initial clean up

examples/best_practices/README.md

@@ -1,27 +0,0 @@
-# Best Practice Policies
-
-| Best practice                                  | Policy                             |             scenario|
-|------------------------------------------------|------------------------------------|---------------------|
-| Run as non-root user                           | [policy_validate_deny_runasrootuser.yaml](policy_validate_deny_runasrootuser.yaml)                  |     best_practices            |
-| Disallow automount api credentials                           | []()                  |     best_practices            |
-| Disallow privileged and privilege escalation   | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml)             |      best_practices            |
-| Disallow use of host networking and ports      |  [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml)             |        best_practices            |
-| Disallow use of host filesystem                |  [policy_validate_host_path.yaml](policy_validate_host_path.yaml)                                                                                            |
-| Disallow hostPID and hostIPC                   |  [policy_validate_hostpid_hosipc.yaml](policy_validate_hostpid_hosipc.yaml)                                                      |      best_practices            |
-| Require read only root filesystem              | [policy_validate_not_readonly_rootfilesystem.yaml](policy_validate_not_readonly_rootfilesystem.yaml)                     |      best_practices            |
-| Disallow node ports                            | [policy_validate_disallow_node_port.yaml](policy_validate_disallow_node_port.yaml)                           |      best_practices            |
-| Allow trusted registries                       | [policy_validate_whitelist_image_registries.yaml](policy_validate_whitelist_image_registries.yaml)                                                                               |     best_practices            |
-| Require resource requests and limits           | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml)                                           |      best_practices            |
-| Require pod liveness and readiness probes      | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml)                                            |     best_practices            |
-| Require an image tag                           | [policy_validate_image_tag_notspecified_deny.yaml](policy_validate_image_tag_notspecified_deny.yaml)                                                         |   best_practices            |
-| Disallow latest tag and pull IfNotPresent      | [policy_validate_image_latest_ifnotpresent_deny.yaml](policy_validate_image_latest_ifnotpresent_deny.yaml)                                                   |
-| Require a namespace (disallow default)         | [policy_validate_default_namespace.yaml](policy_validate_default_namespace.yaml)                                                                     |     best_practices            |
-| Prevent mounting of default service account    | [policy_validate_disallow_default_serviceaccount.yaml](policy_validate_disallow_default_serviceaccount.yaml)                                                                      |
-| Require a default network policy               | [policy_validate_default_network_policy.yaml](policy_validate_default_network_policy.yaml)                                                                      |   best_practices            |
-| Require namespace quotas and limit ranges      | [policy_validate_namespace_quota.yaml](policy_validate_namespace_quota.yaml)                                                                      |     best_practices            |
-| Allow an FSGroup that owns the pod's volumes      | [policy_validate_fsgroup.yaml](policy_validate_fsgroup.yaml)                                                                      |
-| Require SELinux level of the container      | [policy_validate_selinux_context.yaml](policy_validate_selinux_context.yaml)                                                                      |
-| Allow default Proc Mount type      | [policy_validate_default_proc_mount.yaml](policy_validate_default_proc_mount.yaml)                                                                      |
-| Allow certain capability to be added      | [policy_validate_container_capabilities.yaml](policy_validate_container_capabilities.yaml)                                                                      |
-| Allow local tcp/udp port range      | [policy_validate_sysctl_configs.yaml](policy_validate_sysctl_configs.yaml)                                                                      |
-| Allowed volume plugins      | [policy_validate_volume_whitelist.yaml](policy_validate_volume_whitelist.yaml)                                                                      |

examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml

@@ -1,29 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-deny-privileged-disallowpriviligedescalation
-spec:
-  validationFailureAction: "audit"
-  rules:
-  - name: deny-privileged-disallowpriviligedescalation
-    exclude:
-      resources:
-        namespaces: 
-        - kube-system
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
-      anyPattern:
-      - spec:
-          securityContext:
-            allowPrivilegeEscalation: false
-            privileged: false
-      - spec:
-          containers:
-          - name: "*"
-            securityContext:
-              allowPrivilegeEscalation: false
-              privileged: false    

