resources/require_probes.yaml b/test/resources/require_probes.yaml
similarity index 100%
rename from test/scenarios/resources/require_probes.yaml
rename to test/resources/require_probes.yaml
diff --git a/test/scenarios/resources/require_readonly_rootfilesystem.yaml b/test/resources/require_readonly_rootfilesystem.yaml
similarity index 100%
rename from test/scenarios/resources/require_readonly_rootfilesystem.yaml
rename to test/resources/require_readonly_rootfilesystem.yaml
diff --git a/test/scenarios/resources/resource_default_namespace.yaml b/test/resources/resource_default_namespace.yaml
similarity index 100%
rename from test/scenarios/resources/resource_default_namespace.yaml
rename to test/resources/resource_default_namespace.yaml
diff --git a/test/scenarios/resources/resource_generate_networkPolicy.yaml b/test/resources/resource_generate_networkPolicy.yaml
similarity index 100%
rename from test/scenarios/resources/resource_generate_networkPolicy.yaml
rename to test/resources/resource_generate_networkPolicy.yaml
diff --git a/test/scenarios/resources/resource_mutate_endpoint.yaml b/test/resources/resource_mutate_endpoint.yaml
similarity index 100%
rename from test/scenarios/resources/resource_mutate_endpoint.yaml
rename to test/resources/resource_mutate_endpoint.yaml
diff --git a/test/scenarios/resources/resource_mutate_imagePullPolicy.yaml b/test/resources/resource_mutate_imagePullPolicy.yaml
similarity index 100%
rename from test/scenarios/resources/resource_mutate_imagePullPolicy.yaml
rename to test/resources/resource_mutate_imagePullPolicy.yaml
diff --git a/test/scenarios/resources/resource_mutate_validate_qos.yaml b/test/resources/resource_mutate_validate_qos.yaml
similarity index 100%
rename from test/scenarios/resources/resource_mutate_validate_qos.yaml
rename to test/resources/resource_mutate_validate_qos.yaml
diff --git a/test/scenarios/resources/resource_validate_containerSecurityContext.yaml b/test/resources/resource_validate_containerSecurityContext.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_containerSecurityContext.yaml
rename to test/resources/resource_validate_containerSecurityContext.yaml
diff --git a/test/scenarios/resources/resource_validate_container_capabilities.yaml b/test/resources/resource_validate_container_capabilities.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_container_capabilities.yaml
rename to test/resources/resource_validate_container_capabilities.yaml
diff --git a/test/scenarios/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml b/test/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml
rename to test/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml
diff --git a/test/scenarios/resources/resource_validate_default_proc_mount.yaml b/test/resources/resource_validate_default_proc_mount.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_default_proc_mount.yaml
rename to test/resources/resource_validate_default_proc_mount.yaml
diff --git a/test/scenarios/resources/resource_validate_disallow_default_serviceaccount.yaml b/test/resources/resource_validate_disallow_default_serviceaccount.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_disallow_default_serviceaccount.yaml
rename to test/resources/resource_validate_disallow_default_serviceaccount.yaml
diff --git a/test/scenarios/resources/resource_validate_fsgroup.yaml b/test/resources/resource_validate_fsgroup.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_fsgroup.yaml
rename to test/resources/resource_validate_fsgroup.yaml
diff --git a/test/scenarios/resources/resource_validate_healthChecks.yaml b/test/resources/resource_validate_healthChecks.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_healthChecks.yaml
rename to test/resources/resource_validate_healthChecks.yaml
diff --git a/test/scenarios/resources/resource_validate_imageRegistries.yaml b/test/resources/resource_validate_imageRegistries.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_imageRegistries.yaml
rename to test/resources/resource_validate_imageRegistries.yaml
diff --git a/test/scenarios/resources/resource_validate_image_pullpolicy_notalways_deny.yaml b/test/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
rename to test/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
diff --git a/test/scenarios/resources/resource_validate_image_pullpolicy_notalways_pass.yaml b/test/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
rename to test/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
diff --git a/test/scenarios/resources/resource_validate_image_tag_latest_pass.yaml b/test/resources/resource_validate_image_tag_latest_pass.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_image_tag_latest_pass.yaml
rename to test/resources/resource_validate_image_tag_latest_pass.yaml
diff --git a/test/scenarios/resources/resource_validate_nonRootUser.yaml b/test/resources/resource_validate_nonRootUser.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_nonRootUser.yaml
rename to test/resources/resource_validate_nonRootUser.yaml
diff --git a/test/scenarios/resources/resource_validate_selinux_context.yaml b/test/resources/resource_validate_selinux_context.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_selinux_context.yaml
rename to test/resources/resource_validate_selinux_context.yaml
diff --git a/test/scenarios/resources/resource_validate_sysctl_configs.yaml b/test/resources/resource_validate_sysctl_configs.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_sysctl_configs.yaml
rename to test/resources/resource_validate_sysctl_configs.yaml
diff --git a/test/scenarios/resources/resource_validate_volume_whitelist.yaml b/test/resources/resource_validate_volume_whitelist.yaml
similarity index 100%
rename from test/scenarios/resources/resource_validate_volume_whitelist.yaml
rename to test/resources/resource_validate_volume_whitelist.yaml
diff --git a/test/scenarios/resources/trusted_image_registries.yaml b/test/resources/trusted_image_registries.yaml similarity index 100% rename from test/scenarios/resources/trusted_image_registries.yaml rename to test/resources/trusted_image_registries.yaml diff --git a/test/scenarios/mutate/policy_mutate_imagePullPolicy.yaml b/test/scenarios/mutate/policy_mutate_imagePullPolicy.yaml deleted file mode 100644 index f832f01fd1..0000000000 --- a/test/scenarios/mutate/policy_mutate_imagePullPolicy.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion : kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: image-pull-policy -spec: - rules: - - name: image-pull-policy - match: - resources: - kinds: - - Deployment - selector: - matchLabels: - app : nginxlatest - exclude: - resources: - kinds: - - DaemonSet - mutate: - overlay: - spec: - template: - spec: - containers: - # select images which end with :latest - - (image): "*latest" - # require that the imagePullPolicy is "IfNotPresent" - imagePullPolicy: IfNotPresent diff --git a/test/scenarios/test/scenario_mutate_endPpoint.yaml b/test/scenarios/other/scenario_mutate_endpoint.yaml similarity index 76% rename from test/scenarios/test/scenario_mutate_endPpoint.yaml rename to test/scenarios/other/scenario_mutate_endpoint.yaml index cf8f9a828a..4a395a8a39 100644 --- a/test/scenarios/test/scenario_mutate_endPpoint.yaml +++ b/test/scenarios/other/scenario_mutate_endpoint.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: - policy: test/scenarios/mutate/policy_mutate_endpoint.yaml - resource: test/scenarios/resources/resource_mutate_endpoint.yaml + policy: test/policy/mutate/policy_mutate_endpoint.yaml + resource: test/resources/resource_mutate_endpoint.yaml expected: mutation: patchedresource: test/output/output_mutate_endpoint.yaml 
diff --git a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml b/test/scenarios/other/scenario_mutate_pod_disable_automountingapicred.yaml similarity index 100% rename from test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml rename to test/scenarios/other/scenario_mutate_pod_disable_automountingapicred.yaml diff --git a/test/scenarios/test/scenario_mutate_validate_qos.yaml b/test/scenarios/other/scenario_mutate_validate_qos.yaml similarity index 85% rename from test/scenarios/test/scenario_mutate_validate_qos.yaml rename to test/scenarios/other/scenario_mutate_validate_qos.yaml index aee6a83a9f..5fce2dfbd8 100644 --- a/test/scenarios/test/scenario_mutate_validate_qos.yaml +++ b/test/scenarios/other/scenario_mutate_validate_qos.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: - policy: test/scenarios/mutate/policy_mutate_validate_qos.yaml - resource: test/scenarios/resources/resource_mutate_validate_qos.yaml + policy: test/policy/mutate/policy_mutate_validate_qos.yaml + resource: test/resources/resource_mutate_validate_qos.yaml expected: mutation: patchedresource: test/output/output_mutate_validate_qos.yaml diff --git a/test/scenarios/test/scenario_validate_default_proc_mount.yaml b/test/scenarios/other/scenario_validate_default_proc_mount.yaml similarity index 74% rename from test/scenarios/test/scenario_validate_default_proc_mount.yaml rename to test/scenarios/other/scenario_validate_default_proc_mount.yaml index 741cf9f96f..d618de9c91 100644 --- a/test/scenarios/test/scenario_validate_default_proc_mount.yaml +++ b/test/scenarios/other/scenario_validate_default_proc_mount.yaml 
@@ -1,8 +1,8 @@ # file path relative to project root input: - policy: test/scenarios/validate/policy_validate_default_proc_mount.yaml - resource: test/scenarios/resources/resource_validate_default_proc_mount.yaml + policy: test/policy/validate/policy_validate_default_proc_mount.yaml + resource: test/resources/resource_validate_default_proc_mount.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml similarity index 76% rename from test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml rename to test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml index 8de632a926..c284481738 100644 --- a/test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml +++ b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: - policy: test/scenarios/validate/policy_validate_disallow_default_serviceaccount.yaml - resource: test/scenarios/resources/resource_validate_disallow_default_serviceaccount.yaml + policy: test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml + resource: test/resources/resource_validate_disallow_default_serviceaccount.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_healthChecks.yaml b/test/scenarios/other/scenario_validate_healthChecks.yaml similarity index 81% rename from test/scenarios/test/scenario_validate_healthChecks.yaml rename to test/scenarios/other/scenario_validate_healthChecks.yaml index 2fedef955c..3e433dc80c 100644 --- a/test/scenarios/test/scenario_validate_healthChecks.yaml +++ b/test/scenarios/other/scenario_validate_healthChecks.yaml 
@@ -1,7 +1,7 @@ # file path relative to project root input: - policy: test/scenarios/validate/policy_validate_healthChecks.yaml - resource: test/scenarios/resources/resource_validate_healthChecks.yaml + policy: test/policy/validate/policy_validate_healthChecks.yaml + resource: test/resources/resource_validate_healthChecks.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_selinux_context.yaml b/test/scenarios/other/scenario_validate_selinux_context.yaml similarity index 78% rename from test/scenarios/test/scenario_validate_selinux_context.yaml rename to test/scenarios/other/scenario_validate_selinux_context.yaml index 9bad8b9443..9c2da7978d 100644 --- a/test/scenarios/test/scenario_validate_selinux_context.yaml +++ b/test/scenarios/other/scenario_validate_selinux_context.yaml @@ -1,8 +1,8 @@ # file path relative to project root input: - policy: test/scenarios/validate/policy_validate_selinux_context.yaml - resource: test/scenarios/resources/resource_validate_selinux_context.yaml + policy: test/policy/validate/policy_validate_selinux_context.yaml + resource: test/resources/resource_validate_selinux_context.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_volume_whiltelist.yaml b/test/scenarios/other/scenario_validate_volume_whiltelist.yaml similarity index 74% rename from test/scenarios/test/scenario_validate_volume_whiltelist.yaml rename to test/scenarios/other/scenario_validate_volume_whiltelist.yaml index 362c122638..b10b7e72ce 100644 --- a/test/scenarios/test/scenario_validate_volume_whiltelist.yaml +++ b/test/scenarios/other/scenario_validate_volume_whiltelist.yaml 
@@ -1,8 +1,8 @@ # file path relative to project root input: - policy: test/scenarios/validate/policy_validate_volume_whitelist.yaml - resource: test/scenarios/resources/resource_validate_volume_whitelist.yaml + policy: test/policy/validate/policy_validate_volume_whitelist.yaml + resource: test/resources/resource_validate_volume_whitelist.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_generate_networkPolicy.yaml b/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml similarity index 89% rename from test/scenarios/test/scenario_generate_networkPolicy.yaml rename to test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml index e84bf60c9c..37e7910092 100644 --- a/test/scenarios/test/scenario_generate_networkPolicy.yaml +++ b/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: samples/best_practices/require_default_network_policy.yaml - resource: test/scenarios/resources/require_default_network_policy.yaml + resource: test/resources/require_default_network_policy.yaml expected: generation: generatedResources: diff --git a/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml similarity index 91% rename from test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml rename to test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml index d186f35fb3..c0450c2833 100644 --- a/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml +++ b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml 
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/require_image_tag_not_latest.yaml
- resource: test/scenarios/resources/require_image_tag_not_latest_deny.yaml
+ resource: test/resources/require_image_tag_not_latest_deny.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml
similarity index 88%
rename from test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml
rename to test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml
index 8f14172888..69175f9db0 100644
--- a/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml
+++ b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/require_image_tag_not_latest.yaml
- resource: test/scenarios/resources/resource_validate_image_tag_latest_pass.yaml
+ resource: test/resources/resource_validate_image_tag_latest_pass.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_deny_runasrootuser.yaml b/test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml
similarity index 88%
rename from test/scenarios/test/scenario_validate_deny_runasrootuser.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml
index dba91d3b7c..5d8fc2c996 100644
--- a/test/scenarios/test/scenario_validate_deny_runasrootuser.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/deny_runasrootuser.yaml
- resource: test/scenarios/resources/deny_runasrootuser.yaml
+ resource: test/resources/deny_runasrootuser.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml
similarity index 87%
rename from test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml
index 325528c978..6fed418a3c 100644
--- a/test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_automountingapicred.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/disallow_automountingapicred.yaml
- resource: test/scenarios/resources/disallow_automountingapicred.yaml
+ resource: test/resources/disallow_automountingapicred.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_disallow_default_namespace.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml
similarity index 92%
rename from test/scenarios/test/scenario_validate_disallow_default_namespace.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml
index 5b1ef55522..676146547f 100644
--- a/test/scenarios/test/scenario_validate_disallow_default_namespace.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_default_namespace.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/disallow_default_namespace.yaml
- resource: test/scenarios/resources/disallow_default_namespace.yaml
+ resource: test/resources/disallow_default_namespace.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml
similarity index 89%
rename from test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml
index 2f989fdbf4..1c3925207f 100644
--- a/test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/disallow_host_filesystem.yaml
- resource: test/scenarios/resources/disallow_host_filesystem.yaml
+ resource: test/resources/disallow_host_filesystem.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml
similarity index 86%
rename from test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml
index bd6389a973..72a4227add 100644
--- a/test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/disallow_host_filesystem.yaml
- resource: test/scenarios/resources/disallow_host_filesystem_pass.yaml
+ resource: test/resources/disallow_host_filesystem_pass.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_disallow_host_network_hostport.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml
similarity index 89%
rename from test/scenarios/test/scenario_validate_disallow_host_network_hostport.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml
index 9fab140f66..36ecb6ab6a 100644
--- a/test/scenarios/test/scenario_validate_disallow_host_network_hostport.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_network_hostport.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/disallow_host_network_hostport.yaml
- resource: test/scenarios/resources/disallow_host_network_hostport.yaml
+ resource: test/resources/disallow_host_network_hostport.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_disallow_hostpid_hostipc.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml
similarity index 90%
rename from test/scenarios/test/scenario_validate_disallow_hostpid_hostipc.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml
index 45bc1ae9fa..9f77be8bfa 100644
--- a/test/scenarios/test/scenario_validate_disallow_hostpid_hostipc.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/disallow_hostpid_hostipc.yaml
- resource: test/scenarios/resources/disallow_hostpid_hostipc.yaml
+ resource: test/resources/disallow_hostpid_hostipc.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_disallow_node_port.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml
similarity index 83%
rename from test/scenarios/test/scenario_validate_disallow_node_port.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml
index d0b6a8aea6..8302038788 100644
--- a/test/scenarios/test/scenario_validate_disallow_node_port.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml
@@ -1,8 +1,6 @@
-
-# file path relative to project root
 input:
 policy: samples/best_practices/disallow_node_port.yaml
- resource: test/scenarios/resources/disallow_node_port.yaml
+ resource: test/resources/disallow_node_port.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_disallow_priviledged_privelegesecalation.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml
similarity index 90%
rename from test/scenarios/test/scenario_validate_disallow_priviledged_privelegesecalation.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml
index 86db1fdc17..aa56a958b9 100644
--- a/test/scenarios/test/scenario_validate_disallow_priviledged_privelegesecalation.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_priviledged_privelegesecalation.yaml
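Review bot: The `@@ -1,8 +1,6 @@` hunk for scenario_validate_disallow_node_port.yaml drops the `# file path relative to project root` header together with the blank first line, while the other scenario files touched in this diff keep that comment. Without it, nothing in the file says how `policy:` and `resource:` are resolved, which matters more now that the fixtures live in a different directory from the scenarios. I would keep `# file path relative to project root` as the first line and remove only the blank line.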
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/disallow_priviledged_priviligedescalation.yaml
- resource: test/scenarios/resources/disallow_priviledged_priviligedescalation.yaml
+ resource: test/resources/disallow_priviledged_priviligedescalation.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_nonRootUser.yaml b/test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml
similarity index 90%
rename from test/scenarios/test/scenario_validate_nonRootUser.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml
index 6f517cbe0f..6f6e9497b8 100644
--- a/test/scenarios/test/scenario_validate_nonRootUser.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/policy_validate_deny_runasrootuser.yaml
- resource: test/scenarios/resources/resource_validate_nonRootUser.yaml
+ resource: test/resources/resource_validate_nonRootUser.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_probes.yaml b/test/scenarios/samples/best_practices/scenario_validate_probes.yaml
similarity index 90%
rename from test/scenarios/test/scenario_validate_probes.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_probes.yaml
index 782bbb3d85..eeccb89f3c 100644
--- a/test/scenarios/test/scenario_validate_probes.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_probes.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/require_probes.yaml
- resource: test/scenarios/resources/require_probes.yaml
+ resource: test/resources/require_probes.yaml
 expected:
 validation:
 policyresponse:
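Review bot: In scenario_validate_nonRootUser.yaml the unchanged `policy:` line still points at `samples/best_practices/policy_validate_deny_runasrootuser.yaml`, whereas the deny_runasrootuser scenario in this same diff loads `samples/best_practices/deny_runasrootuser.yaml`, and no other best_practices sample referenced here carries a `policy_validate_` prefix. That looks like a stale name, but the samples directory is not part of this diff, so it needs confirming that the file exists. If the sample was renamed, the non-root-user check is only exercised when the runner fails loudly on a missing policy file, and the line would presumably become `policy: samples/best_practices/deny_runasrootuser.yaml`.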
diff --git a/test/scenarios/test/scenario_validate_require_namespace_quota.yaml b/test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml
similarity index 90%
rename from test/scenarios/test/scenario_validate_require_namespace_quota.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml
index 44565c17d6..e2e37b43a0 100644
--- a/test/scenarios/test/scenario_validate_require_namespace_quota.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/require_namespace_quota.yaml
- resource: test/scenarios/resources/require_namespace_quota.yaml
+ resource: test/resources/require_namespace_quota.yaml
 expected:
 generation:
 generatedResources:
diff --git a/test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml b/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml
similarity index 89%
rename from test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml
index 1e6bac0901..cc1c3d0cf8 100644
--- a/test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_require_pod_requests_limits.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/require_pod_requests_limits.yaml
- resource: test/scenarios/resources/require_pod_requests_limits.yaml
+ resource: test/resources/require_pod_requests_limits.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_require_readonly_rootfilesystem.yaml b/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml
similarity index 90%
rename from test/scenarios/test/scenario_validate_require_readonly_rootfilesystem.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml
index 06c458b864..af3d3e5c5b 100644
--- a/test/scenarios/test/scenario_validate_require_readonly_rootfilesystem.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/require_readonly_rootfilesystem.yaml
- resource: test/scenarios/resources/require_readonly_rootfilesystem.yaml
+ resource: test/resources/require_readonly_rootfilesystem.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_trusted_image_registries.yaml b/test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml
similarity index 87%
rename from test/scenarios/test/scenario_validate_trusted_image_registries.yaml
rename to test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml
index 5ab6aaa4a8..0adf0564c1 100644
--- a/test/scenarios/test/scenario_validate_trusted_image_registries.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_trusted_image_registries.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: samples/best_practices/trusted_image_registries.yaml
- resource: test/scenarios/resources//trusted_image_registries.yaml
+ resource: test/resources//trusted_image_registries.yaml
 expected:
 validation:
 policyresponse:
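Review bot: The new `resource:` line in scenario_validate_trusted_image_registries.yaml keeps the doubled separator from the old path: `test/resources//trusted_image_registries.yaml`. The fixture itself is renamed in this commit to `test/resources/trusted_image_registries.yaml`, so the scenario loads it only where path resolution collapses the empty segment. Any string comparison or path-prefix check on the value would not match the fixture's real path. Suggested line: `resource: test/resources/trusted_image_registries.yaml`.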
diff --git a/test/scenarios/test/scenario_validate_container_capabilities.yaml b/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml
similarity index 88%
rename from test/scenarios/test/scenario_validate_container_capabilities.yaml
rename to test/scenarios/samples/more/scenario_validate_container_capabilities.yaml
index 4a71464851..fb2805f92b 100644
--- a/test/scenarios/test/scenario_validate_container_capabilities.yaml
+++ b/test/scenarios/samples/more/scenario_validate_container_capabilities.yaml
@@ -2,7 +2,7 @@
 # file path relative to project root
 input:
 policy: samples/more/policy_validate_container_capabilities.yaml
- resource: test/scenarios/resources/resource_validate_container_capabilities.yaml
+ resource: test/resources/resource_validate_container_capabilities.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_fsgroup.yaml b/test/scenarios/samples/more/scenario_validate_fsgroup.yaml
similarity index 92%
rename from test/scenarios/test/scenario_validate_fsgroup.yaml
rename to test/scenarios/samples/more/scenario_validate_fsgroup.yaml
index abd425b18f..c262e3b84b 100644
--- a/test/scenarios/test/scenario_validate_fsgroup.yaml
+++ b/test/scenarios/samples/more/scenario_validate_fsgroup.yaml
@@ -2,7 +2,7 @@
 # file path relative to project root
 input:
 policy: samples/more/policy_validate_user_group_fsgroup_id.yaml
- resource: test/scenarios/resources/resource_validate_fsgroup.yaml
+ resource: test/resources/resource_validate_fsgroup.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_sysctl_configs.yaml b/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml
similarity index 88%
rename from test/scenarios/test/scenario_validate_sysctl_configs.yaml
rename to test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml
index 8973c33886..1f217f4ff0 100644
--- a/test/scenarios/test/scenario_validate_sysctl_configs.yaml
+++ b/test/scenarios/samples/more/scenario_validate_sysctl_configs.yaml
@@ -2,7 +2,7 @@
 # file path relative to project root
 input:
 policy: samples/more/policy_validate_sysctl_configs.yaml
- resource: test/scenarios/resources/resource_validate_sysctl_configs.yaml
+ resource: test/resources/resource_validate_sysctl_configs.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml b/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml
deleted file mode 100644
index c90e20be7f..0000000000
--- a/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
- policy: test/scenarios/mutate/policy_mutate_imagePullPolicy.yaml
- resource: test/scenarios/resources/resource_mutate_imagePullPolicy.yaml
-expected:
- mutation:
- patchedresource: test/output/output_mutate_imagePullPolicy.yaml
- policyresponse:
- policy: image-pull-policy
- resource:
- kind: Deployment
- apiVersion: apps/v1
- namespace: ''
- name: nginx-deployment
- rules:
- - name: image-pull-policy
- type: Mutation
- success: true
- message: succesfully process overlay
diff --git a/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml b/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml
deleted file mode 100644
index 29d906629f..0000000000
--- a/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# file path relative to project root
-input:
- policy: samples/best_practices/require_image_tag_not_latest.yaml
- resource: test/scenarios/resources/require_image_tag_not_latest_notag.yaml
-expected:
- validation:
- policyresponse:
- policy: validate-image-tag
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: myapp-pod
- rules:
- - name: image-tag-notspecified
- type: Validation
- message: Validation rule 'image-tag-notspecified' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. Image tag not specified
- success: false
- - name: image-tag-not-latest
- type: Validation
- message: Validation rule 'image-tag-not-latest' succesfully validated
- success: true
diff --git a/test/scenarios/test/scenario_validate_containerSecurityContext.yaml b/test/scenarios/test/scenario_validate_containerSecurityContext.yaml
deleted file mode 100644
index dbe40b1a8b..0000000000
--- a/test/scenarios/test/scenario_validate_containerSecurityContext.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# file path relative to project root
-input:
- policy: test/scenarios/validate/policy_validate_containerSecurityContext.yaml
- resource: test/scenarios/resources/resource_validate_containerSecurityContext.yaml
-expected:
- validation:
- policyresponse:
- policy: container-security-context
- resource:
- kind: Deployment
- apiVersion: apps/v1
- namespace: ''
- name: csc-demo-unprivileged
- rules:
- - name: validate-user-privilege
- type: Validation
- message: Validation rule 'validate-user-privilege' succesfully validated
- success: true
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_validate_container_disallow_priviledgedprivelegesecalation.yaml b/test/scenarios/test/scenario_validate_container_disallow_priviledgedprivelegesecalation.yaml
deleted file mode 100644
index feb5171a26..0000000000
--- a/test/scenarios/test/scenario_validate_container_disallow_priviledgedprivelegesecalation.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
- policy: samples/best_practices/disallow_priviledged_priviligedescalation.yaml
- resource: test/scenarios/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml
-expected:
- validation:
- policyresponse:
- policy: validate-deny-privileged-disallowpriviligedescalation
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: check-privileged-cfg
- rules:
- - name: deny-privileged-disallowpriviligedescalation
- type: Validation
- message: "Validation rule 'deny-privileged-disallowpriviligedescalation' failed to validate patterns defined in anyPattern. Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false; anyPattern[0] failed at path /spec/securityContext/; anyPattern[1] failed at path /spec/containers/0/securityContext/allowPrivilegeEscalation/"
- success: false
-
diff --git a/test/scenarios/test/scenario_validate_default_namespace.yaml b/test/scenarios/test/scenario_validate_default_namespace.yaml
deleted file mode 100644
index b4ff1d466e..0000000000
--- a/test/scenarios/test/scenario_validate_default_namespace.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# file path relative to project root
-input:
- policy: samples/best_practices/disallow_default_namespace.yaml
- resource: test/scenarios/resources/resource_default_namespace.yaml
-expected:
- validation:
- policyresponse:
- policy: validate-namespace
- resource:
- kind: Pod
- apiVersion: v1
- # this is set to pass resource NS check
- # actual valiation is defined through rule success=false
- namespace: 'default'
- name: myapp-pod
- rules:
- - name: check-default-namespace
- type: Validation
- message: "Validation rule 'check-default-namespace' failed at '/metadata/namespace/' for resource Pod/default/myapp-pod. A none 'default' namespace is required"
- success: false
- - name: check-namespace-exist
- type: Validation
- message: "Validation rule 'check-namespace-exist' succesfully validated"
- success: true
-
diff --git a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
deleted file mode 100644
index dd32776dd9..0000000000
--- a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# file path relative to project root
-input:
- policy: test/scenarios/validate/policy_validate_image_pullpolicy_notalways_deny.yaml
- resource: test/scenarios/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
-expected:
- validation:
- policyresponse:
- policy: validate-image-pullpolicy-notalways
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: myapp-pod
- rules:
- - name: image-pullpolicy-notalways
- type: Validation
- message: "Validation rule 'image-pullpolicy-notalways' failed at '/spec/containers/0/imagePullPolicy/' for resource Pod//myapp-pod. image pull policy 'Always' forbidden"
- success: false
diff --git a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
deleted file mode 100644
index 1cb098d63b..0000000000
--- a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# file path relative to project root
-input:
- policy: test/scenarios/validate/policy_validate_image_pullpolicy_notalways_deny.yaml
- resource: test/scenarios/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
-expected:
- validation:
- policyresponse:
- policy: validate-image-pullpolicy-notalways
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: myapp-pod
- rules:
- - name: image-pullpolicy-notalways
- type: Validation
- message: "Validation rule 'image-pullpolicy-notalways' succesfully validated"
- success: true
diff --git a/test/scenarios/validate/policy_validate_containerSecurityContext.yaml b/test/scenarios/validate/policy_validate_containerSecurityContext.yaml
deleted file mode 100644
index b2e5989766..0000000000
--- a/test/scenarios/validate/policy_validate_containerSecurityContext.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
- name: container-security-context
-spec:
- rules:
- - name: validate-user-privilege
- match:
- resources:
- kinds:
- - Deployment
- selector :
- matchLabels:
- app.type: prod
- validate:
- message: "validate container security contexts"
- pattern:
- spec:
- template:
- spec:
- containers:
- - securityContext:
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- # fields can be customized
- # privileged: false
- # readOnlyRootFilesystem: true
diff --git a/test/scenarios/validate/policy_validate_image_pullpolicy_notalways_deny.yaml b/test/scenarios/validate/policy_validate_image_pullpolicy_notalways_deny.yaml
deleted file mode 100644
index afe14d572f..0000000000
--- a/test/scenarios/validate/policy_validate_image_pullpolicy_notalways_deny.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
- name: validate-image-pullpolicy-notalways
-spec:
- rules:
- - name: image-pullpolicy-notalways
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: "image pull policy 'Always' forbidden"
- pattern:
- spec:
- containers:
- - imagePullPolicy: "!Always"