examples/best_practices/policy_validate_default_namespace.yaml

@@ -1,26 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-namespace
-spec:
-  rules:
-  - name: check-default-namespace
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "A none 'default' namespace is required"
-      pattern:
-        metadata:
-          namespace: "!default"
-  - name: check-namespace-exist
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "A namespace is required"
-      pattern:
-        metadata:
-          namespace: "?*"

examples/best_practices/policy_validate_default_network_policy.yaml

@@ -1,28 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: defaultgeneratenetworkpolicy
-spec:
-  rules:
-  - name: "default-networkpolicy"
-    match:
-      resources: 
-        kinds:
-        - Namespace
-        name: "devtest"
-    generate: 
-      kind: NetworkPolicy
-      name: defaultnetworkpolicy
-      data:
-        spec:
-          # select all pods in the namespace
-          podSelector: {}
-          policyTypes: 
-          - Ingress
-          - Egress
-          # allow all ingress traffic from pods within this namespace
-          ingress:
-          - {}
-          # allow all egress traffic
-          egress:
-          - {}

examples/best_practices/policy_validate_deny_runasrootuser.yaml

@@ -1,27 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-deny-runasrootuser
-spec:
-  validationFailureAction: "audit"
-  rules:
-  - name: deny-runasrootuser
-    exclude:
-      resources:
-        namespaces: 
-        - kube-system
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Root user is not allowed. Set runAsNonRoot to true."
-      anyPattern:
-      - spec:
-          securityContext:
-            runAsNonRoot: true
-      - spec:
-          containers:
-          - name: "*"
-            securityContext:
-              runAsNonRoot: true

examples/best_practices/policy_validate_disallow_node_port.yaml

@@ -1,21 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: disallow-node-port
-spec:
-  rules:
-  - name: disallow-node-port
-    exclude:
-      resources:
-        namespaces: 
-        - kube-system
-    match:
-      resources:
-        kinds:
-        - Service
-    validate:
-      message: "Disallow service of type NodePort"
-      pattern: 
-        spec:
-          type: "!NodePort"
-

examples/best_practices/policy_validate_host_network_port.yaml

@@ -1,20 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-host-network-hostport
-spec:
-  rules:
-  - name: validate-host-network-hostport
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "hostNetwork and hostPort are not allowed"
-      pattern:
-        spec:
-          hostNetwork: false
-          containers:
-          - name: "*"
-            ports:
-            - hostPort: null

examples/best_practices/policy_validate_hostpid_hosipc.yaml

@@ -1,21 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-hostpid-hostipc
-spec:
-  rules:
-  - name: validate-hostpid-hostipc
-    exclude:
-      resources:
-        namespaces: 
-        - kube-system
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Disallow use of host's pid namespace and host's ipc namespace"
-      pattern:
-        spec:
-          (hostPID): "!true"
-          hostIPC: false

examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml

@@ -1,18 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-image
-spec:
-  rules:
-  - name: validate-tag
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "imagePullPolicy 'IfNotPresent' forbidden with image tag 'latest'"    
-      pattern:
-        spec:
-          containers:
-          - (image): "*:latest"
-            imagePullPolicy: "!IfNotPresent"

examples/best_practices/policy_validate_image_tag.yaml

@@ -1,29 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-image
-spec:
-  rules:
-  - name: validate-tag
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "An image tag is required"    
-      pattern:
-        spec:
-          containers:
-          - image: "*:*"  
-  - name: validate-latest
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "imagePullPolicy 'Always' required with tag 'latest'"    
-      pattern:
-        spec:
-          containers:
-          - (image): "*latest"
-            imagePullPolicy: Always

examples/best_practices/policy_validate_image_tag_latest_deny.yaml

@@ -1,17 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-image-tag-notlatest
-spec:
-  rules:
-  - name: image-tag-notlatest
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "image tag 'latest' forbidden"  
-      pattern:
-        spec:
-          containers:
-          - image: "!*:latest"

examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml

@@ -1,17 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-image-tag-notspecified
-spec:
-  rules:
-  - name: image-tag-notspecified
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "image tag not specified"  
-      pattern:
-        spec:
-          containers:
-          - image: "*:*"

examples/best_practices/policy_validate_namespace_quota.yaml

@@ -1,20 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-namespace-quota
-spec:
-  rules:
-  - name: validate-namespace-quota
-    match:
-      resources:
-        kinds:
-        - Namespace
-    generate:
-      kind: ResourceQuota
-      name: "defaultresourcequota"
-      spec:
-        hard:
-          requests.cpu: "*"
-          requests.memory: "*"
-          limits.cpu: "*"
-          limits.memory: "*"

examples/best_practices/policy_validate_not_readonly_rootfilesystem.yaml

@@ -1,22 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-not-readonly-rootfilesystem
-spec:
-  rules:
-  - name: validate-not-readonly-rootfilesystem
-    exclude:
-      resources:
-        namespaces: 
-        - kube-system
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Container should not have read-only rootfilesystem"
-      pattern:
-        spec:
-          containers:
-          - securityContext:
-              readOnlyRootFilesystem: false

examples/best_practices/policy_validate_pod_probes.yaml

@@ -1,25 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-probes
-spec:
-  validationFailureAction: "audit"
-  rules:
-  - name: check-probes
-    match:
-      resources:
-        kinds:
-        - Pod
-    # exclude:
-    #   namespaces:
-    #     - kube-system
-    validate:
-      message: "Liveness and readiness probes are required"
-      pattern:
-        spec:
-          containers:
-            livenessProbe:
-              periodSeconds: ">0"      
-            readinessProbe:
-              periodSeconds: ">0"
-

examples/best_practices/policy_validate_whitelist_image_registries.yaml

@@ -1,20 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-image-registry
-spec:
-  rules:
-  - name: validate-image-registry
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "White list of image registries"
-      anyPattern:
-      - spec:
-          containers:
-          - image: "https://private.registry.io/*"
-      - spec:
-          containers:
-          - image: "*nirmata*"

examples/best_practices/resources/nginx-deployment.yaml

@@ -1,19 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx
-  labels: 
-    app: "nirmata-nginx"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: nginx
-  template:
-    metadata:
-      labels:
-        app: nginx
-    spec:
-      containers:
-      - name: nginx
-        image: nginx:latest

examples/best_practices/resources/policy_validate_pod_resources.yaml

@@ -1,26 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: check-resources
-spec:
-  # validationFailureAction: "audit"
-  rules:
-  - name: check-pod-resources
-    message: "CPU and memory resource requests and limits are required"
-    match:
-      resources:
-        kinds:
-        - Pod
-        name: myapp-pod
-    validate:
-      pattern:
-        spec:
-          containers:
-          - name: "*"
-            resources:
-              requests:
-                memory: "?*"
-                cpu: "?*"
-              limits:
-                memory: "?*"
-                cpu: "?*"

examples/best_practices/resources/resource_validate_host_path.yaml

@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: image-with-hostpath
-  labels:
-    app.type: prod
-    namespace: "my-namespace"
-spec:
-  containers:
-  - name: image-with-hostpath
-    image: docker.io/nautiker/curl
-    volumeMounts:
-    - name: var-lib-etcd
-      mountPath: /var/lib
-  volumes:
-  - name: var-lib-etcd
-    hostPath:
-      path: /var/lib

examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: myapp-pod
-  labels:
-    app: myapp
-spec: 
-  containers:
-  - name: nginx
-    image: nginx:latest
-    imagePullPolicy: IfNotPresent

examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: myapp-pod
-  labels:
-    app: myapp
-spec: 
-  containers:
-  - name: nginx
-    image: nginx:1.12
-    imagePullPolicy: IfNotPresent

examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: myapp-pod
-  labels:
-    app: myapp
-spec: 
-  containers:
-  - name: nginx
-    image: nginx:latest

examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: myapp-pod
-  labels:
-    app: myapp
-spec: 
-  containers:
-  - name: nginx
-    image: nginx

examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: myapp-pod
-  labels:
-    app: myapp
-spec: 
-  containers:
-  - name: nginx
-    image: nginx:latest

examples/best_practices/resources/resource_validate_namespace_quota.yaml

@@ -1,4 +0,0 @@
-kind: Namespace
-apiVersion: v1
-metadata: 
-    name: "test-namespace-quota"

examples/best_practices/resources/resource_validate_nonRootUser.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: sec-ctx-unprivileged
-spec:
-  # securityContext:
-  #   runAsNonRoot: true
-  containers:
-  - name: imagen-with-hostpath
-    image: nginxinc/nginx-unprivileged

examples/best_practices/resources/resource_validate_pod_resources.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: myapp-pod
-  labels:
-    app: myapp
-spec: 
-  containers:
-  - name: nginx
-    image: nginx

examples/best_practices/resources/resource_validate_whitelist_image_registries.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: nirmata-nginx
-spec:
-  containers:
-  - name: nirmata-nginx
-    image: nirmata/nginx

pkg/testrunner/testrunner_test.go

@@ -30,10 +30,6 @@ func Test_validate_healthChecks(t *testing.T) {
 	testScenario(t, "/test/scenarios/test/scenario_validate_healthChecks.yaml")
 }
 
-func Test_validate_imageRegistries(t *testing.T) {
-	testScenario(t, "/test/scenarios/test/scenario_validate_imageRegistries.yaml")
-}
-
 func Test_validate_nonRootUsers(t *testing.T) {
 	testScenario(t, "/test/scenarios/test/scenario_validate_nonRootUser.yaml")
 }
@@ -43,14 +39,6 @@ func Test_generate_networkPolicy(t *testing.T) {
 }
 
 // namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver
-func Test_validate_image_latest_ifnotpresent_deny(t *testing.T) {
-	testScenario(t, "/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml")
-
-}
-
-func Test_validate_image_latest_ifnotpresent_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml")
-}
 
 func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml")
@@ -80,10 +68,6 @@ func Test_validate_disallow_default_namespace(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_disallow_default_namespace.yaml")
 }
 
-func Test_validate_host_path(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_host_path.yaml")
-}
-
 func Test_validate_host_network_port(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_network_hostport.yaml")
 }

test/cli/cli/p1.yaml

@@ -1,27 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: Policy
-metadata:
-  name: check-cpu-memory
-spec:
-  rules:
-  - name: check-pod-resources
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "CPU and memory resource requests and limits are required"
-      pattern:
-        spec:
-          containers:
-          # 'name: *' selects all containers in the pod
-          - name: "*"
-            resources:
-              limits:
-                # '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters.
-                # Using them together e.g. '?*' requires at least one character. 
-                memory: "?*"
-                cpu: "?*"
-              requests:
-                memory: "?*"
-                cpu: "?*"

test/cli/cli/pv1.yaml

@@ -1,32 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: PolicyViolation
-metadata:
-  name: pv1
-spec:
-  policy: check-cpu-memory
-  resource: 
-    kind: Pod
-    namespace: ""
-    name: pod1
-  rules:
-  - name: r1
-    type: Mutation
-    status: Failed
-    message: test mesaage for rule failure
----
-apiVersion: kyverno.io/v1alpha1
-kind: PolicyViolation
-metadata:
-  name: pv2
-spec:
-  policy: check-cpu-memory
-  resource: 
-    kind: Pod
-    namespace: ""
-    name: pod1
-  rules:
-  - name: r1
-    type: Mutation
-    status: Failed
-    message: test mesaage for rule failure
----

test/mix/nginx.yaml

@@ -1,25 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx-deployment
-  labels:
-    app: nginx
-    cli: test
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: nginx
-  template:
-    metadata:
-      labels:
-        app: nginx
-    spec:
-      containers:
-      - name: nginx
-        image: nirmata/nginx:green
-        # imagePullPolicy: Always
-        ports:
-        - containerPort: 80
-      - name: nginx1
-        image: launcher.gcr.io/google/nginx1

test/mix/policy.yaml

@@ -1,86 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind : ClusterPolicy
-metadata :
-  name : policy-deployment
-spec :
-  rules:
-    - name: add-label
-      match:
-        resources:
-          kinds : 
-          - Deployment
-          selector :
-            matchLabels :
-              cli: test
-      mutate:
-        patches:
-        - path: /metadata/labels/isMutated
-          op: add
-          value: "true"
-        overlay:
-          spec:
-            template:
-              spec:
-                containers:
-                  # if the image nginx, set the imagePullPolicy to Always
-                  - (image): "*nginx*"
-                    imagePullPolicy: "Always"
-    - name: add-label2
-      match:
-        resources:
-          kinds : 
-          - Deployment
-          selector :
-            matchLabels :
-              cli: test
-      mutate:
-        patches:
-        - path: /metadata/labels/app1
-          op: replace
-          value: "nginx_is_mutated" 
-    - name: add-label3
-      match:
-        resources:
-          kinds : 
-          - Deployment
-          selector :
-            matchLabels :
-              cli: test
-      mutate:
-        patches:
-        - path: /metadata/labels/app2
-          op: add
-          value: "nginx_is_mutated2" 
-    - name: check-image
-      match:
-        resources:
-          kinds : 
-          - Deployment
-          selector :
-            matchLabels :
-              cli: test
-      validate:
-        message: "The imagePullPolicy must be Always when using image nginx"
-        pattern:
-          spec:
-            template:
-              spec:
-                containers:
-                - (image): "*nginx*"
-                  imagePullPolicy: "Always"
-    - name: check-registries
-      match:
-        resources:
-          kinds:
-          - Deployment
-          - StatefulSet
-      validate:
-        message: "Registry is not allowed"
-        pattern:
-          spec:
-            template:
-              spec:
-                containers:
-                - name: "*"
-                  # Check allowed registries
-                  image: "*nirmata/* | launcher.gcr.io/*"

test/scenarios/cli/cli.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/cli/policy_deployment.yaml
+  policy: test/scenarios/cli/policy_deployment.yaml
-  resource: examples/cli/nginx.yaml
+  resource: test/scenarios/cli/nginx.yaml
 expected:
   passes: true
   mutation:
@@ -19,8 +19,8 @@ expected:
           - "Rule check-image: Validation succesfully."
 ---
 input:
-  policy: examples/cli/policy_deployment.yaml
+  policy:  test/scenarios/cli/policy_deployment.yaml
-  resource: examples/cli/ghost.yaml
+  resource: test/scenarios/cli/ghost.yaml
 expected:
   passes: true
   mutation:

test/scenarios/policy_generate_networkPolicy.yaml

@@ -1,28 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: defaultgeneratenetworkpolicy
-spec:
-  rules:
-  - name: "default-networkpolicy"
-    match:
-      resources: 
-        kinds:
-        - Namespace
-        name: "devtest"
-    generate: 
-      kind: NetworkPolicy
-      name: defaultnetworkpolicy
-      data:
-        spec:
-          # select all pods in the namespace
-          podSelector: {}
-          policyTypes: 
-          - Ingress
-          - Egress
-          # allow all ingress traffic from pods within this namespace
-          ingress:
-          - {}
-          # allow all egress traffic
-          egress:
-          - {}

test/scenarios/policy_validate_nonRootUser.yaml

@@ -1,27 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: check-container-security-context
-spec:
-  # validationFailureAction: "audit"
-  rules:
-  - name: check-root-user
-    exclude:
-      resources:
-        namespaces: 
-        - kube-system
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Root user is not allowed. Set runAsNonRoot to true."
-      anyPattern:
-        - spec:
-            securityContext:
-              runAsNonRoot: true
-        - spec:
-            containers:
-            - name: "*"
-              securityContext:
-                runAsNonRoot: true

test/scenarios/query/resource_lb1.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: lb1
-  namespace: test
-spec:
-  selector:
-    app: app
-  ports:
-    - port: 8765 # random
-      targetPort: 9376 # random
-  type: LoadBalancer

test/scenarios/query/resource_lb2.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: lb2
-  namespace: test
-spec:
-  selector:
-    app: app
-  ports:
-    - port: 8765 # random
-      targetPort: 9376 # random
-  type: LoadBalancer

test/scenarios/query/resource_ns_test.yaml

@@ -1,4 +0,0 @@
-kind: Namespace
-apiVersion: v1
-metadata: 
-    name: "test"

test/scenarios/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: check-privileged-cfg
+spec:
+  containers:
+  - name: check-privileged-cfg
+    image: nginxinc/nginx-unprivileged
+    securityContext:
+      allowPrivilegeEscalation: true
+      privileged: false

test/scenarios/test/s1.yaml

@@ -1,21 +0,0 @@
-# file path relative to project root
-input:
-  policy: examples/cli/policy_deployment.yaml
-  resource: examples/cli/nginx.yaml
-expected:
-  mutation:
-    patchedresource: test/output/nginx.yaml
-    policyresponse:
-      policy: policy-deployment
-      resource:
-        kind: Deployment
-        apiVersion: 'apps/v1'
-        namespace: ''
-        name: nginx-deployment
-      rules:
-        - name: add-label
-          type: Mutation
-          success: true
-          message: succesfully process JSON patches
-          # patches: `[{"path":"/metadata/labels/isMutated","op":"add","value":"true"},
-          #           {"path":"/metadata/labels/app","op":"replace","value":"nginx_is_mutated"}]`

test/scenarios/test/scenario_generate_networkPolicy.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/require_default_network_policy.yaml
-  resource: test/manifest/require_default_network_policy.yaml
+  resource: test/scenarios/resources/require_default_network_policy.yaml
 expected:
   generation:
     generatedResources:

test/scenarios/test/scenario_mutate_endPpoint.yaml

@@ -1,6 +1,6 @@
 # file path relative to project root
 input:
-  policy: test/scenarios/policy_mutate_endpoint.yaml
+  policy: test/scenarios/mutate/policy_mutate_endpoint.yaml
   resource: test/scenarios/resources/resource_mutate_endpoint.yaml
 expected:
   mutation:

test/scenarios/test/scenario_mutate_imagePullPolicy.yaml

@@ -1,6 +1,6 @@
 # file path relative to project root
 input:
-  policy: test/scenarios/policy_mutate_imagePullPolicy.yaml
+  policy: test/scenarios/mutate/policy_mutate_imagePullPolicy.yaml
   resource: test/scenarios/resources/resource_mutate_imagePullPolicy.yaml
 expected:
   mutation:

test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
+  policy: test/scenarios/mutate/policy_mutate_pod_disable_automountingapicred.yaml
-  resource: examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
+  resource: test/scenarios/mutate/resource_mutate_pod_disable_automountingapicred.yaml
 expected:
   mutation:
     patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml

test/scenarios/test/scenario_mutate_validate_qos.yaml

@@ -1,6 +1,6 @@
 # file path relative to project root
 input:
-  policy: test/scenarios/policy_mutate_validate_qos.yaml
+  policy: test/scenarios/mutate/policy_mutate_validate_qos.yaml
   resource: test/scenarios/resources/resource_mutate_validate_qos.yaml
 expected:
   mutation:

test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/require_image_tag_not_latest.yaml
-  resource: test/manifest/require_image_tag_not_latest_deny.yaml
+  resource: test/scenarios/resources/require_image_tag_not_latest_deny.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/require_image_tag_not_latest.yaml
-  resource: test/manifest/require_image_tag_not_latest_notag.yaml
+  resource: test/scenarios/resources/require_image_tag_not_latest_notag.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/require_image_tag_not_latest.yaml
-  resource: examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
+  resource: test/scenarios/resources/resource_validate_image_tag_latest_pass.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_containerSecurityContext.yaml

@@ -1,6 +1,6 @@
 # file path relative to project root
 input:
-  policy: test/scenarios/policy_validate_containerSecurityContext.yaml
+  policy: test/scenarios/validate/policy_validate_containerSecurityContext.yaml
   resource: test/scenarios/resources/resource_validate_containerSecurityContext.yaml
 expected:
   validation:

test/scenarios/test/scenario_validate_container_capabilities.yaml

@@ -2,7 +2,7 @@
 # file path relative to project root
 input:
   policy: samples/additional/policy_validate_container_capabilities.yaml
-  resource: examples/best_practices/resources/resource_validate_container_capabilities.yaml
+  resource: test/scenarios/resources/resource_validate_container_capabilities.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_container_disallow_priviledgedprivelegesecalation.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
+  policy: samples/best_practices/disallow_priviledged_priviligedescalation.yaml
-  resource: examples/best_practices/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml
+  resource: test/scenarios/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_default_namespace.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/best_practices/policy_validate_default_namespace.yaml
+  policy: samples/best_practices/disallow_default_namespace.yaml
-  resource: examples/best_practices/resources/resource_default_namespace.yaml
+  resource: test/scenarios/resources/resource_default_namespace.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_default_proc_mount.yaml

@@ -1,8 +1,8 @@
 
 # file path relative to project root
 input:
-  policy: examples/best_practices/policy_validate_default_proc_mount.yaml
+  policy: test/scenarios/validate/policy_validate_default_proc_mount.yaml
-  resource: examples/best_practices/resources/resource_validate_default_proc_mount.yaml
+  resource: test/scenarios/resources/resource_validate_default_proc_mount.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_deny_runasrootuser.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/deny_runasrootuser.yaml
-  resource: test/manifest/deny_runasrootuser.yaml
+  resource: test/scenarios/resources/deny_runasrootuser.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_automountingapicred.yaml
-  resource: test/manifest/disallow_automountingapicred.yaml
+  resource: test/scenarios/resources/disallow_automountingapicred.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_disallow_default_namespace.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_default_namespace.yaml
-  resource: test/manifest/disallow_default_namespace.yaml
+  resource: test/scenarios/resources/disallow_default_namespace.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/best_practices/policy_validate_disallow_default_serviceaccount.yaml
+  policy: test/scenarios/validate/policy_validate_disallow_default_serviceaccount.yaml
-  resource: examples/best_practices/resources/resource_validate_disallow_default_serviceaccount.yaml
+  resource: test/scenarios/resources/resource_validate_disallow_default_serviceaccount.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_host_filesystem.yaml
-  resource: test/manifest/disallow_host_filesystem.yaml
+  resource: test/scenarios/resources/disallow_host_filesystem.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_host_filesystem.yaml
-  resource: test/manifest/disallow_host_filesystem_pass.yaml
+  resource: test/scenarios/resources/disallow_host_filesystem_pass.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_disallow_host_network_hostport.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_host_network_hostport.yaml
-  resource: test/manifest/disallow_host_network_hostport.yaml
+  resource: test/scenarios/resources/disallow_host_network_hostport.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_disallow_hostpid_hostipc.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:  
   policy: samples/best_practices/disallow_hostpid_hostipc.yaml
-  resource: test/manifest/disallow_hostpid_hostipc.yaml
+  resource: test/scenarios/resources/disallow_hostpid_hostipc.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_disallow_node_port.yaml

@@ -2,7 +2,7 @@
 # file path relative to project root
 input:
   policy: samples/best_practices/disallow_node_port.yaml
-  resource: test/manifest/disallow_node_port.yaml
+  resource: test/scenarios/resources/disallow_node_port.yaml
 expected:
   validation:
     policyresponse: