diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/README.md new file mode 100644 index 0000000000..cd39f0598d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/README.md @@ -0,0 +1,12 @@ +## Description + +This test verifies that context variables (APICalls, etc.) are lazily evaluated after pre-conditions are processed. + +## Expected Behavior + +The Ingress delete should be allowed. + +## Reference Issues + +https://github.com/kyverno/kyverno/issues/4374 + diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 0000000000..01b7c33117 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-1.yaml 
@@ -0,0 +1,40 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: ingress-unique-host +spec: + failurePolicy: Fail + rules: + - context: + - name: requestIngressClass + variable: + jmesPath: request.object.metadata.annotations."kubernetes.io/ingress.class" + - apiCall: + jmesPath: items[?metadata.name != '{{ request.object.metadata.name }}'] + urlPath: /apis/networking.k8s.io/v1/ingresses + name: ingresses + match: + all: + - resources: + kinds: + - Ingress + name: unique-ingress-against-other-ingress-class + preconditions: + all: + - key: '{{ request.operation }}' + operator: AnyIn + value: + - CREATE + - UPDATE + validate: + deny: + conditions: + any: + - key: '{{ request.object.spec.rules[].host }}' + operator: AnyIn + value: '{{ingresses[?metadata.annotations."kubernetes.io/ingress.class" + != ''{{ request.object.metadata.annotations."kubernetes.io/ingress.class" + }}''].spec.rules[].host }}' + message: | + Ingress must have a unique hostname across different ingress classes + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-2.yaml new file mode 100755 index 0000000000..bc351174ad --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-2.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-ingress diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-3.yaml new file mode 100755 index 0000000000..0edc306785 --- /dev/null 
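Review bot: The `requestIngressClass` context variable declared at the top of the rule is never referenced — the deny condition re-inlines `request.object.metadata.annotations."kubernetes.io/ingress.class"` inside the nested `{{ }}` instead of using it. Either drop the entry or write the inner expression as `{{ requestIngressClass }}` so the annotation is derived in one place. This file is the frozen copy under `apicalls(deprecated)` (its `index 01b7c33117` matches the pre-change hash of the file modified later in this diff), so a header comment such as `# snapshot of the deprecated schema: spec-level failurePolicy / validationFailureAction; do not migrate` would tell readers why it intentionally diverges from the non-deprecated policy.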
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-3.yaml @@ -0,0 +1,19 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: nginx + name: my-app-ingress + namespace: test-ingress +spec: + rules: + - host: my-app.myorg.io + http: + paths: + - backend: + service: + name: my-app-deployment + port: + number: 80 + path: / + pathType: ImplementationSpecific diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 0000000000..0c97fb1ab2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: ingress-unique-host +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-assert-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-assert-1-2.yaml new file mode 100755 index 0000000000..eba6ba8f30 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-assert-1-2.yaml @@ -0,0 +1,5 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: my-app-ingress + namespace: test-ingress diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-test.yaml new file mode 100755 index 0000000000..511819c76c --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-test.yaml @@ -0,0 +1,27 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: lazyload +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - apply: + file: chainsaw-step-01-apply-1-2.yaml + - apply: + file: chainsaw-step-01-apply-1-3.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - assert: + file: chainsaw-step-01-assert-1-2.yaml + - name: step-02 + try: + - delete: + ref: + apiVersion: networking.k8s.io/v1 + kind: Ingress + name: my-app-ingress + namespace: test-ingress diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/README.md new file mode 100644 index 0000000000..262855246f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/README.md @@ -0,0 +1,13 @@ +## Description + +This test checks a POST operation to the Kubernetes API server for a SubjectAccessReview. It checks for delete access to the namespace of the request, and allows or denies the request. + +## Expected Behavior + +The test resource should be allowed to be created in the test namespace but not in the `default` namespace, as Kyverno cannot delete it. + +## Reference Issues + +https://github.com/kyverno/kyverno/issues/1717 + +https://github.com/kyverno/kyverno/issues/6857 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 0000000000..7996413c53 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:subjectaccessreviews +rules: +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - '*' diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-2.yaml new file mode 100755 index 0000000000..c71722f303 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-2.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:namespace-delete +rules: +- apiGroups: + - "" + resourceNames: + - test-sar + resources: + - namespaces + verbs: + - delete diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-3.yaml new file mode 100755 index 0000000000..ebe7112152 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-3.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-sar 
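Review bot: `verbs: - '*'` on `subjectaccessreviews` in the first ClusterRole is broader than the API supports; SubjectAccessReview is a non-persisted, create-only resource, so `verbs: - create` is the least-privilege grant that still lets the policy's POST succeed. The role carries the `app.kubernetes.io/component: admission-controller` labels, which presumably aggregate it into Kyverno's admission-controller permissions cluster-wide for the duration of the test, so it should be kept minimal. The second role correctly scopes `delete` to `resourceNames: - test-sar`, which is what makes the `default`-namespace case deny.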
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml new file mode 100755 index 0000000000..8b82595629 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml @@ -0,0 +1,40 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: check-subjectaccessreview +spec: + background: false + rules: + - context: + - apiCall: + data: + - key: kind + value: SubjectAccessReview + - key: apiVersion + value: authorization.k8s.io/v1 + - key: spec + value: + resourceAttributes: + group: "" + name: '{{ request.namespace }}' + resource: namespaces + verb: delete + user: system:serviceaccount:kyverno:kyverno-admission-controller + method: POST + urlPath: /apis/authorization.k8s.io/v1/subjectaccessreviews + name: subjectaccessreview + match: + any: + - resources: + kinds: + - ConfigMap + name: check-sar + validate: + deny: + conditions: + any: + - key: '{{ subjectaccessreview.status.allowed }}' + operator: NotEquals + value: true + message: User is not authorized. + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 0000000000..6fe832672c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-subjectaccessreview +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
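Review bot: The SubjectAccessReview is evaluated for the hard-coded `user: system:serviceaccount:kyverno:kyverno-admission-controller`, not for the requester, so the deny message `User is not authorized.` is misleading: the rule gates ConfigMap creation on whether Kyverno's own service account may delete the namespace. That matches the README's stated intent for this test, but anyone copying the pattern to authorize the caller would need `user: '{{ request.userInfo.username }}'` plus `groups: '{{ request.userInfo.groups }}'` instead. Add a comment above `user:` such as `# intentionally checks Kyverno's own SA, not the requester; see README` and note that the SA name is install-specific. `background: false` is correct here since the context depends on `request.namespace`.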
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-test.yaml new file mode 100755 index 0000000000..d5a51bcc78 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-test.yaml @@ -0,0 +1,28 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: subjectaccessreview +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - apply: + file: chainsaw-step-01-apply-1-2.yaml + - apply: + file: chainsaw-step-01-apply-1-3.yaml + - apply: + file: chainsaw-step-01-apply-1-4.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: cm-default-ns.yaml + - apply: + file: cm-test-ns.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/cm-default-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/cm-default-ns.yaml new file mode 100644 index 0000000000..0b9be553e2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/cm-default-ns.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm + namespace: default +data: {} \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/cm-test-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/cm-test-ns.yaml new file mode 100644 index 0000000000..424fd590aa --- /dev/null 
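Review bot: The `expect` on the `default`-namespace apply only asserts `($error != null): true`, so the step passes on any failure — a webhook timeout, a missing namespace or an RBAC error on the test runner — not just the policy denial the test exists to prove. Tighten it to the policy's message, e.g. `(contains($error, 'User is not authorized')): true`, assuming `$error` is bound to the error text the way `$stderr` is used in the script checks elsewhere in this diff. The `cm-test-ns.yaml` apply has no check, which should be fine since chainsaw fails the step if that apply is rejected.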
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/cm-test-ns.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm + namespace: test-sar +data: {} \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/chainsaw-step-01-apply-1-1.yaml index 01b7c33117..dbc3cf10f5 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/chainsaw-step-01-apply-1-1.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/chainsaw-step-01-apply-1-1.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: ingress-unique-host spec: - failurePolicy: Fail rules: - context: - name: requestIngressClass @@ -27,6 +26,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce deny: conditions: any: @@ -37,4 +37,5 @@ spec: }}''].spec.rules[].host }}' message: | Ingress must have a unique hostname across different ingress classes - validationFailureAction: Enforce + webhookConfiguration: + failurePolicy: Fail diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml index 8b82595629..941d71f8cd 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml @@ -30,6 +30,7 @@ spec: - ConfigMap name: check-sar validate: + validationFailureAction: Enforce deny: conditions: any: @@ -37,4 +38,3 @@ spec: operator: NotEquals value: true message: User is not authorized. - validationFailureAction: Enforce 
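Review bot: The `failurePolicy: Fail` relocated under `webhookConfiguration` at the end of the first hunk is the fail-closed setting that stops a duplicate host being admitted when the `ingresses` apiCall errors, and nothing in the policy says so; a comment such as `# fail closed: an apiCall error must not admit a duplicate host` above it would protect it from being relaxed to Ignore in a later cleanup. The collapsed whitespace makes the nesting level unrecoverable here, so confirm it lands under `spec.webhookConfiguration` rather than inside `validate`. The second hunk's move of `validationFailureAction` into the rule's `validate` block is fine as-is.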
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/README.md @@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml new file mode 100755 index 0000000000..076e6c1e59 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-match-clusterroles +spec: + background: true + rules: + - match: + any: + - clusterRoles: + - foo-admin + resources: + kinds: + - Pod + name: ns-clusterroles + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: ?* + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/chainsaw-test.yaml new file mode 100755 index 0000000000..051507efb8 
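Review bot: The step-02 `error` file carries the full policy spec, but a chainsaw `error` check passes when no resource matches every listed field, so it only proves "no policy with exactly this spec exists"; if step-01 had created the policy with any field defaulted or mutated differently, the assertion would still pass, contradicting the README's "checks that the policy has not been created". Trim the file to `apiVersion`, `kind` and `metadata.name` so non-existence is what is asserted. The same pattern is repeated in the four sibling `background-*` error files added in this diff.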
--- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/chainsaw-test.yaml @@ -0,0 +1,18 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: background-match-clusterroles +spec: + steps: + - name: step-01 + try: + - script: + content: kubectl apply -f manifests.yaml + check: + # This check below ensures that the string 'invalid variable used' is found in stderr or else fails + (contains($stderr, 'invalid variable used')): true + - name: step-02 + try: + - error: + file: chainsaw-step-02-error-1-1.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/manifests.yaml new file mode 100644 index 0000000000..7a7a97568d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/manifests.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-match-clusterroles +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-clusterroles + match: + any: + - resources: + kinds: + - Pod + clusterRoles: + - foo-admin + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "?*" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/README.md 
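Review bot: The `check` on the `kubectl apply` script asserts only that stderr contains `invalid variable used`; if chainsaw treats an explicit `check` as replacing its default non-zero-exit assertion (as it appears to), the step no longer verifies that kubectl actually failed, and the substring is a generic Kyverno message rather than one naming `clusterRoles`. Add `($error != null): true` beside the substring check, and match on the field-specific text if Kyverno's rejection names it. The long `# This check below ...` comment could be shortened to `# policy must be rejected at admission with the variable-validation error`.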
@@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/chainsaw-step-02-error-1-1.yaml new file mode 100755 index 0000000000..334e46d5f2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/chainsaw-step-02-error-1-1.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-match-roles +spec: + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + roles: + - foo-role + name: ns-roles + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: ?* + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/chainsaw-test.yaml new file mode 100755 index 0000000000..8dcce0c7de --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/chainsaw-test.yaml 
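Review bot: This error file correctly names the `roles` policy, but the README added in the same directory (top of this line) is a verbatim copy of the clusterRoles one — it says the policy is rejected "because clusterRoles is not valid in background mode" and keeps the `# Title` placeholder — and the `background-vars-roles`, `background-vars-serviceAccountName` and `background-vars-userInfo` READMEs later in this diff repeat the same text. Each should name the field or variable actually under test, e.g. `Ensures this policy cannot be created because roles is not valid in background mode.`, with a real title.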
@@ -0,0 +1,18 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: background-match-roles +spec: + steps: + - name: step-01 + try: + - script: + content: kubectl apply -f manifests.yaml + check: + # This check below ensures that the string 'invalid variable used' is found in stderr or else fails + (contains($stderr, 'invalid variable used')): true + - name: step-02 + try: + - error: + file: chainsaw-step-02-error-1-1.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/manifests.yaml new file mode 100644 index 0000000000..28f5299a20 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/manifests.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-match-roles +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-roles + match: + any: + - resources: + kinds: + - Pod + roles: + - foo-role + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "?*" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/README.md 
@@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/chainsaw-step-02-error-1-1.yaml new file mode 100755 index 0000000000..3c07232669 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/chainsaw-step-02-error-1-1.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-roles +spec: + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + name: ns-vars-roles + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + foo: '{{request.roles}}' + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/chainsaw-test.yaml new file mode 100755 index 0000000000..dc5bf10174 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/chainsaw-test.yaml 
@@ -0,0 +1,18 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: background-vars-roles +spec: + steps: + - name: step-01 + try: + - script: + content: kubectl apply -f manifests.yaml + check: + # This check below ensures that the string 'variable {{request.roles}} is not allowed' is found in stderr or else fails + (contains($stderr, 'variable {{request.roles}} is not allowed')): true + - name: step-02 + try: + - error: + file: chainsaw-step-02-error-1-1.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/manifests.yaml new file mode 100644 index 0000000000..8ddd546f19 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-roles +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-vars-roles + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + foo: "{{request.roles}}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/README.md 
@@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml new file mode 100755 index 0000000000..3c6208e302 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-serviceaccountname +spec: + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + name: ns-vars-serviceaccountname + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + baz: '{{serviceAccountName}}' + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/chainsaw-test.yaml new file mode 100755 index 0000000000..fa73f74bfa --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/chainsaw-test.yaml 
@@ -0,0 +1,18 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: background-vars-serviceaccountname +spec: + steps: + - name: step-01 + try: + - script: + content: kubectl apply -f manifests.yaml + check: + # This check below ensures that the string 'variable {{serviceAccountName}} is not allowed' is found in stderr or else fails + (contains($stderr, 'variable {{serviceAccountName}} is not allowed')): true + - name: step-02 + try: + - error: + file: chainsaw-step-02-error-1-1.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/manifests.yaml new file mode 100644 index 0000000000..071a720227 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-serviceaccountname +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-vars-serviceaccountname + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + baz: "{{serviceAccountName}}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/README.md 
@@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml new file mode 100755 index 0000000000..1c57165c64 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-userinfo +spec: + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + name: ns-vars-userinfo + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: '{{request.userInfo}}' + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/chainsaw-test.yaml new file mode 100755 index 0000000000..b022a50001 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/chainsaw-test.yaml 
@@ -0,0 +1,18 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: background-vars-userinfo +spec: + steps: + - name: step-01 + try: + - script: + content: kubectl apply -f manifests.yaml + check: + # This check below ensures that the string 'variable {{request.userInfo}} is not allowed' is found in stderr or else fails + (contains($stderr, 'variable {{request.userInfo}} is not allowed')): true + - name: step-02 + try: + - error: + file: chainsaw-step-02-error-1-1.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/manifests.yaml new file mode 100644 index 0000000000..2534e8b57f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-userinfo +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-vars-userinfo + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "{{request.userInfo}}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/README.md new file mode 100644 index 0000000000..cf94c9703b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/README.md 
@@ -0,0 +1,11 @@ +## Description + +The configmap context lookup uses informer's cache internally, the background processing should use the same to resolve configmap context without crashing Kyverno. + +## Expected Behavior + +Policy is created successfully and the report is generated properly. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/5704 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 0000000000..87054ea19a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-cm-lookup diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-2.yaml new file mode 100755 index 0000000000..93d1b33db9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-2.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: keys + namespace: test-cm-lookup diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml new file mode 100755 index 0000000000..8788990515 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml @@ -0,0 +1,24 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-labels +spec: + background: true + rules: + - context: + - configMap: + name: keys + namespace: test-cm-lookup + name: keys + match: + any: + - resources: + kinds: + - Pod + name: validate-labels + validate: + pattern: + metadata: + labels: + foo: '{{ keys.data.foo }}' + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 0000000000..075d398147 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 0000000000..5a2df4e03e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-02-apply-1-1.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + name: test-cm-lookup-pod + namespace: test-cm-lookup +spec: + containers: + - image: nginx + name: test-cm-lookup 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-02-assert-1-1.yaml new file mode 100755 index 0000000000..919fd1da4f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-02-assert-1-1.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-cm-lookup-pod + namespace: test-cm-lookup diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-03-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-03-assert-1-1.yaml new file mode 100755 index 0000000000..20d9ea2ed5 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-03-assert-1-1.yaml @@ -0,0 +1,21 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: PolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + namespace: test-cm-lookup +results: +- policy: validate-labels + result: pass + rule: validate-labels +scope: + apiVersion: v1 + kind: Pod + name: test-cm-lookup-pod + namespace: test-cm-lookup +summary: + error: 0 + fail: 0 + pass: 1 + skip: 0 + warn: 0 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-test.yaml new file mode 100755 index 0000000000..527f950b61 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-test.yaml 
@@ -0,0 +1,27 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: configmap-context-lookup +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - apply: + file: chainsaw-step-01-apply-1-2.yaml + - apply: + file: chainsaw-step-01-apply-1-3.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1-1.yaml + - assert: + file: chainsaw-step-02-assert-1-1.yaml + - name: step-03 + try: + - assert: + file: chainsaw-step-03-assert-1-1.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml index 076e6c1e59..48c47b75a2 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml @@ -14,9 +14,9 @@ spec: - Pod name: ns-clusterroles validate: + validationFailureAction: Audit message: The `owner` label is required for all Namespaces. pattern: metadata: labels: owner: ?* - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/chainsaw-step-02-error-1-1.yaml index 334e46d5f2..f1bb53d50e 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/chainsaw-step-02-error-1-1.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/chainsaw-step-02-error-1-1.yaml 
@@ -14,9 +14,9 @@ spec: - foo-role name: ns-roles validate: + validationFailureAction: Audit message: The `owner` label is required for all Namespaces. pattern: metadata: labels: owner: ?* - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/chainsaw-step-02-error-1-1.yaml index 3c07232669..8b9208df53 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/chainsaw-step-02-error-1-1.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/chainsaw-step-02-error-1-1.yaml @@ -12,9 +12,9 @@ spec: - Pod name: ns-vars-roles validate: + validationFailureAction: Audit message: The `owner` label is required for all Namespaces. pattern: metadata: labels: foo: '{{request.roles}}' - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml index 3c6208e302..b68a6e09e9 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml @@ -12,9 +12,9 @@ spec: - Pod name: ns-vars-serviceaccountname validate: + validationFailureAction: Audit message: The `owner` label is required for all Namespaces. pattern: metadata: labels: baz: '{{serviceAccountName}}' - validationFailureAction: Audit 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml index 1c57165c64..4c2c35272f 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml @@ -12,9 +12,9 @@ spec: - Pod name: ns-vars-userinfo validate: + validationFailureAction: Audit message: The `owner` label is required for all Namespaces. pattern: metadata: labels: owner: '{{request.userInfo}}' - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml index 8788990515..5c03d581ec 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml @@ -17,8 +17,8 @@ spec: - Pod name: validate-labels validate: + validationFailureAction: Audit pattern: metadata: labels: foo: '{{ keys.data.foo }}' - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/chainsaw-test.yaml new file mode 100755 index 0000000000..455a1d211d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/chainsaw-test.yaml 
@@ -0,0 +1,30 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: with-permissions +spec: + steps: + - name: step-01 + try: + - apply: + file: serviceaccount.yaml + - name: step-02 + try: + - apply: + file: rbac.yaml + - name: step-03 + try: + - apply: + file: policy.yaml + - assert: + file: policy.yaml + - name: step-04 + try: + - command: + args: + - apply + - -f + - ./pod.yaml + - --as=system:serviceaccount:default:test-account + entrypoint: kubectl diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/pod.yaml new file mode 100644 index 0000000000..b16314c63a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/pod.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/policy.yaml new file mode 100644 index 0000000000..6afcf2b5bc --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/policy.yaml 
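Review bot: step-04 checks only the exit code of `kubectl apply -f ./pod.yaml --as=system:serviceaccount:default:test-account`, so the test never confirms the Pod was admitted, and a failure caused by the test runner lacking impersonate rights on serviceaccounts is indistinguishable from a policy denial. An assertion on the created Pod after the command pins the expected outcome: `- assert:` / `    file: pod.yaml`. pod.yaml carries no namespace, so the Pod lands wherever kubectl's current context points while the Role in rbac.yaml only covers `default`; adding `namespace: default` to pod.yaml (or `- -n` / `- default` to the args) makes the impersonated apply, the RBAC grant and the assert agree.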
@@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port +spec: + validationFailureAction: Enforce + background: false + rules: + - name: host-port + match: + any: + - resources: + kinds: + - Pod + validate: + cel: + expressions: + - expression: "authorizer.serviceAccount('default', 'test-account').group('').resource('pods').namespace('default').check('delete').allowed()" + message: "The user isn't allowed to delete pods in the 'default' namespace." + - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))" + message: "The fields spec.containers[*].ports[*].hostPort must either be unset or set to `0`" + diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/rbac.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/rbac.yaml new file mode 100644 index 0000000000..13f2520426 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/rbac.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: role + namespace: default +rules: + - apiGroups: + - '' + resources: + - pods + verbs: ["create", "update", "get", "list", "patch", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rolebinding + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: role +subjects: +- namespace: default + kind: ServiceAccount + name: test-account 
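Review bot: rbac.yaml mixes both block-sequence styles in one file: the `rules:` entries are indented (`  - apiGroups:`) while the `subjects:` entries are flush (`- namespace: default`); pick one form per file, as yamllint's indent-sequences check expects. `verbs` is also the only flow-style list in the file; writing it as a block list would match the surrounding `apiGroups` and `resources`. The same mix appears in the without-permissions rbac.yaml later in this diff.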
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/serviceaccount.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/serviceaccount.yaml new file mode 100644 index 0000000000..feb9ff5783 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-account + namespace: default diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/chainsaw-test.yaml new file mode 100755 index 0000000000..481dd62215 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/chainsaw-test.yaml @@ -0,0 +1,28 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: without-permissions +spec: + steps: + - name: step-01 + try: + - apply: + file: serviceaccount.yaml + - name: step-02 + try: + - apply: + file: rbac.yaml + - name: step-03 + try: + - apply: + file: policy.yaml + - assert: + file: policy.yaml + - name: step-04 + try: + - script: + content: "if kubectl apply -f ./deployment.yaml --as=system:serviceaccount:default:test-account-1\nthen\n + \ echo \"Test failed. Deployment shouldn't be created.\"\n exit 1\nelse + \n echo \"Test succeeded. Deployment isn't created as expected.\"\n exit + 0\nfi\n" 
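Review bot: The step-04 script in without-permissions/chainsaw-test.yaml treats any non-zero exit of `kubectl apply ... --as=system:serviceaccount:default:test-account-1` as success, so a missing deployment.yaml, an unreachable API server or a runner without impersonate rights all make the test pass without the policy ever being exercised. Checking the script's stderr for the policy's own message (as background-vars-userInfo/chainsaw-test.yaml already does with `contains($stderr, ...)`) ties the expectation to the denial under test, and dropping the if/else makes the step readable without escaped newlines in a double-quoted scalar. The policy message to match is the one in without-permissions/policy.yaml in the next hunk.

```yaml
- script:
    content: kubectl apply -f ./deployment.yaml --as=system:serviceaccount:default:test-account-1
    check:
      (contains($stderr, "isn't allowed to delete deployments")): true
```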
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/deployment.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/deployment.yaml new file mode 100644 index 0000000000..b4e5a7a097 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/deployment.yaml @@ -0,0 +1,17 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-test-1 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/policy.yaml new file mode 100644 index 0000000000..662dc2ea9e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-deployment-replicas-1 +spec: + validationFailureAction: Enforce + background: false + rules: + - name: deployment-replicas + match: + any: + - resources: + kinds: + - Deployment + validate: + cel: + expressions: + - expression: "authorizer.serviceAccount('default', 'test-account-1').group('apps').resource('deployments').namespace('default').check('delete').allowed()" + message: "The user isn't allowed to delete deployments in the 'default' namespace." + - expression: "object.spec.replicas <= 3" + message: "Deployment spec.replicas must be less than 3." 
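Review bot: In without-permissions/policy.yaml the second expression `object.spec.replicas <= 3` permits exactly 3 replicas, but its paired message says `must be less than 3`, so a user submitting 4 replicas is told the limit is 2. Align the two, e.g. `message: "Deployment spec.replicas must be 3 or fewer."` or tighten the expression to `object.spec.replicas < 3` if that was the intent. deployment.yaml in the preceding hunk uses `replicas: 1`, so the test does not distinguish the two readings.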
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/rbac.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/rbac.yaml new file mode 100644 index 0000000000..86b3ff6f2c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/rbac.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: role-1 + namespace: default +rules: + - apiGroups: + - apps + resources: + - deployments + verbs: ["create", "update", "get", "list", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rolebinding-1 + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: role-1 +subjects: +- namespace: default + kind: ServiceAccount + name: test-account-1 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/serviceaccount.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/serviceaccount.yaml new file mode 100644 index 0000000000..4a115a9b2b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-account-1 + namespace: default diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/README.md new file mode 100644 index 0000000000..86c9fe12dd --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/README.md 
@@ -0,0 +1,9 @@ +## Description + +This test validates the use of `rule.celPreconditions`. +The policy will be applied on resources that matches the CEL Preconditions. + +## Expected Behavior + +The policy will be applied on `pod-fail` and since it violates the rule, it will be blocked. +The policy won't be applied on `pod-pass` because it doesn't match the CEL precondition. Therefore it will be created. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/chainsaw-test.yaml new file mode 100755 index 0000000000..0a479c2d39 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/chainsaw-test.yaml @@ -0,0 +1,22 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cel-preconditions +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: pod-pass.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-fail.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/pod-fail.yaml new file mode 100644 index 0000000000..f532677735 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/pod-fail.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-pod +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 8080 + hostPort: 80 + \ No newline at end of file 
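Review bot: In cel-preconditions/chainsaw-test.yaml the `expect` check `($error != null): true` is satisfied by any apply error, not only a policy denial, so a malformed pod-fail.yaml or an unreachable API server would also pass step-02. Narrowing the check to the policy's own message ties the expectation to the rule under test, e.g. `(contains($error, 'permitted hostPorts')): true` (presumably `$error` carries the admission message text; verify against chainsaw's binding). The same loose check is used in the cel-variables and check-statefulset-namespace chainsaw-test.yaml files later in this diff.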
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/pod-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/pod-pass.yaml new file mode 100644 index 0000000000..0f39450a86 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/pod-pass.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 8080 + hostPort: 80 + \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy-assert.yaml new file mode 100644 index 0000000000..9ee9af9fde --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port-range +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy.yaml new file mode 100644 index 0000000000..fe4ebfdb42 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy.yaml 
@@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port-range +spec: + validationFailureAction: Enforce + background: false + rules: + - name: host-port-range + match: + any: + - resources: + kinds: + - Pod + celPreconditions: + - name: "first match condition in CEL" + expression: "object.metadata.name.matches('nginx-pod')" + validate: + cel: + expressions: + - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))" + message: "The only permitted hostPorts are in the range 5000-6000." diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/README.md new file mode 100644 index 0000000000..da0fd3a0df --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/README.md 
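Review bot: The precondition `object.metadata.name.matches('nginx-pod')` is an unanchored regular-expression match, so it also selects names such as `my-nginx-pod-2`; the test passes only because pod-pass.yaml is named `pod`, and the README describes the precondition as matching one specific pod. `expression: "object.metadata.name == 'nginx-pod'"` (or `matches('^nginx-pod$')`) states that intent exactly and is the form worth showing in a conformance fixture that users may copy.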
@@ -0,0 +1,20 @@ +## Description + +This test validates the use of variables in validate.cel subrule. + +This test creates the following: +1. Two namespaces: `production-ns` and `staging-ns` +2. A policy that enforces that all containers of a deployment has the image repo match the environment label of its namespace. Except for "exempt" deployments, or any containers that do not belong to the "example.com" organization For example, if the namespace has a label of {"environment": "staging"}, all container images must be either staging.example.com/* or do not contain "example.com" at all, unless the deployment has {"exempt": "true"} label. +3. Six deployments. + +## Expected Behavior + +The following deployments is blocked: +1. `deployment-fail-01`: It intended to be created in namespace `production-ns` but its container image is `staging.example.com/nginx` which violates the validation rule. +2. `deployment-fail-02`: It intended to be created in namespace `staging-ns` but its container image is `example.com/nginx` which violates the validation rule. +3. `deployment-fail-03`: It intended to be created in namespace `staging-ns` and it has a label of `exempt: "false"` but its container image is `example.com/nginx` which violates the validation rule. + +The following deployments is created: +1. `deployment-pass-01`, It is created in namespace `production-ns` and its container image is `prod.example.com/nginx`. +2. `deployment-pass-02`, It is created in namespace `staging-ns` and its container image is `staging.example.com/nginx`. +3. `deployment-pass-03`, It is created in namespace `staging-ns` and its container image is `example.com/nginx` but it has a label of `exempt: "true"` so it passes the validation rule. 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/chainsaw-test.yaml new file mode 100755 index 0000000000..591ab60004 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/chainsaw-test.yaml @@ -0,0 +1,28 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cel-variables +spec: + steps: + - name: step-01 + try: + - apply: + file: ns.yaml + - assert: + file: ns.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-03 + try: + - apply: + file: deployments-pass.yaml + - apply: + expect: + - check: + ($error != null): true + file: deployments-fail.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/deployments-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/deployments-fail.yaml new file mode 100644 index 0000000000..19068b5f63 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/deployments-fail.yaml 
@@ -0,0 +1,58 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-fail-01 + namespace: production-ns +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: staging.example.com/nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-fail-02 + namespace: staging-ns +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: example.com/nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-fail-03 + namespace: staging-ns + labels: + exempt: "false" +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: example.com/nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/deployments-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/deployments-pass.yaml new file mode 100644 index 0000000000..8ec7ba2e2e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/deployments-pass.yaml 
@@ -0,0 +1,58 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-pass-01 + namespace: production-ns +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: prod.example.com/nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-pass-02 + namespace: staging-ns +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: staging.example.com/nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-pass-03 + namespace: staging-ns + labels: + exempt: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: example.com/nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/ns.yaml new file mode 100644 index 0000000000..a9dc28210c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/ns.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: production-ns +--- +apiVersion: v1 +kind: Namespace +metadata: + name: staging-ns + labels: + environment: staging diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy-assert.yaml new file mode 100644 index 0000000000..acb6a9fa1c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: image-matches-namespace-environment.policy.example.com +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy.yaml new file mode 100644 index 0000000000..e1274adcdf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy.yaml @@ -0,0 +1,28 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: image-matches-namespace-environment.policy.example.com +spec: + validationFailureAction: Enforce + background: false + rules: + - name: image-matches-namespace-environment + match: + any: + - resources: + kinds: + - Deployment + validate: + cel: + variables: + - name: environment + expression: "'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'" + - name: exempt + expression: "has(object.metadata.labels) && 'exempt' in object.metadata.labels && object.metadata.labels['exempt'] == 'true'" + - name: containers + expression: "object.spec.template.spec.containers" + - name: containersToCheck + expression: "variables.containers.filter(c, c.image.contains('example.com/'))" + expressions: + - expression: "variables.exempt || variables.containersToCheck.all(c, c.image.startsWith(variables.environment + '.'))" + messageExpression: "'only ' + variables.environment + ' images are allowed in namespace ' + namespaceObject.metadata.name" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/README.md new file mode 100644 index 0000000000..78b4ea6bb9 --- /dev/null 
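Review bot: The `containersToCheck` filter on `c.image.contains('example.com/')` means a container whose image reference does not mention that registry (`image: nginx`, `docker.io/library/nginx`) is never compared against the namespace environment, so the rule only enforces environment consistency for example.com images and silently admits everything else. If that is the intent, a fixture such as a production-ns Deployment with `image: nginx` in deployments-pass.yaml would pin it down; if not, drop the filter so `.all(...)` runs over every container. The `exempt` variable lets the Deployment author opt out by putting `exempt: "true"` on their own object, which is a self-attested bypass rather than a namespace-controlled one — worth a comment on that variable saying the bypass is deliberate for this test. Minor consistency point: `object.metadata.labels` is guarded with `has()` but `namespaceObject.metadata.labels` is not; `has(namespaceObject.metadata.labels) && 'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'` would match the defensive style of the other variable.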
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/README.md @@ -0,0 +1,7 @@ +## Description + +This test creates a policy that uses CEL expressions to check if the statefulset is created in the `production` namespace or not. + +## Expected Behavior + +The statefulset `bad-statefulset` is blocked, and the statefulset `good-statefulset` is created. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/chainsaw-test.yaml new file mode 100755 index 0000000000..5f181e44e0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/chainsaw-test.yaml @@ -0,0 +1,28 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: check-statefulset-namespace +spec: + steps: + - name: step-01 + try: + - apply: + file: ns.yaml + - assert: + file: ns.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-03 + try: + - apply: + file: statefulset-pass.yaml + - apply: + expect: + - check: + ($error != null): true + file: statefulset-fail.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/ns.yaml new file mode 100644 index 0000000000..83e1993da7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/ns.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: production +--- +apiVersion: v1 +kind: Namespace +metadata: + name: testing 
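Review bot: The failing case in step-03 only asserts `($error != null): true`, so any rejection of statefulset-fail.yaml — the `testing` namespace not existing yet, the webhook being unreachable under a Fail policy, a quota — satisfies the expectation just as well as the intended policy denial. Chainsaw checks are JMESPath expressions, so matching the policy's own text, e.g. `(contains($error, 'must be created in the')): true`, would tie the failure to the rule (exact syntax to confirm against the chainsaw version in use). The same `($error != null)` pattern is repeated in the other chainsaw-test.yaml files in this change, so fixing it once as a convention is worthwhile.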
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy-assert.yaml new file mode 100644 index 0000000000..d721c304a9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-statefulset-namespace +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy.yaml new file mode 100644 index 0000000000..259b0b8008 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-statefulset-namespace +spec: + validationFailureAction: Enforce + background: false + rules: + - name: statefulset-namespace + match: + any: + - resources: + kinds: + - StatefulSet + validate: + cel: + expressions: + - expression: "namespaceObject.metadata.name == 'production'" + message: "The StatefulSet must be created in the 'production' namespace." diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/statefulset-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/statefulset-fail.yaml new file mode 100644 index 0000000000..90c08772c8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/statefulset-fail.yaml 
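Review bot: The rule matches every `StatefulSet` cluster-wide under `validationFailureAction: Enforce` with no namespace restriction, so for the lifetime of this test any StatefulSet created outside `production` anywhere in the cluster is denied, including ones belonging to other tests if the suite runs them concurrently (I can't tell from here whether it does). Restricting the match to the fixture namespaces, `namespaces: [production, testing]` under `resources`, keeps the test self-contained without changing what it proves. A one-line comment on the expression noting that `namespaceObject` is the Namespace object of the request's namespace (per the Kubernetes admission CEL bindings), not part of the StatefulSet itself, would help readers who have not used the CEL subrule before.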
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: bad-statefulset
+  namespace: testing
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+        - name: container2
+          image: nginx
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/statefulset-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/statefulset-pass.yaml
new file mode 100644
index 0000000000..1f6b372ff1
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/statefulset-pass.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: good-statefulset
+  namespace: production
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+        - name: container2
+          image: nginx
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/README.md
new file mode 100644
index 0000000000..d5fa6cd256
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test creates a policy that uses CEL expressions to disallow host ports in pods.
+
+## Expected Behavior
+
+The pod `pod-fail` is blocked, and the pod `pod-pass` is created.
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/chainsaw-test.yaml
new file mode 100755
index 0000000000..b2e02b4267
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/chainsaw-test.yaml @@ -0,0 +1,22 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-host-port +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: pod-pass.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-fail.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/pod-fail.yaml new file mode 100644 index 0000000000..6fdda0a983 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/pod-fail.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - hostPort: 80 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/pod-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/pod-pass.yaml new file mode 100644 index 0000000000..5c766069f2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/pod-pass.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 80 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy-assert.yaml new file mode 100644 index 0000000000..a53a885448 --- /dev/null 
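Review bot: pod-pass.yaml and pod-fail.yaml both declare a Pod named `webserver` with no namespace, and step-02 applies the pass fixture first, so the second apply is an update of an existing Pod rather than a create; Pod `spec.containers[].ports` is immutable after creation, so the API server itself rejects that update even with no policy installed, and `($error != null): true` cannot tell the two rejections apart. Giving the fixtures distinct names (`name: webserver-pass` / `name: webserver-fail`) makes the failing apply a genuine CREATE, and matching the policy message, e.g. `(contains($error, 'hostPort')): true`, confirms the denial actually came from Kyverno (JMESPath syntax to confirm for the chainsaw version used). As written the test can go green while the policy is silently broken.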
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy.yaml new file mode 100644 index 0000000000..bfefda93de --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Enforce + background: false + rules: + - name: host-port + match: + any: + - resources: + kinds: + - Pod + validate: + cel: + expressions: + - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))" + message: "The fields spec.containers[*].ports[*].hostPort must either be unset or set to `0`" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/README.md new file mode 100644 index 0000000000..038bde1132 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/README.md 
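Review bot: The expression iterates `object.spec.containers` only, so an init container with `ports[].hostPort` set is admitted, which defeats the control because an init container binds a host port the same way an app container does. Covering init containers is a change to the one expression line: `(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : [])).all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))`, with the message extended to mention `spec.initContainers[*].ports[*].hostPort` as well; ephemeral containers are, I believe, added through the pods/ephemeralcontainers subresource and would need a separate match if they are in scope. The `pod-policies.kyverno.io/autogen-controllers: none` annotation also means a Deployment or StatefulSet templating such a Pod is not checked at the controller level — presumably intentional for a Pod-only conformance test, but a comment next to the annotation would save the next reader from wondering.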
@@ -0,0 +1,12 @@ +## Description + +This test validates the use of parameter resources in validate.cel subrule. + +This test creates the following: +1. A cluster-scoped custom resource definition `NamespaceConstraint` +3. A policy that checks the namespace name using the parameter resource. +4. Two namespaces. + +## Expected Behavior + +The namespace `testing-ns` is blocked, and the namespace `production-ns` is created. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/chainsaw-test.yaml new file mode 100755 index 0000000000..8871cb6e51 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/chainsaw-test.yaml @@ -0,0 +1,34 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: clusterscoped +spec: + steps: + - name: step-01 + try: + - apply: + file: crd.yaml + - assert: + file: crd-assert.yaml + - name: step-02 + try: + - apply: + file: namespaceConstraint.yaml + - assert: + file: namespaceConstraint.yaml + - name: step-03 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-04 + try: + - apply: + file: ns-pass.yaml + - apply: + expect: + - check: + ($error != null): true + file: ns-fail.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/crd-assert.yaml new file mode 100644 index 0000000000..e21ee264bf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/crd-assert.yaml 
@@ -0,0 +1,10 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: namespaceconstraints.rules.example.com +status: + acceptedNames: + kind: NamespaceConstraint + plural: namespaceconstraints + storedVersions: + - v1 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/crd.yaml new file mode 100644 index 0000000000..547d191e6c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/crd.yaml @@ -0,0 +1,26 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: namespaceconstraints.rules.example.com +spec: + group: rules.example.com + names: + kind: NamespaceConstraint + plural: namespaceconstraints + scope: Cluster + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + name: + type: string diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/namespaceConstraint.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/namespaceConstraint.yaml new file mode 100644 index 0000000000..65dab27e63 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/namespaceConstraint.yaml @@ -0,0 +1,5 @@ +apiVersion: rules.example.com/v1 +kind: NamespaceConstraint +metadata: + name: "namespace-constraint-test.example.com" +name: "production-ns-01" 
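Review bot: The CRD schema declares `name` as an optional string with no `required` list, so a NamespaceConstraint without that field is accepted by the API server and the policy's `params.name` then has nothing to compare against; as I read it, `parameterNotFoundAction: Deny` covers a missing parameter object, not a missing field, so the outcome depends on how the CEL runtime treats the absent key rather than on anything the test controls. Adding `required: ["name"]` at the top level of `openAPIV3Schema` makes the parameter contract explicit. Structural schemas prune unknown fields, so a misspelled `Name:` in a parameter resource would also be dropped silently rather than rejected; `required` catches that case too.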
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/ns-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/ns-fail.yaml
new file mode 100644
index 0000000000..7d9c90f9f9
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/ns-fail.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: testing-ns-01
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/ns-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/ns-pass.yaml
new file mode 100644
index 0000000000..671093e15b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/ns-pass.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: production-ns-01
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy-assert.yaml
new file mode 100644
index 0000000000..28cee3049a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-namespace-name-01
+status:
+  conditions:
+    - reason: Succeeded
+      status: "True"
+      type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy.yaml new file mode 100644 index 0000000000..ca5716d203 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy.yaml @@ -0,0 +1,25 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-namespace-name-01 +spec: + validationFailureAction: Enforce + background: false + rules: + - name: namespace-name-01 + match: + any: + - resources: + kinds: + - Namespace + validate: + cel: + paramKind: + apiVersion: rules.example.com/v1 + kind: NamespaceConstraint + paramRef: + name: "namespace-constraint-test.example.com" + parameterNotFoundAction: "Deny" + expressions: + - expression: "object.metadata.name == params.name" + messageExpression: "'Namespace name must be ' + params.name" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/README.md new file mode 100644 index 0000000000..6a1dfe495c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/README.md 
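Review bot: The rule matches every `Namespace` in the cluster under `Enforce` and `object.metadata.name == params.name` admits exactly one name, so while the policy exists every other Namespace creation is denied — including the per-test namespaces chainsaw creates for other tests if the suite runs them concurrently with this one (I can't see the runner configuration from here). Limiting the match to the two fixture names, `names: ["production-ns-01", "testing-ns-01"]` under `resources`, proves the same thing without that blast radius. A short comment on `parameterNotFoundAction: "Deny"` saying that a missing NamespaceConstraint fails closed rather than skipping the rule would also help, since that is the property the clusterscoped variant of this test relies on.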
@@ -0,0 +1,12 @@ +## Description + +This test validates the use of parameter resources in validate.cel subrule. + +This test creates the following: +1. A namespaced custom resource definition `NameConstraint` +3. A policy that checks the namespace name using the parameter resource. +4. A namespace `testing`. + +## Expected Behavior + +Since the parameter resource is namespaced-scope and the policy matches cluster-scoped resource `Namespace`, therefore the creation of a namespace is blocked diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/chainsaw-test.yaml new file mode 100755 index 0000000000..86be2ee5e7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/chainsaw-test.yaml @@ -0,0 +1,32 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: match-clusterscoped-resource +spec: + steps: + - name: step-01 + try: + - apply: + file: crd.yaml + - assert: + file: crd-assert.yaml + - name: step-02 + try: + - apply: + file: nameConstraint.yaml + - assert: + file: nameConstraint.yaml + - name: step-03 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-04 + try: + - apply: + expect: + - check: + ($error != null): true + file: ns.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/crd-assert.yaml new file mode 100644 index 0000000000..7c08e10e7e --- /dev/null 
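Review bot: Step-04 expects ns.yaml to fail but asserts only `($error != null): true`, so the test passes just as well if the denial comes from an evaluation error under the policy's failure handling as from the unresolvable namespaced `paramRef` the README describes; matching the denial text with a `contains($error, ...)` check on the parameter-not-found wording Kyverno emits would pin the reason (wording and JMESPath syntax to confirm against the running version). Step-02 applies nameConstraint.yaml, a namespaced NameConstraint whose fixture sets no `namespace`, so it lands in chainsaw's per-test namespace; a comment on that step saying this is deliberate — the policy must not be able to find it — would make the setup readable without the README.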
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/crd-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: nameconstraints.rules.example.com +status: + acceptedNames: + kind: NameConstraint + plural: nameconstraints + storedVersions: + - v1 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/crd.yaml new file mode 100644 index 0000000000..ed6ad995e7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/crd.yaml @@ -0,0 +1,26 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: nameconstraints.rules.example.com +spec: + group: rules.example.com + names: + kind: NameConstraint + plural: nameconstraints + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + name: + type: string diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/nameConstraint.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/nameConstraint.yaml new file mode 100644 index 0000000000..dd46254c5f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/nameConstraint.yaml 
@@ -0,0 +1,5 @@ +apiVersion: rules.example.com/v1 +kind: NameConstraint +metadata: + name: "name-constraint-test.example.com" +name: "default" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/ns.yaml new file mode 100644 index 0000000000..dadddb459a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: testing-01 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy-assert.yaml new file mode 100644 index 0000000000..a540add3b7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-namespace-name-02 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml new file mode 100644 index 0000000000..e926bcc125 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml 
@@ -0,0 +1,25 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-namespace-name-02 +spec: + validationFailureAction: Enforce + background: false + rules: + - name: namespace-name-02 + match: + any: + - resources: + kinds: + - Namespace + validate: + cel: + paramKind: + apiVersion: rules.example.com/v1 + kind: NameConstraint + paramRef: + name: "name-constraint-test.example.com" + parameterNotFoundAction: "Deny" + expressions: + - expression: "object.metadata.name == params.name" + messageExpression: "'Namespace name must be ' + params.name" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/README.md new file mode 100644 index 0000000000..55c0594938 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/README.md @@ -0,0 +1,13 @@ +## Description + +This test validates the use of parameter resources in validate.cel subrule. + +This test creates the following: +1. A namespace `test-params` +2. A namespaced custom resource definition `ReplicaLimit` +3. A policy that checks the deployment replicas using the parameter resource. The `validate.cel.paramRef.namespace` is set. +4. Two deployments. + +## Expected Behavior + +The deployment `deployment-fail` is blocked, and the deployment `deployment-pass` is created. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml new file mode 100755 index 0000000000..30669f7f89 --- /dev/null 
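Review bot: Nothing in the policy says why `paramRef.namespace` is left unset, and a reader "fixing" that omission would silently break the test; a comment above `paramRef` such as `# namespace intentionally unset: NameConstraint is namespaced and the matched kind (Namespace) is cluster-scoped, so the parameter can never be resolved and parameterNotFoundAction=Deny must reject every Namespace` records the intent next to the code. As with the sibling clusterscoped policy, the match is cluster-wide under `Enforce`, so every Namespace creation in the cluster is denied for the lifetime of the test; scoping `match` with `names: ["testing-01"]` proves the same thing with less impact on any tests running alongside (whether they do, I can't tell from here).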
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml @@ -0,0 +1,40 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: set-paramref-namespace +spec: + steps: + - name: step-01 + try: + - apply: + file: ns.yaml + - assert: + file: ns.yaml + - name: step-02 + try: + - apply: + file: crd.yaml + - assert: + file: crd-assert.yaml + - name: step-03 + try: + - apply: + file: replicaLimit.yaml + - assert: + file: replicaLimit.yaml + - name: step-04 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-05 + try: + - apply: + file: deployment-pass.yaml + - apply: + expect: + - check: + ($error != null): true + file: deployment-fail.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/crd-assert.yaml new file mode 100644 index 0000000000..50c84516f6 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/crd-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: deploymentreplicalimits.rules.example.com +status: + acceptedNames: + kind: DeploymentReplicaLimit + plural: deploymentreplicalimits + storedVersions: + - v1 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/crd.yaml new file mode 100644 index 0000000000..b5dfd371f1 --- /dev/null 
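Review bot: The README in this change says the test creates a namespace `test-params`, but step-01 applies ns.yaml, which creates `testing-02`, and the policy's `paramRef.namespace` is `testing-02` as well; one side should be corrected so the docs match the fixtures. The Deployments in step-05 carry no namespace, so they are created in chainsaw's per-test namespace while the DeploymentReplicaLimit lives in `testing-02` — that cross-namespace parameter lookup is the point of the test and deserves a one-line comment on step-05. As elsewhere, `($error != null): true` accepts any apply error; a `(contains($error, 'replicas')): true` style check (syntax to confirm for the chainsaw version) would tie the failure to the policy.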
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/crd.yaml @@ -0,0 +1,26 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: deploymentreplicalimits.rules.example.com +spec: + group: rules.example.com + names: + kind: DeploymentReplicaLimit + plural: deploymentreplicalimits + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + maxReplicas: + type: integer \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/deployment-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/deployment-fail.yaml new file mode 100644 index 0000000000..cc24bd227a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/deployment-fail.yaml @@ -0,0 +1,17 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-fail +spec: + replicas: 4 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/deployment-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/deployment-pass.yaml new file mode 100644 index 0000000000..19f9b25db0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/deployment-pass.yaml 
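Review bot: `maxReplicas` is optional in the CRD schema (no `required`, no `minimum`), so a DeploymentReplicaLimit with the field omitted or negative is accepted by the API server, and the policy's `object.spec.replicas <= params.maxReplicas` then either errors on a missing key or denies every Deployment, neither of which this test exercises; `required: ["maxReplicas"]` at the top level plus `minimum: 0` on the property makes the parameter contract enforceable where it belongs. The file also ends without a trailing newline (`\ No newline at end of file`), which most sibling fixtures in this change avoid.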
@@ -0,0 +1,17 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-pass +spec: + replicas: 2 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/ns.yaml new file mode 100644 index 0000000000..31556c7dcb --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: testing-02 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy-assert.yaml new file mode 100644 index 0000000000..d94b5b3f4f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-deployment-replicas-01 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy.yaml new file mode 100644 index 0000000000..ab29121404 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-deployment-replicas-01 +spec: + validationFailureAction: Enforce + background: false + rules: + - name: deployment-replicas-01 + match: + any: + - resources: + kinds: + - Deployment + validate: + cel: + paramKind: + apiVersion: rules.example.com/v1 + kind: DeploymentReplicaLimit + paramRef: + name: "replica-limit" + namespace: "testing-02" + parameterNotFoundAction: "Deny" + expressions: + - expression: "object.spec.replicas <= params.maxReplicas" + messageExpression: "'Deployment spec.replicas must be less than ' + string(params.maxReplicas)" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/replicaLimit.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/replicaLimit.yaml new file mode 100644 index 0000000000..0563910919 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/replicaLimit.yaml @@ -0,0 +1,6 @@ +apiVersion: rules.example.com/v1 +kind: DeploymentReplicaLimit +metadata: + name: "replica-limit" + namespace: testing-02 +maxReplicas: 3 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/README.md new file mode 100644 index 0000000000..4b7d700d5d --- /dev/null 
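Review bot: The `messageExpression` in `policy.yaml` says `'... must be less than ' + string(params.maxReplicas)` while the `expression` enforces `object.spec.replicas <= params.maxReplicas`, so a denied user is told the bound is exclusive when it is inclusive; `'Deployment spec.replicas must not exceed ' + string(params.maxReplicas)` matches the rule. The StatefulSet variant in the `unset-paramref-namespace/policy.yaml` hunk has the same mismatch. `parameterNotFoundAction: "Deny"` is the right fail-closed choice for a parameterised admission rule and pairs with the explicit `namespace: "testing-02"` in `paramRef`; a one-line comment above `paramRef` saying that this test covers the set-namespace path would help a reader tell it apart from the unset-namespace sibling.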
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/README.md @@ -0,0 +1,13 @@ +## Description + +This test validates the use of parameter resources in validate.cel subrule. + +This test creates the following: +1. A namespace `test-params` +2. A namespaced custom resource definition `ReplicaLimit` +3. A policy that checks the statefulset replicas using the parameter resource. The `validate.cel.paramRef.namespace` is unset so it is expected to retrieve the parameter resource from the statefulset's namespace +4. Two statefulsets. + +## Expected Behavior + +The statefulset `statefulset-fail` is blocked, and the statefulset `statefulset-pass` is created. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml new file mode 100755 index 0000000000..cf831afab8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml @@ -0,0 +1,40 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: unset-paramref-namespace +spec: + steps: + - name: step-01 + try: + - apply: + file: ns.yaml + - assert: + file: ns.yaml + - name: step-02 + try: + - apply: + file: crd.yaml + - assert: + file: crd-assert.yaml + - name: step-03 + try: + - apply: + file: replicaLimit.yaml + - assert: + file: replicaLimit.yaml + - name: step-04 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-05 + try: + - apply: + file: statefulset-pass.yaml + - apply: + expect: + - check: + ($error != null): true + file: statefulset-fail.yaml 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/crd-assert.yaml new file mode 100644 index 0000000000..072eae7097 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/crd-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: statefulsetreplicalimits.rules.example.com +status: + acceptedNames: + kind: StatefulSetReplicaLimit + plural: statefulsetreplicalimits + storedVersions: + - v1 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/crd.yaml new file mode 100644 index 0000000000..8e6d82a99b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/crd.yaml @@ -0,0 +1,26 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: statefulsetreplicalimits.rules.example.com +spec: + group: rules.example.com + names: + kind: StatefulSetReplicaLimit + plural: statefulsetreplicalimits + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + maxReplicas: + type: integer \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/ns.yaml new file mode 100644 index 0000000000..1e4f718efa --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-params \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy-assert.yaml new file mode 100644 index 0000000000..3f2481450a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-statefulset-replicas +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml new file mode 100644 index 0000000000..8f0ed08d44 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml 
@@ -0,0 +1,25 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-statefulset-replicas +spec: + validationFailureAction: Enforce + background: false + rules: + - name: statefulset-replicas + match: + any: + - resources: + kinds: + - StatefulSet + validate: + cel: + paramKind: + apiVersion: rules.example.com/v1 + kind: StatefulSetReplicaLimit + paramRef: + name: "replica-limit-test.example.com" + parameterNotFoundAction: "Deny" + expressions: + - expression: "object.spec.replicas <= params.maxReplicas" + messageExpression: "'StatefulSet spec.replicas must be less than ' + string(params.maxReplicas)" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/replicaLimit.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/replicaLimit.yaml new file mode 100644 index 0000000000..2cb6b3c48e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/replicaLimit.yaml @@ -0,0 +1,6 @@ +apiVersion: rules.example.com/v1 +kind: StatefulSetReplicaLimit +metadata: + name: "replica-limit-test.example.com" + namespace: test-params +maxReplicas: 3 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/statefulset-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/statefulset-fail.yaml new file mode 100644 index 0000000000..b880940cb7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/statefulset-fail.yaml 
@@ -0,0 +1,18 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: statefulset-fail + namespace: test-params +spec: + replicas: 4 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/statefulset-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/statefulset-pass.yaml new file mode 100644 index 0000000000..18b3b9cad0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/statefulset-pass.yaml @@ -0,0 +1,18 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: statefulset-pass + namespace: test-params +spec: + replicas: 2 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml index 6afcf2b5bc..66f0c9e98d 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-port spec: - validationFailureAction: Enforce background: false rules: - name: host-port @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce cel: expressions: - expression: "authorizer.serviceAccount('default', 'test-account').group('').resource('pods').namespace('default').check('delete').allowed()" 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml index 662dc2ea9e..974805b88a 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-deployment-replicas-1 spec: - validationFailureAction: Enforce background: false rules: - name: deployment-replicas @@ -13,6 +12,7 @@ spec: kinds: - Deployment validate: + validationFailureAction: Enforce cel: expressions: - expression: "authorizer.serviceAccount('default', 'test-account-1').group('apps').resource('deployments').namespace('default').check('delete').allowed()" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml index fe4ebfdb42..6077f42fff 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-port-range spec: - validationFailureAction: Enforce background: false rules: - name: host-port-range @@ -16,6 +15,7 @@ spec: - name: "first match condition in CEL" expression: "object.metadata.name.matches('nginx-pod')" validate: + validationFailureAction: Enforce cel: expressions: - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))" 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml index e1274adcdf..9570aeb63d 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: image-matches-namespace-environment.policy.example.com spec: - validationFailureAction: Enforce background: false rules: - name: image-matches-namespace-environment @@ -13,6 +12,7 @@ spec: kinds: - Deployment validate: + validationFailureAction: Enforce cel: variables: - name: environment diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml index 259b0b8008..35f274b711 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-statefulset-namespace spec: - validationFailureAction: Enforce background: false rules: - name: statefulset-namespace @@ -13,6 +12,7 @@ spec: kinds: - StatefulSet validate: + validationFailureAction: Enforce cel: expressions: - expression: "namespaceObject.metadata.name == 'production'" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml index bfefda93de..71ec477511 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Enforce background: false rules: - name: host-port @@ -15,6 +14,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce cel: expressions: - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml index ca5716d203..ed00dbbc6a 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-namespace-name-01 spec: - validationFailureAction: Enforce background: false rules: - name: namespace-name-01 @@ -13,6 +12,7 @@ spec: kinds: - Namespace validate: + validationFailureAction: Enforce cel: paramKind: apiVersion: rules.example.com/v1 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml index e926bcc125..990c1c7cb0 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-namespace-name-02 spec: - validationFailureAction: Enforce background: false rules: - name: namespace-name-02 @@ -13,6 +12,7 @@ spec: kinds: - Namespace validate: + validationFailureAction: Enforce cel: paramKind: apiVersion: rules.example.com/v1 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml index ab29121404..74a7638ef3 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-deployment-replicas-01 spec: - validationFailureAction: Enforce background: false rules: - name: deployment-replicas-01 @@ -13,6 +12,7 @@ spec: kinds: - Deployment validate: + validationFailureAction: Enforce cel: paramKind: apiVersion: rules.example.com/v1 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml index 8f0ed08d44..7a772f313e 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-statefulset-replicas spec: - validationFailureAction: Enforce background: false rules: - name: statefulset-replicas 
@@ -13,6 +12,7 @@ spec: kinds: - StatefulSet validate: + validationFailureAction: Enforce cel: paramKind: apiVersion: rules.example.com/v1 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/README.md new file mode 100644 index 0000000000..bb85c86815 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/README.md @@ -0,0 +1,4 @@ +## Description + +This test creates a policy to deny the creation of ephemeral containers. +The policy is targeting `Pod` (we implicitly add the `ephemeralcontainers` subresource) and calls `kubectl debug`, the call is expected to fail. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/chainsaw-test.yaml new file mode 100755 index 0000000000..7d46a42648 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/chainsaw-test.yaml @@ -0,0 +1,22 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: with-pod +spec: + steps: + - name: step-01 + try: + - apply: + file: resources.yaml + - name: step-02 + try: + - apply: + file: policies.yaml + - assert: + file: policies-assert.yaml + - name: step-03 + try: + - script: + content: "if kubectl debug --image=busybox foo\nthen \n exit 1\nelse \n exit + 0\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/policies-assert.yaml new file mode 100644 index 0000000000..48784ef1f8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/policies-assert.yaml 
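Review bot: The step-03 script in `chainsaw-test.yaml` treats any non-zero exit of `kubectl debug --image=busybox foo` as success, so the test passes if the command fails for an unrelated reason (pod `foo` not found because the kubeconfig's current namespace is not `default`, a flag or image error, an unavailable webhook) rather than because `block-ephemeral-containers` denied it. Matching the denial text, which names the policy, attributes the failure to the rule, and a literal block scalar reads better than the folded double-quoted string with embedded `\n`. The same script is repeated in the `with-subresource` and `with-wildcard` `chainsaw-test.yaml` hunks. Whether chainsaw sets the kubectl context namespace for `script` steps is not visible here; passing `-n default` explicitly removes that dependency.

```yaml
      - script:
          content: |
            if kubectl debug -n default --image=busybox foo 2>&1 | grep -q 'block-ephemeral-containers'; then
              exit 0
            fi
            echo "kubectl debug was not denied by the policy" >&2
            exit 1
```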
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-ephemeral-containers +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/policies.yaml new file mode 100644 index 0000000000..94220c6ad6 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/policies.yaml @@ -0,0 +1,18 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-ephemeral-containers + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Enforce + background: false + rules: + - name: deny-debug + match: + any: + - resources: + kinds: + - Pod + validate: + deny: {} diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/resources.yaml new file mode 100644 index 0000000000..4b440e5b4e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/resources.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: foo + namespace: default +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/README.md new file mode 100644 index 0000000000..4c814b16c3 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/README.md 
@@ -0,0 +1,4 @@ +## Description + +This test creates a policy to deny the creation of ephemeral containers. +The policy is targeting `Pod/ephemeralcontainers` and calls `kubectl debug`, the call is expected to fail. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/chainsaw-test.yaml new file mode 100755 index 0000000000..db6a36fb63 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/chainsaw-test.yaml @@ -0,0 +1,22 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: with-subresource +spec: + steps: + - name: step-01 + try: + - apply: + file: policies.yaml + - assert: + file: policies-assert.yaml + - name: step-02 + try: + - apply: + file: resources.yaml + - name: step-03 + try: + - script: + content: "if kubectl debug --image=busybox foo\nthen \n exit 1\nelse \n exit + 0\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/policies-assert.yaml new file mode 100644 index 0000000000..48784ef1f8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/policies-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-ephemeral-containers +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/policies.yaml new file mode 100644 index 0000000000..66d75f0f55 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/policies.yaml @@ -0,0 +1,18 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-ephemeral-containers + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Enforce + background: false + rules: + - name: deny-debug + match: + any: + - resources: + kinds: + - Pod/ephemeralcontainers + validate: + deny: {} diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/resources.yaml new file mode 100644 index 0000000000..4b440e5b4e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/resources.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: foo + namespace: default +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/README.md new file mode 100644 index 0000000000..bb288e3ae2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/README.md @@ -0,0 +1,4 @@ +## Description + +This test creates a policy to deny the creation of ephemeral containers. +The policy is targeting `*/ephemeralcontainers` and calls `kubectl debug`, the call is expected to fail. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/chainsaw-test.yaml new file mode 100755 index 0000000000..fed5f91565 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/chainsaw-test.yaml @@ -0,0 +1,22 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: with-wildcard +spec: + steps: + - name: step-01 + try: + - apply: + file: policies.yaml + - assert: + file: policies-assert.yaml + - name: step-02 + try: + - apply: + file: resources.yaml + - name: step-03 + try: + - script: + content: "if kubectl debug --image=busybox foo\nthen \n exit 1\nelse \n exit + 0\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/policies-assert.yaml new file mode 100644 index 0000000000..48784ef1f8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/policies-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-ephemeral-containers +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/policies.yaml new file mode 100644 index 0000000000..64f4b261a1 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/policies.yaml @@ -0,0 +1,18 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-ephemeral-containers + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Enforce + background: false + rules: + - name: deny-debug + match: + any: + - resources: + kinds: + - '*/ephemeralcontainers' + validate: + deny: {} 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/resources.yaml new file mode 100644 index 0000000000..4b440e5b4e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/resources.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: foo + namespace: default +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies.yaml index 94220c6ad6..b4fef7946e 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Enforce background: false rules: - name: deny-debug @@ -15,4 +14,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml index 66d75f0f55..a713028658 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Enforce background: false rules: - name: deny-debug @@ -15,4 +14,5 @@ spec: kinds: - Pod/ephemeralcontainers validate: + validationFailureAction: Enforce deny: {} 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml index 64f4b261a1..bc486918ad 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Enforce background: false rules: - name: deny-debug @@ -15,4 +14,5 @@ spec: kinds: - '*/ephemeralcontainers' validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/README.md new file mode 100644 index 0000000000..5d33f76a12 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/README.md @@ -0,0 +1,3 @@ +# Evicting pod with label 'evict=false' is forbidden + +Validate test to check that a pod with label 'evict=false' cannot be evicted. Related issue https://github.com/kyverno/kyverno/issues/4313 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/api-initiated-eviction.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/api-initiated-eviction.sh new file mode 100755 index 0000000000..1faa823630 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/api-initiated-eviction.sh 
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -eu
+
+kubectl proxy &
+proxy_pid=$!
+echo $proxy_pid
+
+function cleanup {
+ echo "killing kubectl proxy" >&2
+ kill $proxy_pid
+}
+
+attempt_counter=0
+max_attempts=5
+
+until curl --output /dev/null -fsSL http://localhost:8001/; do
+ if [ ${attempt_counter} -eq ${max_attempts} ];then
+ echo "Max attempts reached"
+ exit 1
+ fi
+
+ attempt_counter=$((attempt_counter+1))
+ sleep 5
+done
+
+if curl -v -H 'Content-type: application/json' \
+ http://localhost:8001/api/v1/namespaces/test-validate/pods/nginx/eviction -d @eviction.json 2>&1 | grep -q "Evicting Pods protected with the label 'evict=false' is forbidden"; then
+ echo "Test succeeded. Resource was not evicted."
+ trap cleanup EXIT
+ exit 0
+else
+ echo "Tested failed. Resource was evicted."
+ trap cleanup EXIT
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-1.yaml
new file mode 100755
index 0000000000..ddccd1ac34
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-validate
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml
new file mode 100755
index 0000000000..8d4c08681d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml
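Review bot: `trap cleanup EXIT` is only installed inside the final if/else of api-initiated-eviction.sh, so when the readiness loop gives up (`exit 1` after max_attempts) or `set -eu` aborts earlier, the backgrounded `kubectl proxy` is never killed and an unauthenticated proxy to the API server stays listening on localhost:8001 after the test. Install the trap as soon as the pid is known, `proxy_pid=$!` followed by `trap cleanup EXIT`, and drop the two trap lines from the branches. The `2>&1 | grep -q` test also reports any transport failure (proxy not up, wrong path) as "Resource was evicted", so a separate check of curl's exit status, or of the HTTP status code, would tell a denied eviction apart from a request that never reached the API server.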
@@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-evict-by-pod-label +spec: + background: false + rules: + - context: + - apiCall: + jmesPath: metadata.labels.evict + urlPath: /api/v1/namespaces/{{request.namespace}}/pods/{{request.name}} + name: podevictlabel + match: + resources: + kinds: + - Pod/eviction + name: deny-evict-by-label + validate: + deny: + conditions: + all: + - key: '{{ podevictlabel }}' + operator: Equals + value: "false" + message: Evicting Pods protected with the label 'evict=false' is forbidden. + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-3.yaml new file mode 100755 index 0000000000..bdddc0e4f5 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-3.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + app: nginx + evict: "false" + tier: frontend + name: nginx + namespace: test-validate +spec: + containers: + - image: nginx + name: nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 0000000000..f2887a6ccb --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-evict-by-pod-label +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-test.yaml new file mode 100755 index 0000000000..1f3694dd7d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: api-initiated-pod-eviction +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - apply: + file: chainsaw-step-01-apply-1-2.yaml + - apply: + file: chainsaw-step-01-apply-1-3.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - name: step-02 + try: + - sleep: + duration: 5s + - script: + content: ./api-initiated-eviction.sh + timeout: 30s diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/eviction.json b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/eviction.json new file mode 100644 index 0000000000..48976c7434 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/eviction.json @@ -0,0 +1,8 @@ +{ + "apiVersion": "policy/v1", + "kind": "Eviction", + "metadata": { + "name": "nginx", + "namespace": "test-validate" + } +} \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/README.md new file mode 100644 index 0000000000..21f5680036 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/README.md 
@@ -0,0 +1,3 @@ +# Exec'ing into a pod + +Validate test to ensure pods with label `exec=false` cannot be exec'ed into. \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 0000000000..ddccd1ac34 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-validate diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml new file mode 100755 index 0000000000..84df326e27 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml 
@@ -0,0 +1,40 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + policies.kyverno.io/category: Sample + policies.kyverno.io/description: The 'exec' command may be used to gain shell + access, or run other commands, in a Pod's container. While this can be useful + for troubleshooting purposes, it could represent an attack vector and is discouraged. + This policy blocks Pod exec commands to Pods having the label 'exec=false'. + policies.kyverno.io/minversion: 1.4.2 + policies.kyverno.io/subject: Pod + policies.kyverno.io/title: Block Pod Exec by Pod Label + name: deny-exec-by-pod-label +spec: + background: false + rules: + - context: + - apiCall: + jmesPath: metadata.labels.exec + urlPath: /api/v1/namespaces/{{request.namespace}}/pods/{{request.name}} + name: podexeclabel + match: + resources: + kinds: + - Pod/exec + name: deny-exec-by-label + preconditions: + all: + - key: '{{ request.operation }}' + operator: Equals + value: CONNECT + validate: + deny: + conditions: + all: + - key: '{{ podexeclabel }}' + operator: Equals + value: "false" + message: Exec'ing into Pods protected with the label 'exec=false' is forbidden. + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-3.yaml new file mode 100755 index 0000000000..80f8c34db6 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-3.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + app: nginx + exec: "false" + tier: frontend + name: nginx + namespace: test-validate +spec: + containers: + - image: nginx + name: nginx 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-assert-1-1.yaml
new file mode 100755
index 0000000000..29794ca537
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-exec-by-pod-label
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-test.yaml
new file mode 100755
index 0000000000..6ec23e22d2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: block-pod-exec-requests
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-2.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-3.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - name: step-02
+ try:
+ - script:
+ content: kubectl -n test-validate exec nginx -it -- sh
+ check:
+ # This check below ensures that the string "Exec'ing into Pods protected with the label 'exec=false' is forbidden" isn't found in stderr or else fails
+ (contains($stderr, 'Exec\'ing into Pods protected with the label \'exec=false\' is forbidden')): false
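Review bot: The check on the last line of chainsaw-test.yaml asserts that the deny message is absent from stderr, which is the opposite of what the README (a pod labelled `exec=false` cannot be exec'ed into) and the policy's Enforce action call for; unless chainsaw evaluates `check` differently from what the inline comment states, a correctly blocked exec makes this step fail and an unblocked one makes it pass. If the intent is to confirm the denial, the assertion should read `(contains($stderr, 'Exec\'ing into Pods protected with the label \'exec=false\' is forbidden')): true` with `($error != null): true` beside it. The `-it` flags also make kubectl emit a TTY warning on stderr when the step runs without a terminal, so `kubectl -n test-validate exec nginx -- sh -c true` keeps stderr limited to the admission response.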
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/README.md new file mode 100644 index 0000000000..cfff4ae394 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/README.md @@ -0,0 +1,20 @@ +# ## Description + +This test validates that a policy blocking scaling using `Deployment/scale` resource can be bypassed using `PolicyException`. + +## Expected Behavior + +The `Deployment` is scaled. + +## Steps + +### Test Steps + +1. Create a `ClusterPolicy` that matches on `Deployment/scale` and blocks scaling the `Deployment`. +2. Create a `Deployment` with the number of replicas allowed in the policy. +3. Create a `PolicyException` for the above mentioned policy. +4. Validate that the `Deployment` is scaled. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/5804 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 0000000000..ddccd1ac34 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-validate 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml new file mode 100755 index 0000000000..dbc2c6a063 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml @@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: nginx-test-scaling-policy +spec: + background: false + failurePolicy: Fail + rules: + - match: + resources: + kinds: + - Deployment/scale + names: + - nginx-test + namespaces: + - test-validate + name: validate-nginx-test + validate: + message: nginx-test needs to have 2 replicas + pattern: + spec: + replicas: 2 + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-3.yaml new file mode 100755 index 0000000000..c092e98eb6 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-3.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nginx-test + name: nginx-test + namespace: test-validate +spec: + replicas: 2 + selector: + matchLabels: + app: nginx-test + template: + metadata: + labels: + app: nginx-test + spec: + containers: + - image: nginx + name: nginx 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml new file mode 100755 index 0000000000..86b6844742 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml @@ -0,0 +1,17 @@ +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: allow-scaling-nginx-test + namespace: test-validate +spec: + exceptions: + - policyName: nginx-test-scaling-policy + ruleNames: + - validate-nginx-test + match: + any: + - resources: + kinds: + - Deployment/scale + names: + - nginx-test diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 0000000000..31d63d44d0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: nginx-test-scaling-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-2.yaml new file mode 100755 index 0000000000..5d32750add --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-2.yaml @@ -0,0 +1,9 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nginx-test + name: nginx-test + namespace: test-validate +status: + replicas: 2 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml new file mode 100755 index 0000000000..86b6844742 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml @@ -0,0 +1,17 @@ +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: allow-scaling-nginx-test + namespace: test-validate +spec: + exceptions: + - policyName: nginx-test-scaling-policy + ruleNames: + - validate-nginx-test + match: + any: + - resources: + kinds: + - Deployment/scale + names: + - nginx-test diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-test.yaml new file mode 100755 index 0000000000..7d94ed81b8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-test.yaml 
@@ -0,0 +1,30 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: bypass-with-policy-exception
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-2.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-3.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-4.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-2.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-3.yaml
+ - name: step-02
+ try:
+ - script:
+ content: kubectl scale deployment nginx-test --replicas=1 -n test-validate
+ check:
+ # This check below ensures that the string "nginx-test needs to have 2 replicas" isn't found in stderr or else fails
+ (contains($stderr, 'nginx-test needs to have 2 replicas')): false
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/README.md
new file mode 100644
index 0000000000..23387c1a82
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test mainly verifies that the JMESPath path for x509decode works for CSR does work properly.
+
+## Expected Behavior
+
+1. A policy is created to check Certificate Signing Requests and a policy that adds labels to the CSR.
+2. A CSR Resource is created and it is verified that it has the same labels.
+
+## Reference Issue(s)
+
+5858
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/chainsaw-test.yaml
new file mode 100755
index 0000000000..5bbb7aa517
--- /dev/null
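Review bot: The step-02 check in chainsaw-test.yaml only asserts that the policy message is absent from stderr, so any other failure of `kubectl scale` (RBAC, a wrong deployment name, an unreachable API server) also passes the step, and nothing verifies that the scale took effect. Add `($error == null): true` to the check, and consider a follow-up assert file on the Deployment with `spec: replicas: 1` so the bypass is positively confirmed rather than inferred from a missing string.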
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/chainsaw-test.yaml @@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: csr +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: csr.yaml + - assert: + file: csr-mutated.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/csr-mutated.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/csr-mutated.yaml new file mode 100644 index 0000000000..8a5b69b557 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/csr-mutated.yaml @@ -0,0 +1,6 @@ +apiVersion: certificates.k8s.io/v1 +kind: CertificateSigningRequest +metadata: + name: myuser + labels: + name: angela diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/csr.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/csr.yaml new file mode 100644 index 0000000000..6c18b6fad5 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/csr.yaml @@ -0,0 +1,10 @@ +apiVersion: certificates.k8s.io/v1 +kind: CertificateSigningRequest +metadata: + name: myuser +spec: + request: 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 + signerName: kubernetes.io/kube-apiserver-client + expirationSeconds: 86400 + usages: + - client auth \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/policy-ready.yaml new file mode 100644 index 0000000000..21b61984d3 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/policy-ready.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-csr +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-csr +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/policy.yaml new file mode 100644 index 0000000000..8d0d254101 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/policy.yaml @@ -0,0 +1,46 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: validate-csr +spec: + background: false + validationFailureAction: Enforce + rules: + - name: csr + match: + any: + - resources: + kinds: + - CertificateSigningRequest + validate: + message: >- + CSR created by {{ request.userInfo | to_string(@) }} + with ClusterRoles {{ request.clusterRoles | to_string(@) }} + and Roles {{ request.roles | to_string(@) }}. + Subjects and groups requested are "{{ x509_decode(base64_decode(request.object.spec.request)).Subject | to_string(@) }}" + deny: + conditions: + any: + - key: "{{ x509_decode(base64_decode(request.object.spec.request)).Subject.CommonName }}" + operator: NotEquals + value: "angela" +--- +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: mutate-csr +spec: + background: false + validationFailureAction: Enforce + rules: + - name: csr + match: + any: + - resources: + kinds: + - CertificateSigningRequest + mutate: + patchStrategicMerge: + metadata: + labels: + name: "{{ x509_decode(base64_decode(request.object.spec.request)).Subject.CommonName | to_string(@) }}" \ No newline at end of file 
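Review bot: The mutate-csr rule in policy.yaml copies the CSR's Subject.CommonName straight into `metadata.labels.name`, a value chosen by whoever submits the CSR; Kubernetes only accepts label values of at most 63 characters from its label-value grammar, so a CN with spaces or other characters outside that grammar produces an invalid patched object and the API server, not the policy, rejects the request. That is fine for a fixture with a fixed CN, but it deserves a comment above the label line, e.g. `# CN is request-controlled; values outside the label grammar make the mutation fail`. A smaller nit: `validationFailureAction: Enforce` is also set on mutate-csr, which has no validate rule, so it appears to have no effect there.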
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/README.md new file mode 100644 index 0000000000..b80a445992 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/README.md @@ -0,0 +1,15 @@ +## Description + +This test mainly verifies that an enforce validate policy does not block changes in old objects that were present before policy was created + +## Expected Behavior + +1. A pod is created that violates the policy. +2. The policy is applied. +3. A pod is created that follows the policy. +4. Violating changes on bad pad does not cause error. +5. Violating changes in good pod causes error. +6. The bad pod once passed the policy, will be tracked by the policy and return error on bad changes. +## Reference Issue(s) + +8837 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod-ready.yaml new file mode 100644 index 0000000000..8f64ef5e24 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod-ready.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod + namespace: default diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod-update-test.sh new file mode 100755 index 0000000000..6521f19d1c --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po badpod foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test failed, updating violating preexisting resource should not throw error"
+ exit 1
+else
+ echo "Test succeed, updating violating preexisting resource does not throw error"
+ exit 0
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod.yaml
new file mode 100644
index 0000000000..49031dc2f8
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod
+ namespace: default
+ labels:
+ foo: bad
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/chainsaw-test.yaml
new file mode 100755
index 0000000000..8074137604
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/chainsaw-test.yaml
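Review bot: bad-pod-update-test.sh has no shebang and no `set` options, and `kubectl label po badpod` names no namespace while bad-pod.yaml pins the pod to `default`; if the runner's kubeconfig context points at another namespace, kubectl answers "not found", which does not match the grep, and the script reports success for a pod it never touched. Start the file with `#!/usr/bin/env bash` and `set -eu`, and use `kubectl -n default label po badpod foo=bad1 --overwrite` on the first line. The same applies to good-pod-update-test.sh and update-bad-pod-to-comply.sh later in this diff, where the first `kubectl label po badpod foo=bar --overwrite` call's result is additionally left unchecked.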
@@ -0,0 +1,40 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: enforce-validate-existing +spec: + steps: + - name: step-01 + try: + - apply: + file: bad-pod.yaml + - assert: + file: bad-pod-ready.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - apply: + file: good-pod.yaml + - assert: + file: good-pod-ready.yaml + - name: step-04 + try: + - script: + content: ./bad-pod-update-test.sh + timeout: 30s + - name: step-05 + try: + - script: + content: ./good-pod-update-test.sh + timeout: 30s + - name: step-06 + try: + - script: + content: ./update-bad-pod-to-comply.sh + timeout: 30s diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod-ready.yaml new file mode 100644 index 0000000000..210e0fb885 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod-ready.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod + namespace: default diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod-update-test.sh new file mode 100755 index 0000000000..6e7187cf91 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod-update-test.sh 
@@ -0,0 +1,8 @@
+if kubectl label po goodpod foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod.yaml
new file mode 100644
index 0000000000..3c10e0b7dc
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod
+ namespace: default
+ labels:
+ foo: bar
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/policy-ready.yaml
new file mode 100644
index 0000000000..100a267bab
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/policy-ready.yaml
@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/policy.yaml
new file mode 100644
index 0000000000..2393c4e79d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: check-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ pattern:
+ metadata:
+ labels:
+ =(foo): "bar"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/update-bad-pod-to-comply.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/update-bad-pod-to-comply.sh
new file mode 100755
index 0000000000..9d44d8851d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/update-bad-pod-to-comply.sh
@@ -0,0 +1,9 @@
+kubectl label po badpod foo=bar --overwrite
+if kubectl label po badpod foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/README.md
new file mode 100644
index 0000000000..6a01cc0c6b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test verifies that when failurePolicy is set to to Ignore for a policy that was set to Enforce, Admission webhook denies requests when validation of a resource fails. The error should not get consumed by ignore failurePolicy
+
+## Expected Behavior
+
+The pod should be not created.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/8916
\ No newline at end of file 
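Review bot: In update-bad-pod-to-comply.sh the first command `kubectl label po badpod foo=bar --overwrite` is never checked, so if that compliance update is rejected for any reason the script still proceeds to the `foo=bad1` update; under the `=(foo): "bar"` pattern that update is denied for the pod's original violation anyway, grep matches, and the step reports success without having exercised the compliant-then-violating sequence it is meant to cover. Guarding the first command with `kubectl label po badpod foo=bar --overwrite || { echo "Test failed, could not make badpod compliant"; exit 1; }` makes the precondition explicit. As in good-pod-update-test.sh, the pod is addressed without `-n`, so the namespace comes from the current context.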
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/chainsaw-test.yaml
new file mode 100755
index 0000000000..42b6c480b8
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/chainsaw-test.yaml
@@ -0,0 +1,20 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: failure-policy-ignore-anchor
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/pod.yaml
new file mode 100644
index 0000000000..472296498a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/pod.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: disallow-annotations-example
+ namespace: default
+ annotations:
+ kyverno-policies-test/key: disallowed
+spec:
+ containers:
+ - name: example
+ image: busybox
+ args: ["sleep", "infinity"]
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/policy-assert.yaml
new file mode 100644
index 0000000000..d884d82d65
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/policy-assert.yaml 
@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-annotations
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/policy.yaml
new file mode 100644
index 0000000000..eed8b5fc16
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/policy.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-annotations
+spec:
+ background: true
+ failurePolicy: Ignore
+ rules:
+ - match:
+ all:
+ - resources:
+ kinds:
+ - Pod
+ name: disallow-annotations
+ validate:
+ message: One or more annotations is not allowed per the policies disallowed
+ values list.
+ pattern:
+ metadata:
+ =(annotations):
+ =(kyverno-policies-test/key): '!disallowed'
+ X(kyverno-policies-test/disallowed): "null"
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/README.md
new file mode 100644
index 0000000000..5057c54da7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/README.md
@@ -0,0 +1,13 @@
+# ## Description
+
+This test validates that the namespaceSelector is applied to a wildcard policy successfully.
+
+## Expected Behavior
+
+The pod `test-validate/nginx-block` is blocked, and the pod `default/nginx-pass` is created.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6015
+https://github.com/kyverno/kyverno/issues/7771
\ No newline at end of file 
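Review bot: In policy.yaml the `message:` value is a plain scalar that continues on the following line (`values list.`); YAML folds the two fragments into one string, but the layout reads like a stray key and several linters flag it. Writing it as `message: >-` with both fragments indented beneath expresses the same string explicitly. The `failurePolicy: Ignore` / `validationFailureAction: Enforce` pairing is the combination under test, so a one-line comment above `failurePolicy` pointing at the README would save readers from assuming it is a mistake.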
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/chainsaw-test.yaml
new file mode 100755
index 0000000000..1392e77bcf
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/chainsaw-test.yaml
@@ -0,0 +1,28 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: ns-selector-with-wildcard-kind
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-fail.yaml
+ - apply:
+ file: pod-pass.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/ns.yaml
new file mode 100644
index 0000000000..db57908a16
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/ns.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-wildcard
+ labels:
+ freeze: "true"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/pod-fail.yaml
new file mode 100644
index 0000000000..2fb33e13d5
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/pod-fail.yaml 
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: nginx
+ name: nginx-block
+ namespace: test-wildcard
+spec:
+ containers:
+ - image: nginx
+ name: test
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/pod-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/pod-pass.yaml
new file mode 100644
index 0000000000..9313c2d769
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/pod-pass.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: nginx
+ name: nginx-pass
+ namespace: default
+spec:
+ containers:
+ - image: nginx
+ name: test
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/policy-assert.yaml
new file mode 100644
index 0000000000..043c65f83d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: freeze-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/policy.yaml
new file mode 100644
index 0000000000..8469b1ac3c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/policy.yaml 
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: freeze-policy
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: freeze-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - "*"
+ namespaceSelector:
+ matchExpressions:
+ - key: freeze
+ operator: In
+ values:
+ - "true"
+ validate:
+ message: "Namespace is frozen."
+ deny: {}
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/README.md
new file mode 100644
index 0000000000..956f6a058e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test mainly verifies that the operator AllNotIn does not work properly.
+
+## Expected Behavior
+
+1. The clusterpolicy is created correctly.
+2. Failed to create resources in test-validate namespace because the deployment lacks of label.
+3. Successfully created deployment in default because 'def*' is within the value of AllNotIn.
+
+## Reference Issue(s)
+
+5617
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml
new file mode 100755
index 0000000000..b1a6ded157
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml 
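Review bot: In policy.yaml, `kinds: - "*"` combined with `deny: {}` and no `operations` filter rejects every matched admission request for any namespace carrying `freeze=true`, so the test is only sound as long as nothing else is admitted into `test-wildcard` for its whole lifetime, and that assumption is written nowhere. A comment above the rule such as `# wildcard kind + unconditional deny: every request into a frozen namespace is rejected, so only pods expected to fail are created there` would record it. Whether DELETE requests are also matched when `operations` is omitted is not visible here; if they are, chainsaw's cleanup of objects in `test-wildcard` would be denied too, so it is worth confirming against the operation defaults before relying on teardown.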
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ name: check-for-labels
+ preconditions:
+ any:
+ - key: '{{ request.object.metadata.namespace }}'
+ operator: AllNotIn
+ value:
+ - kyverno
+ - def*
+ validate:
+ message: label 'app.kubernetes.io/name' is required
+ pattern:
+ metadata:
+ labels:
+ app.kubernetes.io/name: ?*
+ validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-01-assert-1-1.yaml
new file mode 100755
index 0000000000..b0bd73c54e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-01-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-03-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-03-apply-1-1.yaml
new file mode 100755
index 0000000000..9c54b05a52
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-03-apply-1-1.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx
+ name: nginx
+ namespace: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - image: nginx
+ name: nginx 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-test.yaml
new file mode 100755
index 0000000000..4ce7cb109d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-test.yaml
@@ -0,0 +1,34 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: operator-allnotin-01
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - name: step-02
+ try:
+ - script:
+ content: kubectl apply -f resource.yaml
+ check:
+ # This check below ensures that the string "label ''app.kubernetes.io/name'' is required" is found in stderr or else fails
+ (contains($stderr, 'label \'\'app.kubernetes.io/name\'\' is required')): true
+ - name: step-03
+ try:
+ - apply:
+ file: chainsaw-step-03-apply-1-1.yaml
+ - name: step-04
+ try:
+ - sleep:
+ duration: 5s
+ - delete:
+ ref:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: nginx
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/resource.yaml
new file mode 100644
index 0000000000..c988d4899d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/resource.yaml 
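Review bot: step-02 creates the `test-validate` Namespace through `kubectl apply -f resource.yaml` (resource.yaml, in the next hunk, holds a Namespace document ahead of the Deployment), so chainsaw does not track it and nothing in this Test deletes it; step-04 only removes the nginx Deployment in `default`. A leftover namespace is then shared with any later test using the same name, such as the scaling-with-kubectl-scale fixture added in this change, which can mask or cause failures depending on run order. Either move the Namespace into a chainsaw `apply` step so cleanup is automatic, or add `- delete:` with `ref: {apiVersion: v1, kind: Namespace, name: test-validate}` to step-04.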
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-validate
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx-test
+ name: nginx-test
+ namespace: test-validate
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx-test
+ template:
+ metadata:
+ labels:
+ app: nginx-test
+ spec:
+ containers:
+ - image: nginx
+ name: nginx
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/README.md
new file mode 100644
index 0000000000..a18f638bb5
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test mainly verifies that the operator AllIn work properly with the boolean comparison.
+
+## Expected Behavior
+
+1. The clusterpolicy is created correctly.
+2. Failed to create resources in because the deny condition is true.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7045
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml
new file mode 100755
index 0000000000..7ab935daf4
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml 
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: operator-anyin-boolean-cpol
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-commands
+ preconditions:
+ all:
+ - key: '{{ length(request.object.spec.containers[].livenessProbe.exec.command[]
+ || `[]`) }}'
+ operator: GreaterThan
+ value: 0
+ - key: '{{ request.operation }}'
+ operator: NotEquals
+ value: DELETE
+ validate:
+ deny:
+ conditions:
+ any:
+ - key: true
+ operator: AnyIn
+ value: '{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match(''\bjcmd\b'',@)
+ }}'
+ message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes.
+ validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-step-02-assert-1-1.yaml
new file mode 100755
index 0000000000..7e920d3527
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-step-02-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: operator-anyin-boolean-cpol
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-test.yaml
new file mode 100755
index 0000000000..73bcb0a434
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-test.yaml 
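Review bot: The deny condition in chainsaw-step-01-apply-1-1.yaml only evaluates `regex_match(''\bjcmd\b'',@)` over the liveness-probe commands, yet its `message:` states `Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes.`, so a probe that uses only `ps` or `ls` is admitted while the denial text tells operators it would not be; pod.yaml's container04 (`cat | ls -l`) is exactly the case the regex lets through, and the test pod is rejected only because of container01. Either narrow the message to `Cannot use the command `jcmd` in liveness probes.` or widen the pattern to `''\b(jcmd|ps|ls)\b''` and keep the message. The bare `key: true` is a YAML boolean rather than the string `"true"`, which is presumably intended since AnyIn is compared against the boolean results of regex_match, but a comment saying so would spare the next reader the check; this file also declares `kyverno.io/v2beta1` where the sibling policy fixtures use `kyverno.io/v1`.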
@@ -0,0 +1,22 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: operator-anyin-boolean
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: chainsaw-step-02-assert-1-1.yaml
+ - name: step-03
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/pod.yaml
new file mode 100644
index 0000000000..ee459edcfd
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/pod.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: operator-anyin-boolean-pod
+spec:
+ containers:
+ - name: container01
+ image: czjunkfoo
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - jcmd | grep Main
+ - name: container02
+ image: czjunkfoo
+ - name: container03
+ image: czjunkfoo
+ livenessProbe:
+ httpGet:
+ port: 8080
+ - name: container04
+ image: czjunkfoo
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - cat | ls -l
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/README.md
new file mode 100644
index 0000000000..b9ed7e236e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/README.md
@@ -0,0 +1,3 @@
+# Title
+
+Basic validate test to check that a violating resource cannot be created when the policy is in enforce mode.
\ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-01-apply-1-1.yaml
new file mode 100755
index 0000000000..963db7addd
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-01-apply-1-1.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-owner
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: check-owner
+ validate:
+ message: The `owner` label is required for all Namespaces.
+ pattern:
+ metadata:
+ labels:
+ owner: ?*
+ validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-01-assert-1-1.yaml
new file mode 100755
index 0000000000..d3fab0a660
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-01-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-owner
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-03-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-03-error-1-1.yaml
new file mode 100755
index 0000000000..5ddd30bbf9
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-03-error-1-1.yaml 
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ cloud.platformzero.com/serviceClass: xl2
+ labels:
+ app-type: corp
+ name: mytestingns
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-test.yaml
new file mode 100755
index 0000000000..9f8364f2bf
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: resource-apply-block
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: resource.yaml
+ - name: step-03
+ try:
+ - error:
+ file: chainsaw-step-03-error-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/resource.yaml
new file mode 100644
index 0000000000..0950676715
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: mytestingns
+ labels:
+ app-type: corp
+ annotations:
+ cloud.platformzero.com/serviceClass: "xl2"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/README.md
new file mode 100644
index 0000000000..51806ff45e
--- /dev/null 
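Review bot: chainsaw-step-03-error-1-1.yaml repeats the full label and annotation set from resource.yaml, so the `error` step passes whenever no Namespace matches that whole shape, including the case where a `mytestingns` Namespace does exist with different metadata; the step's purpose is to prove the namespace was not created at all. Trimming the error file to `apiVersion: v1`, `kind: Namespace` and `metadata: {name: mytestingns}` makes the absence check match on identity only. A short comment in the error file (`# must not exist: the policy is expected to have blocked creation`) would also explain why a resource file with no assertion on fields is present.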
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/README.md
@@ -0,0 +1,3 @@
+# Scaling with kubectl scale
+
+Validate test to check that a resource can't be scaled through the `kubectl scale` command. Related issue https://github.com/kyverno/kyverno/issues/3118
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-1.yaml
new file mode 100755
index 0000000000..ddccd1ac34
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-validate
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml
new file mode 100755
index 0000000000..dbc2c6a063
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: nginx-test-scaling-policy
+spec:
+ background: false
+ failurePolicy: Fail
+ rules:
+ - match:
+ resources:
+ kinds:
+ - Deployment/scale
+ names:
+ - nginx-test
+ namespaces:
+ - test-validate
+ name: validate-nginx-test
+ validate:
+ message: nginx-test needs to have 2 replicas
+ pattern:
+ spec:
+ replicas: 2
+ validationFailureAction: Enforce 
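Review bot: chainsaw-step-01-apply-1-2.yaml writes the rule's match as `match: resources:` directly, whereas every other policy fixture added in this change uses the `match: any: - resources:` form. This directory exists to keep the spec-level `validationFailureAction` placement under test, so it is unclear whether the older match shape is deliberately part of that coverage or simply carried over from the copied file; a one-line comment above `match:` stating which (`# match.resources form kept on purpose; see README`) would settle it, and if it is not intentional, switching to `any:` keeps the fixtures uniform.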
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-3.yaml
new file mode 100755
index 0000000000..c092e98eb6
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-3.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx-test
+ name: nginx-test
+ namespace: test-validate
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: nginx-test
+ template:
+ metadata:
+ labels:
+ app: nginx-test
+ spec:
+ containers:
+ - image: nginx
+ name: nginx
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-1.yaml
new file mode 100755
index 0000000000..31d63d44d0
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: nginx-test-scaling-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-2.yaml
new file mode 100755
index 0000000000..5d32750add
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-2.yaml 
@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx-test
+ name: nginx-test
+ namespace: test-validate
+status:
+ replicas: 2
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-test.yaml
new file mode 100755
index 0000000000..8234b6f5cb
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-test.yaml
@@ -0,0 +1,26 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: scaling-with-kubectl-scale
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-2.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-3.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-2.yaml
+ - name: step-02
+ try:
+ - script:
+ content: kubectl scale deployment nginx-test --replicas=1 -n test-validate
+ check:
+ # This check below ensures that the string "validation error: nginx-test needs to have 2 replicas" isn't found in stderr or else fails
+ (contains($stderr, 'nginx-test needs to have 2 replicas')): true
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml
index 8d4c08681d..1e92b6ebd3 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml 
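Review bot: In chainsaw-test.yaml the comment above the step-02 check says the replicas message "isn't found in stderr or else fails", but the assertion `(contains($stderr, 'nginx-test needs to have 2 replicas')): true` requires the message to be present, which is also what the test intends (scaling to 1 replica must be denied by the policy). The comment should read `# The scale request must be denied: fail unless the policy's validation message appears in stderr`. The analogous comment in operator-allnotin-01/chainsaw-test.yaml describes its check correctly, so only this one is inverted.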
@@ -16,6 +16,7 @@ spec:
 - Pod/eviction
 name: deny-evict-by-label
 validate:
+ validationFailureAction: Enforce
 deny:
 conditions:
 all:
@@ -23,4 +24,3 @@ spec:
 operator: Equals
 value: "false"
 message: Evicting Pods protected with the label 'evict=false' is forbidden.
- validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml
index 84df326e27..6f56d15d0e 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml
@@ -30,6 +30,7 @@ spec:
 operator: Equals
 value: CONNECT
 validate:
+ validationFailureAction: Enforce
 deny:
 conditions:
 all:
@@ -37,4 +38,3 @@ spec:
 operator: Equals
 value: "false"
 message: Exec'ing into Pods protected with the label 'exec=false' is forbidden.
- validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml
index dbc2c6a063..a958381812 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml
@@ -4,7 +4,6 @@ metadata:
 name: nginx-test-scaling-policy
 spec:
 background: false
- failurePolicy: Fail
 rules:
 - match:
 resources: 
@@ -16,8 +15,10 @@ spec: - test-validate name: validate-nginx-test validate: + validationFailureAction: Enforce message: nginx-test needs to have 2 replicas pattern: spec: replicas: 2 - validationFailureAction: Enforce + webhookConfiguration: + failurePolicy: Fail diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy.yaml index 8d0d254101..fd57acd08c 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy.yaml @@ -4,7 +4,6 @@ metadata: name: validate-csr spec: background: false - validationFailureAction: Enforce rules: - name: csr match: @@ -13,6 +12,7 @@ spec: kinds: - CertificateSigningRequest validate: + validationFailureAction: Enforce message: >- CSR created by {{ request.userInfo | to_string(@) }} with ClusterRoles {{ request.clusterRoles | to_string(@) }} @@ -31,7 +31,6 @@ metadata: name: mutate-csr spec: background: false - validationFailureAction: Enforce rules: - name: csr match: diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing/policy.yaml index 2393c4e79d..ba10af7439 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-labels spec: - validationFailureAction: Enforce background: true rules: - name: check-labels @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce pattern: metadata: labels: 
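Review bot: The `mutate-csr` policy in `enforce/csr/policy.yaml` loses `validationFailureAction: Enforce` in the `@@ -31,7 +31,6 @@` hunk with no rule-level replacement, whereas `validate-csr` gets the field re-added under `validate:` in the hunk just above. If `mutate-csr` holds only mutate rules the spec-level field had no effect and dropping it is correct, but if any validate rule exists further down (its rules are outside the hunk) that rule now runs with the default action and the test would keep passing while no longer enforcing anything. A one-line confirmation in the commit message, or a rule-level `validationFailureAction: Enforce` inside any validate rule of that policy, would remove the ambiguity.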
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml index eed8b5fc16..0c796b6511 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml @@ -4,7 +4,6 @@ metadata: name: disallow-annotations spec: background: true - failurePolicy: Ignore rules: - match: all: @@ -13,6 +12,7 @@ spec: - Pod name: disallow-annotations validate: + validationFailureAction: Enforce message: One or more annotations is not allowed per the policies disallowed values list. pattern: @@ -20,5 +20,6 @@ spec: =(annotations): =(kyverno-policies-test/key): '!disallowed' X(kyverno-policies-test/disallowed): "null" - validationFailureAction: Enforce - webhookTimeoutSeconds: 30 + webhookConfiguration: + failurePolicy: Ignore + timeoutSeconds: 30 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml index 8469b1ac3c..0741de543c 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: freeze-policy spec: - validationFailureAction: Enforce background: false rules: - name: freeze-rule @@ -19,5 +18,6 @@ spec: values: - "true" validate: + validationFailureAction: Enforce message: "Namespace is frozen." - deny: {} \ No newline at end of file + deny: {} 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml index b1a6ded157..76bf9e39b7 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml @@ -19,9 +19,9 @@ spec: - kyverno - def* validate: + validationFailureAction: Enforce message: label 'app.kubernetes.io/name' is required pattern: metadata: labels: app.kubernetes.io/name: ?* - validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml index 7ab935daf4..a4ce233ddd 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml @@ -21,6 +21,7 @@ spec: operator: NotEquals value: DELETE validate: + validationFailureAction: Enforce deny: conditions: any: @@ -29,4 +30,3 @@ spec: value: '{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match(''\bjcmd\b'',@) }}' message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes. - validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/chainsaw-step-01-apply-1-1.yaml index 963db7addd..584c269dcc 100755 
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/chainsaw-step-01-apply-1-1.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/chainsaw-step-01-apply-1-1.yaml @@ -12,9 +12,9 @@ spec: - Namespace name: check-owner validate: + validationFailureAction: Enforce message: The `owner` label is required for all Namespaces. pattern: metadata: labels: owner: ?* - validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml index dbc2c6a063..a958381812 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml @@ -4,7 +4,6 @@ metadata: name: nginx-test-scaling-policy spec: background: false - failurePolicy: Fail rules: - match: resources: @@ -16,8 +15,10 @@ spec: - test-validate name: validate-nginx-test validate: + validationFailureAction: Enforce message: nginx-test needs to have 2 replicas pattern: spec: replicas: 2 - validationFailureAction: Enforce + webhookConfiguration: + failurePolicy: Fail diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/README.md new file mode 100644 index 0000000000..60c371ca2f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/README.md 
@@ -0,0 +1,11 @@
+## Description
+
+This test creates a policy to validate all resources have a `foo: bar` label.
+The policy matches on a wildcard but excludes a whole Namespace.
+The net result should be any Namespaced resource in the excluded Namespace should not be processed.
+It then creates a configmap in the default namespace that doesn't have the expected label.
+
+
+## Expected Behavior
+
+The configmap should be created successfully as it is excluded by the policy.
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/chainsaw-test.yaml
new file mode 100755
index 0000000000..320cfb951a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/chainsaw-test.yaml
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-namespace
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policies.yaml
+ - assert:
+ file: policies-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resources.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/policies-assert.yaml
new file mode 100644
index 0000000000..7149accf8d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/policies-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-label
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
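Review bot: step-02 of `exclude-namespace(deprecated)/chainsaw-test.yaml` treats a successful apply of `resources.yaml` as proof that the `default` namespace exclusion works, but the apply also succeeds when the policy is not enforced at all, so the test cannot distinguish "excluded" from "not enforced". The Ready assertion in step-01 (`policies-assert.yaml`) narrows this but does not show that the webhook is actually rejecting anything. A negative control — applying the same unlabeled ConfigMap in a namespace the policy does not exclude and expecting the apply to be rejected — would pin the behavior the README describes and can be added as a third step, mirroring how `enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-test.yaml` checks for an explicit denial.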
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/policies.yaml
new file mode 100644
index 0000000000..b339516f26
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/policies.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-label
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: require-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - "*"
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - default
+ preconditions:
+ all:
+ - key: "{{ request.operation }}"
+ operator: NotEquals
+ value: DELETE
+ validate:
+ message: 'Test'
+ pattern:
+ metadata:
+ labels:
+ foo: bar
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/resources.yaml
new file mode 100644
index 0000000000..1746b5de27
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace(deprecated)/resources.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-name
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml
index b339516f26..13d24ec21b 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml
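Review bot: `message: 'Test'` in the `require-label` rule of `exclude-namespace(deprecated)/policies.yaml` tells a user denied by this policy nothing about what was violated, and it is also what shows up in test logs when an unexpected denial occurs during the run. A descriptive message such as `message: "The label 'foo: bar' is required"` costs nothing and matches the README. Note that the rule matches every kind (`- "*"`) in Enforce mode across all namespaces except `default`, with only DELETE exempted by the precondition, so while this test runs any other resource created in the cluster is subject to it; that blast radius is worth a comment on the rule so the fixture is not copied into a shared cluster unchanged.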
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-label spec: - validationFailureAction: Enforce background: false rules: - name: require-label @@ -23,6 +22,7 @@ spec: operator: NotEquals value: DELETE validate: + validationFailureAction: Enforce message: 'Test' pattern: metadata: diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/README.md new file mode 100644 index 0000000000..adf720e182 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/README.md @@ -0,0 +1,3 @@ +# Title + +Checks that a ClusterPolicy with multiple custom resources validate the GVK as defined in the policy. \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..13ed1c22db --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/chainsaw-test.yaml @@ -0,0 +1,31 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: gvk +spec: + steps: + - name: step-00 + try: + - apply: + file: crd.yaml + - assert: + file: crd-ready.yaml + - name: step-01 + try: + - apply: + file: crd-1.yaml + - assert: + file: crd-ready-1.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - apply: + file: task.yaml + - assert: + file: task.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-1.yaml new file mode 100644 index 0000000000..f8fd7eb6eb --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-1.yaml 
@@ -0,0 +1,890 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: dbclusters.docdb.aws.crossplane.io +spec: + group: docdb.aws.crossplane.io + names: + categories: + - crossplane + - managed + - aws + kind: DBCluster + listKind: DBClusterList + plural: dbclusters + singular: dbcluster + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: DBCluster is the Schema for the DBClusters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DBClusterSpec defines the desired state of DBCluster + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. 
+ enum: + - Orphan + - Delete + type: string + forProvider: + description: DBClusterParameters defines the desired state of DBCluster + properties: + applyImmediately: + description: "A value that specifies whether the changes in this + request and any pending changes are asynchronously applied as + soon as possible, regardless of the PreferredMaintenanceWindow + setting for the cluster. If this parameter is set to false, + changes to the cluster are applied during the next maintenance + window. \n The ApplyImmediately parameter affects only the NewDBClusterIdentifier + and MasterUserPassword values. If you set this parameter value + to false, the changes to the NewDBClusterIdentifier and MasterUserPassword + values are applied during the next maintenance window. All other + changes are applied immediately, regardless of the value of + the ApplyImmediately parameter. \n Default: false" + type: boolean + availabilityZones: + description: A list of Amazon EC2 Availability Zones that instances + in the cluster can be created in. + items: + type: string + type: array + backupRetentionPeriod: + description: "The number of days for which automated backups are + retained. You must specify a minimum value of 1. \n Default: + 1 \n Constraints: \n * Must be a value from 1 to 35." + format: int64 + type: integer + dbClusterParameterGroupName: + description: The name of the cluster parameter group to associate + with this cluster. + type: string + dbClusterParameterGroupNameRef: + description: A Reference to a named object. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbClusterParameterGroupNameSelector: + description: A Selector selects an object. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + dbSubnetGroupName: + description: "A subnet group to associate with this cluster. \n + Constraints: Must match the name of an existing DBSubnetGroup. + Must not be default. \n Example: mySubnetgroup" + type: string + dbSubnetGroupNameRef: + description: A Reference to a named object. + properties: + name: + description: Name of the referenced object. 
+ type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbSubnetGroupNameSelector: + description: A Selector selects an object. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object + deletionProtection: + description: Specifies whether this cluster can be deleted. If + DeletionProtection is enabled, the cluster cannot be deleted + unless it is modified and DeletionProtection is disabled. DeletionProtection + protects clusters from being accidentally deleted. + type: boolean + destinationRegion: + description: DestinationRegion is used for presigning the request + to a given region. + type: string + enableCloudwatchLogsExports: + description: A list of log types that need to be enabled for exporting + to Amazon CloudWatch Logs. You can enable audit logs or profiler + logs. For more information, see Auditing Amazon DocumentDB Events + (https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html) + and Profiling Amazon DocumentDB Operations (https://docs.aws.amazon.com/documentdb/latest/developerguide/profiling.html). + items: + type: string + type: array + engine: + description: "The name of the database engine to be used for this + cluster. \n Valid values: docdb" + type: string + engineVersion: + description: The version number of the database engine to use. + The --engine-version will default to the latest major engine + version. For production workloads, we recommend explicitly declaring + this parameter with the intended major engine version. + type: string + finalDBSnapshotIdentifier: + description: "The cluster snapshot identifier of the new cluster + snapshot created when SkipFinalSnapshot is set to false. \n + Specifying this parameter and also setting the SkipFinalShapshot + parameter to true results in an error. \n Constraints: \n * + Must be from 1 to 255 letters, numbers, or hyphens. \n * The + first character must be a letter. \n * Cannot end with a hyphen + or contain two consecutive hyphens." + type: string + globalClusterIdentifier: + description: The cluster identifier of the new global cluster. 
+ type: string + kmsKeyID: + description: "The KMS key identifier for an encrypted cluster. + \n The KMS key identifier is the Amazon Resource Name (ARN) + for the KMS encryption key. If you are creating a cluster using + the same account that owns the KMS encryption key that is used + to encrypt the new cluster, you can use the KMS key alias instead + of the ARN for the KMS encryption key. \n If an encryption key + is not specified in KmsKeyId: \n * If the StorageEncrypted parameter + is true, Amazon DocumentDB uses your default encryption key. + \n KMS creates the default encryption key for your account. + Your account has a different default encryption key for each + Regions." + type: string + kmsKeyIDRef: + description: 'TODO(haarchri): when resource is bumped to beta + we will convert this field to kmsKeyIdRef' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + kmsKeyIDSelector: + description: 'TODO(haarchri): when resource is bumped to beta + we will convert this field to kmsKeyIdSelector' + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + masterUserPasswordSecretRef: + description: "MasterUserPasswordSecretRef references the secret + that contains the password for the master database user. This + password can contain any printable ASCII character except forward + slash (/), double quote (\"), or the \"at\" symbol (@). \n Constraints: + Must contain from 8 to 100 characters." + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + masterUsername: + description: "The name of the master user for the cluster. \n + Constraints: \n * Must be from 1 to 63 letters or numbers. \n + * The first character must be a letter. \n * Cannot be a reserved + word for the chosen database engine." + type: string + port: + description: The port number on which the instances in the cluster + accept connections. + format: int64 + type: integer + preSignedURL: + description: Not currently supported. 
+ type: string + preferredBackupWindow: + description: "The daily time range during which automated backups + are created if automated backups are enabled using the BackupRetentionPeriod + parameter. \n The default is a 30-minute window selected at + random from an 8-hour block of time for each Region. \n Constraints: + \n * Must be in the format hh24:mi-hh24:mi. \n * Must be in + Universal Coordinated Time (UTC). \n * Must not conflict with + the preferred maintenance window. \n * Must be at least 30 minutes." + type: string + preferredMaintenanceWindow: + description: "The weekly time range during which system maintenance + can occur, in Universal Coordinated Time (UTC). \n Format: ddd:hh24:mi-ddd:hh24:mi + \n The default is a 30-minute window selected at random from + an 8-hour block of time for each Region, occurring on a random + day of the week. \n Valid days: Mon, Tue, Wed, Thu, Fri, Sat, + Sun \n Constraints: Minimum 30-minute window." + type: string + region: + description: Region is which region the DBCluster will be created. + type: string + skipFinalSnapshot: + description: "Determines whether a final cluster snapshot is created + before the cluster is deleted. If true is specified, no cluster + snapshot is created. If false is specified, a cluster snapshot + is created before the DB cluster is deleted. \n If SkipFinalSnapshot + is false, you must specify a FinalDBSnapshotIdentifier parameter. + \n Default: false" + type: boolean + sourceRegion: + description: SourceRegion is the source region where the resource + exists. This is not sent over the wire and is only used for + presigning. This value should always have the same region as + the source ARN. + type: string + storageEncrypted: + description: Specifies whether the cluster is encrypted. + type: boolean + tags: + description: The tags to be assigned to the cluster. 
+ items: + properties: + key: + type: string + value: + type: string + type: object + type: array + vpcSecurityGroupIDs: + description: A list of EC2 VPC security groups to associate with + this cluster. + items: + type: string + type: array + vpcSecurityGroupIDsRefs: + description: 'TODO(haarchri): when resource is bumped to beta + we will convert this field to vpcSecurityGroupIdRefs' + items: + description: A Reference to a named object. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution + of this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which + will attempt to resolve the reference only when the + corresponding field is not present. Use 'Always' to + resolve the reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + type: array + vpcSecurityGroupIDsSelector: + description: 'TODO(haarchri): when resource is bumped to beta + we will convert this field to vpcSecurityGroupIdSelector' + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + required: + - engine + - region + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. 
This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: DBClusterStatus defines the observed state of DBCluster. + properties: + atProvider: + description: DBClusterObservation defines the observed state of DBCluster + properties: + associatedRoles: + description: Provides a list of the Identity and Access Management + (IAM) roles that are associated with the cluster. (IAM) roles + that are associated with a cluster grant permission for the + cluster to access other Amazon Web Services services on your + behalf. + items: + properties: + roleARN: + type: string + status: + type: string + type: object + type: array + clusterCreateTime: + description: Specifies the time when the cluster was created, + in Universal Coordinated Time (UTC). + format: date-time + type: string + dbClusterARN: + description: The Amazon Resource Name (ARN) for the cluster. + type: string + dbClusterIdentifier: + description: Contains a user-supplied cluster identifier. This + identifier is the unique key that identifies a cluster. + type: string + dbClusterMembers: + description: Provides the list of instances that make up the cluster. + items: + properties: + dbClusterParameterGroupStatus: + type: string + dbInstanceIdentifier: + type: string + isClusterWriter: + type: boolean + promotionTier: + format: int64 + type: integer + type: object + type: array + dbClusterParameterGroup: + description: Specifies the name of the cluster parameter group + for the cluster. + type: string + dbClusterResourceID: + description: The Region-unique, immutable identifier for the cluster. 
+ This identifier is found in CloudTrail log entries whenever + the KMS key for the cluster is accessed. + type: string + dbSubnetGroup: + description: Specifies information on the subnet group that is + associated with the cluster, including the name, description, + and subnets in the subnet group. + type: string + earliestRestorableTime: + description: The earliest time to which a database can be restored + with point-in-time restore. + format: date-time + type: string + enabledCloudwatchLogsExports: + description: A list of log types that this cluster is configured + to export to Amazon CloudWatch Logs. + items: + type: string + type: array + endpoint: + description: Specifies the connection endpoint for the primary + instance of the cluster. + type: string + hostedZoneID: + description: Specifies the ID that Amazon Route 53 assigns when + you create a hosted zone. + type: string + latestRestorableTime: + description: Specifies the latest time to which a database can + be restored with point-in-time restore. + format: date-time + type: string + multiAZ: + description: Specifies whether the cluster has instances in multiple + Availability Zones. + type: boolean + percentProgress: + description: Specifies the progress of the operation as a percentage. + type: string + readReplicaIdentifiers: + description: Contains one or more identifiers of the secondary + clusters that are associated with this cluster. + items: + type: string + type: array + readerEndpoint: + description: "The reader endpoint for the cluster. The reader + endpoint for a cluster load balances connections across the + Amazon DocumentDB replicas that are available in a cluster. + As clients request new connections to the reader endpoint, Amazon + DocumentDB distributes the connection requests among the Amazon + DocumentDB replicas in the cluster. This functionality can help + balance your read workload across multiple Amazon DocumentDB + replicas in your cluster. 
\n If a failover occurs, and the Amazon + DocumentDB replica that you are connected to is promoted to + be the primary instance, your connection is dropped. To continue + sending your read workload to other Amazon DocumentDB replicas + in the cluster, you can then reconnect to the reader endpoint." + type: string + replicationSourceIdentifier: + description: Contains the identifier of the source cluster if + this cluster is a secondary cluster. + type: string + status: + description: Specifies the current state of this cluster. + type: string + vpcSecurityGroups: + description: Provides a list of virtual private cloud (VPC) security + groups that the cluster belongs to. + items: + properties: + status: + type: string + vpcSecurityGroupID: + type: string + type: object + type: array + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-ready-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-ready-1.yaml
new file mode 100644
index 0000000000..8e47b9efc1
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-ready-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: dbclusters.docdb.aws.crossplane.io
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-ready.yaml
new file mode 100644
index 0000000000..8f7aaf4eea
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-ready.yaml
@@ -0,0 +1,4 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: dbclusters.rds.aws.crossplane.io
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd.yaml
new file mode 100644
index 0000000000..2a8fe07fbe
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd.yaml
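Review bot: `crd-ready.yaml` (and `crd-ready-1.yaml`) match only `metadata.name` of the CustomResourceDefinition, so if these are used as chainsaw assert files — which the name suggests, though the step file is not in this chunk — they are satisfied as soon as the CRD object is stored, before the API server has accepted the schema and started serving the GVK. A later step that relies on `dbclusters.rds.aws.crossplane.io` being resolvable (which is what a gvk-based policy test exercises) can then race the CRD becoming Established and fail intermittently. Since chainsaw assertions are partial matches, one extra line pins the real readiness signal: `status: {conditions: [{type: Established, status: "True"}]}` under the existing `metadata` block, in both files.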
@@ -0,0 +1,1352 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: dbclusters.rds.aws.crossplane.io +spec: + group: rds.aws.crossplane.io + names: + categories: + - crossplane + - managed + - aws + kind: DBCluster + listKind: DBClusterList + plural: dbclusters + singular: dbcluster + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: DBCluster is the Schema for the DBClusters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DBClusterSpec defines the desired state of DBCluster + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. 
+ enum: + - Orphan + - Delete + type: string + forProvider: + description: DBClusterParameters defines the desired state of DBCluster + properties: + applyImmediately: + description: "A value that indicates whether the modifications + in this request and any pending modifications are asynchronously + applied as soon as possible, regardless of the PreferredMaintenanceWindow + setting for the DB cluster. If this parameter is disabled, changes + to the DB cluster are applied during the next maintenance window. + \n The ApplyImmediately parameter only affects the EnableIAMDatabaseAuthentication, + MasterUserPassword values. If the ApplyImmediately parameter + is disabled, then changes to the EnableIAMDatabaseAuthentication, + MasterUserPassword values are applied during the next maintenance + window. All other changes are applied immediately, regardless + of the value of the ApplyImmediately parameter. \n By default, + this parameter is disabled." + type: boolean + autogeneratePassword: + description: "AutogeneratePassword indicates whether the controller + should generate a random password for the master user if one + is not provided via MasterUserPasswordSecretRef. \n If a password + is generated, it will be stored as a secret at the location + specified by MasterUserPasswordSecretRef." + type: boolean + availabilityZones: + description: A list of Availability Zones (AZs) where instances + in the DB cluster can be created. For information on Amazon + Web Services Regions and Availability Zones, see Choosing the + Regions and Availability Zones (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.RegionsAndAvailabilityZones.html) + in the Amazon Aurora User Guide. + items: + type: string + type: array + backtrackWindow: + description: "The target backtrack window, in seconds. To disable + backtracking, set this value to 0. \n Currently, Backtrack is + only supported for Aurora MySQL DB clusters. 
\n Default: 0 \n + Constraints: \n * If specified, this value must be set to a + number from 0 to 259,200 (72 hours)." + format: int64 + type: integer + backupRetentionPeriod: + description: "The number of days for which automated backups are + retained. \n Default: 1 \n Constraints: \n * Must be a value + from 1 to 35" + format: int64 + type: integer + characterSetName: + description: A value that indicates that the DB cluster should + be associated with the specified CharacterSet. + type: string + copyTagsToSnapshot: + description: A value that indicates whether to copy all tags from + the DB cluster to snapshots of the DB cluster. The default is + not to copy them. + type: boolean + databaseName: + description: The name for your database of up to 64 alphanumeric + characters. If you do not provide a name, Amazon RDS doesn't + create a database in the DB cluster you are creating. + type: string + dbClusterParameterGroupName: + description: "The name of the DB cluster parameter group to associate + with this DB cluster. If you do not specify a value, then the + default DB cluster parameter group for the specified DB engine + and version is used. \n Constraints: \n * If supplied, must + match the name of an existing DB cluster parameter group." + type: string + dbClusterParameterGroupNameRef: + description: DBClusterParameterGroupNameRef is a reference to + a DBClusterParameterGroup used to set DBClusterParameterGroupName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbClusterParameterGroupNameSelector: + description: DBClusterParameterGroupNameSelector selects a reference + to a DBClusterParameterGroup used to set DBClusterParameterGroupName. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + dbSubnetGroupName: + description: "A DB subnet group to associate with this DB cluster. + \n Constraints: Must match the name of an existing DBSubnetGroup. + Must not be default. 
\n Example: mySubnetgroup" + type: string + dbSubnetGroupNameRef: + description: DBSubnetGroupNameRef is a reference to a DBSubnetGroup + used to set DBSubnetGroupName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbSubnetGroupNameSelector: + description: DBSubnetGroupNameSelector selects a reference to + a DBSubnetGroup used to set DBSubnetGroupName. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + deletionProtection: + description: A value that indicates whether the DB cluster has + deletion protection enabled. The database can't be deleted when + deletion protection is enabled. By default, deletion protection + is disabled. + type: boolean + destinationRegion: + description: DestinationRegion is used for presigning the request + to a given region. + type: string + domain: + description: "The Active Directory directory ID to create the + DB cluster in. \n For Amazon Aurora DB clusters, Amazon RDS + can use Kerberos Authentication to authenticate users that connect + to the DB cluster. For more information, see Kerberos Authentication + (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/kerberos-authentication.html) + in the Amazon Aurora User Guide." + type: string + domainIAMRoleName: + description: Specify the name of the IAM role to be used when + making API calls to the Directory Service. + type: string + domainIAMRoleNameRef: + description: DomainIAMRoleNameRef is a reference to an IAMRole + used to set DomainIAMRoleName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + domainIAMRoleNameSelector: + description: DomainIAMRoleNameSelector selects a reference to + an IAMRole used to set DomainIAMRoleName. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + enableCloudwatchLogsExports: + description: "The list of log types that need to be enabled for + exporting to CloudWatch Logs. The values in the list depend + on the DB engine being used. 
For more information, see Publishing + Database Logs to Amazon CloudWatch Logs (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) + in the Amazon Aurora User Guide. \n Aurora MySQL \n Possible + values are audit, error, general, and slowquery. \n Aurora PostgreSQL + \n Possible value is postgresql." + items: + type: string + type: array + enableGlobalWriteForwarding: + description: "A value that indicates whether to enable this DB + cluster to forward write operations to the primary cluster of + an Aurora global database (GlobalCluster). By default, write + operations are not allowed on Aurora DB clusters that are secondary + clusters in an Aurora global database. \n You can set this value + only on Aurora DB clusters that are members of an Aurora global + database. With this parameter enabled, a secondary cluster can + forward writes to the current primary cluster and the resulting + changes are replicated back to this cluster. For the primary + DB cluster of an Aurora global database, this value is used + immediately if the primary is demoted by the FailoverGlobalCluster + API operation, but it does nothing until then." + type: boolean + enableHTTPEndpoint: + description: "A value that indicates whether to enable the HTTP + endpoint for an Aurora Serverless DB cluster. By default, the + HTTP endpoint is disabled. \n When enabled, the HTTP endpoint + provides a connectionless web service API for running SQL queries + on the Aurora Serverless DB cluster. You can also query your + database from inside the RDS console with the query editor. + \n For more information, see Using the Data API for Aurora Serverless + (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html) + in the Amazon Aurora User Guide." 
+ type: boolean + enableIAMDatabaseAuthentication: + description: "A value that indicates whether to enable mapping + of Amazon Web Services Identity and Access Management (IAM) + accounts to database accounts. By default, mapping is disabled. + \n For more information, see IAM Database Authentication (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html) + in the Amazon Aurora User Guide." + type: boolean + engine: + description: "The name of the database engine to be used for this + DB cluster. \n Valid Values: aurora (for MySQL 5.6-compatible + Aurora), aurora-mysql (for MySQL 5.7-compatible Aurora), and + aurora-postgresql" + type: string + engineMode: + description: "The DB engine mode of the DB cluster, either provisioned, + serverless, parallelquery, global, or multimaster. \n The parallelquery + engine mode isn't required for Aurora MySQL version 1.23 and + higher 1.x versions, and version 2.09 and higher 2.x versions. + \n The global engine mode isn't required for Aurora MySQL version + 1.22 and higher 1.x versions, and global engine mode isn't required + for any 2.x versions. \n The multimaster engine mode only applies + for DB clusters created with Aurora MySQL version 5.6.10a. \n + For Aurora PostgreSQL, the global engine mode isn't required, + and both the parallelquery and the multimaster engine modes + currently aren't supported. \n Limitations and requirements + apply to some DB engine modes. 
For more information, see the + following sections in the Amazon Aurora User Guide: \n * Limitations + of Aurora Serverless (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html#aurora-serverless.limitations) + \n * Limitations of Parallel Query (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-mysql-parallel-query.html#aurora-mysql-parallel-query-limitations) + \n * Limitations of Aurora Global Databases (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database.html#aurora-global-database.limitations) + \n * Limitations of Multi-Master Clusters (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-multi-master.html#aurora-multi-master-limitations)" + type: string + engineVersion: + description: "The version number of the database engine to use. + \n To list all of the available engine versions for aurora (for + MySQL 5.6-compatible Aurora), use the following command: \n + aws rds describe-db-engine-versions --engine aurora --query + \"DBEngineVersions[].EngineVersion\" \n To list all of the available + engine versions for aurora-mysql (for MySQL 5.7-compatible Aurora), + use the following command: \n aws rds describe-db-engine-versions + --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\" + \n To list all of the available engine versions for aurora-postgresql, + use the following command: \n aws rds describe-db-engine-versions + --engine aurora-postgresql --query \"DBEngineVersions[].EngineVersion\" + \n Aurora MySQL \n Example: 5.6.10a, 5.6.mysql_aurora.1.19.2, + 5.7.12, 5.7.mysql_aurora.2.04.5 \n Aurora PostgreSQL \n Example: + 9.6.3, 10.7" + type: string + finalDBSnapshotIdentifier: + description: "The DB cluster snapshot identifier of the new DB + cluster snapshot created when SkipFinalSnapshot is disabled. 
+ \n Specifying this parameter and also skipping the creation + of a final DB cluster snapshot with the SkipFinalShapshot parameter + results in an error. \n Constraints: \n * Must be 1 to 255 letters, + numbers, or hyphens. \n * First character must be a letter \n + * Can't end with a hyphen or contain two consecutive hyphens" + type: string + globalClusterIdentifier: + description: The global cluster ID of an Aurora cluster that becomes + the primary cluster in the new global database cluster. + type: string + kmsKeyID: + description: "The Amazon Web Services KMS key identifier for an + encrypted DB cluster. \n The Amazon Web Services KMS key identifier + is the key ARN, key ID, alias ARN, or alias name for the KMS + key. To use a KMS key in a different Amazon Web Services account, + specify the key ARN or alias ARN. \n When a KMS key isn't specified + in KmsKeyId: \n * If ReplicationSourceIdentifier identifies + an encrypted source, then Amazon RDS will use the KMS key used + to encrypt the source. Otherwise, Amazon RDS will use your default + KMS key. \n * If the StorageEncrypted parameter is enabled and + ReplicationSourceIdentifier isn't specified, then Amazon RDS + will use your default KMS key. \n There is a default KMS key + for your Amazon Web Services account. Your Amazon Web Services + account has a different default KMS key for each Amazon Web + Services Region. \n If you create a read replica of an encrypted + DB cluster in another Amazon Web Services Region, you must set + KmsKeyId to a KMS key identifier that is valid in the destination + Amazon Web Services Region. This KMS key is used to encrypt + the read replica in that Amazon Web Services Region." + type: string + kmsKeyIDRef: + description: KMSKeyIDRef is a reference to a KMS Key used to set + KMSKeyID. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + kmsKeyIDSelector: + description: KMSKeyIDSelector selects a reference to a KMS Key + used to set KMSKeyID. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object + masterUserPasswordSecretRef: + description: "The password for the master database user. This + password can contain any printable ASCII character except \"/\", + \"\"\", or \"@\". \n Constraints: Must contain from 8 to 41 + characters. Required." + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + masterUsername: + description: "The name of the master user for the DB cluster. + \n Constraints: \n * Must be 1 to 16 letters or numbers. \n + * First character must be a letter. \n * Can't be a reserved + word for the chosen database engine." + type: string + optionGroupName: + description: "A value that indicates that the DB cluster should + be associated with the specified option group. \n Permanent + options can't be removed from an option group. The option group + can't be removed from a DB cluster once it is associated with + a DB cluster." + type: string + port: + description: "The port number on which the instances in the DB + cluster accept connections. \n Default: 3306 if engine is set + as aurora or 5432 if set to aurora-postgresql." + format: int64 + type: integer + preSignedURL: + description: "A URL that contains a Signature Version 4 signed + request for the CreateDBCluster action to be called in the source + Amazon Web Services Region where the DB cluster is replicated + from. You only need to specify PreSignedUrl when you are performing + cross-region replication from an encrypted DB cluster. \n The + pre-signed URL must be a valid request for the CreateDBCluster + API action that can be executed in the source Amazon Web Services + Region that contains the encrypted DB cluster to be copied. 
+ \n The pre-signed URL request must contain the following parameter + values: \n * KmsKeyId - The Amazon Web Services KMS key identifier + for the KMS key to use to encrypt the copy of the DB cluster + in the destination Amazon Web Services Region. This should refer + to the same KMS key for both the CreateDBCluster action that + is called in the destination Amazon Web Services Region, and + the action contained in the pre-signed URL. \n * DestinationRegion + - The name of the Amazon Web Services Region that Aurora read + replica will be created in. \n * ReplicationSourceIdentifier + - The DB cluster identifier for the encrypted DB cluster to + be copied. This identifier must be in the Amazon Resource Name + (ARN) format for the source Amazon Web Services Region. For + example, if you are copying an encrypted DB cluster from the + us-west-2 Amazon Web Services Region, then your ReplicationSourceIdentifier + would look like Example: arn:aws:rds:us-west-2:123456789012:cluster:aurora-cluster1. + \n To learn how to generate a Signature Version 4 signed request, + see Authenticating Requests: Using Query Parameters (Amazon + Web Services Signature Version 4) (https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html) + and Signature Version 4 Signing Process (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). + \n If you are using an Amazon Web Services SDK tool or the CLI, + you can specify SourceRegion (or --source-region for the CLI) + instead of specifying PreSignedUrl manually. Specifying SourceRegion + autogenerates a pre-signed URL that is a valid request for the + operation that can be executed in the source Amazon Web Services + Region." + type: string + preferredBackupWindow: + description: "The daily time range during which automated backups + are created if automated backups are enabled using the BackupRetentionPeriod + parameter. 
\n The default is a 30-minute window selected at + random from an 8-hour block of time for each Amazon Web Services + Region. To view the time blocks available, see Backup window + (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html#Aurora.Managing.Backups.BackupWindow) + in the Amazon Aurora User Guide. \n Constraints: \n * Must be + in the format hh24:mi-hh24:mi. \n * Must be in Universal Coordinated + Time (UTC). \n * Must not conflict with the preferred maintenance + window. \n * Must be at least 30 minutes." + type: string + preferredMaintenanceWindow: + description: "The weekly time range during which system maintenance + can occur, in Universal Coordinated Time (UTC). \n Format: ddd:hh24:mi-ddd:hh24:mi + \n The default is a 30-minute window selected at random from + an 8-hour block of time for each Amazon Web Services Region, + occurring on a random day of the week. To see the time blocks + available, see Adjusting the Preferred DB Cluster Maintenance + Window (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow.Aurora) + in the Amazon Aurora User Guide. \n Valid Days: Mon, Tue, Wed, + Thu, Fri, Sat, Sun. \n Constraints: Minimum 30-minute window." + type: string + region: + description: Region is which region the DBCluster will be created. + type: string + replicationSourceIdentifier: + description: The Amazon Resource Name (ARN) of the source DB instance + or DB cluster if this DB cluster is created as a read replica. + type: string + restoreFrom: + description: RestoreFrom specifies the details of the backup to + restore when creating a new DBCluster. + properties: + s3: + description: S3 specifies the details of the S3 backup to + restore from. + properties: + bucketName: + description: BucketName is the name of the S3 bucket containing + the backup to restore. 
+ type: string + ingestionRoleARN: + description: IngestionRoleARN is the IAM role RDS can + assume that will allow it to access the contents of + the S3 bucket. + type: string + prefix: + description: Prefix is the path prefix of the S3 bucket + within which the backup to restore is located. + type: string + sourceEngine: + description: SourceEngine is the engine used to create + the backup. Must be "mysql". + type: string + sourceEngineVersion: + description: 'SourceEngineVersion is the version of the + engine used to create the backup. Example: "5.7.30"' + type: string + required: + - bucketName + - ingestionRoleARN + - sourceEngine + - sourceEngineVersion + type: object + source: + description: Source is the type of the backup to restore when + creating a new DBCluster. Only S3 is supported at present. + type: string + required: + - source + type: object + scalingConfiguration: + description: For DB clusters in serverless DB engine mode, the + scaling properties of the DB cluster. + properties: + autoPause: + type: boolean + maxCapacity: + format: int64 + type: integer + minCapacity: + format: int64 + type: integer + secondsBeforeTimeout: + format: int64 + type: integer + secondsUntilAutoPause: + format: int64 + type: integer + timeoutAction: + type: string + type: object + skipFinalSnapshot: + description: "A value that indicates whether to skip the creation + of a final DB cluster snapshot before the DB cluster is deleted. + If skip is specified, no DB cluster snapshot is created. If + skip isn't specified, a DB cluster snapshot is created before + the DB cluster is deleted. By default, skip isn't specified, + and the DB cluster snapshot is created. By default, this parameter + is disabled. \n You must specify a FinalDBSnapshotIdentifier + parameter if SkipFinalSnapshot is disabled." + type: boolean + sourceRegion: + description: SourceRegion is the source region where the resource + exists. This is not sent over the wire and is only used for + presigning. 
This value should always have the same region as + the source ARN. + type: string + storageEncrypted: + description: A value that indicates whether the DB cluster is + encrypted. + type: boolean + tags: + description: Tags to assign to the DB cluster. + items: + properties: + key: + type: string + value: + type: string + type: object + type: array + vpcSecurityGroupIDRefs: + description: VPCSecurityGroupIDRefs are references to VPCSecurityGroups + used to set the VPCSecurityGroupIDs. + items: + description: A Reference to a named object. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution + of this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which + will attempt to resolve the reference only when the + corresponding field is not present. Use 'Always' to + resolve the reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + type: array + vpcSecurityGroupIDSelector: + description: VPCSecurityGroupIDSelector selects references to + VPCSecurityGroups used to set the VPCSecurityGroupIDs. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + vpcSecurityGroupIDs: + description: A list of EC2 VPC security groups to associate with + this DB cluster. + items: + type: string + type: array + required: + - engine + - masterUserPasswordSecretRef + - region + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. 
This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: DBClusterStatus defines the observed state of DBCluster. + properties: + atProvider: + description: DBClusterObservation defines the observed state of DBCluster + properties: + activityStreamKMSKeyID: + description: "The Amazon Web Services KMS key identifier used + for encrypting messages in the database activity stream. \n + The Amazon Web Services KMS key identifier is the key ARN, key + ID, alias ARN, or alias name for the KMS key." + type: string + activityStreamKinesisStreamName: + description: The name of the Amazon Kinesis data stream used for + the database activity stream. + type: string + activityStreamMode: + description: The mode of the database activity stream. Database + events such as a change or access generate an activity stream + event. The database session can handle these events either synchronously + or asynchronously. + type: string + activityStreamStatus: + description: The status of the database activity stream. + type: string + allocatedStorage: + description: For all database engines except Amazon Aurora, AllocatedStorage + specifies the allocated storage size in gibibytes (GiB). For + Aurora, AllocatedStorage always returns 1, because Aurora DB + cluster storage size isn't fixed, but instead automatically + adjusts as needed. + format: int64 + type: integer + associatedRoles: + description: Provides a list of the Amazon Web Services Identity + and Access Management (IAM) roles that are associated with the + DB cluster. 
IAM roles that are associated with a DB cluster + grant permission for the DB cluster to access other Amazon Web + Services on your behalf. + items: + properties: + featureName: + type: string + roleARN: + type: string + status: + type: string + type: object + type: array + automaticRestartTime: + description: The time when a stopped DB cluster is restarted automatically. + format: date-time + type: string + backtrackConsumedChangeRecords: + description: The number of change records stored for Backtrack. + format: int64 + type: integer + capacity: + description: "The current capacity of an Aurora Serverless DB + cluster. The capacity is 0 (zero) when the cluster is paused. + \n For more information about Aurora Serverless, see Using Amazon + Aurora Serverless (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html) + in the Amazon Aurora User Guide." + format: int64 + type: integer + cloneGroupID: + description: Identifies the clone group to which the DB cluster + is associated. + type: string + clusterCreateTime: + description: Specifies the time when the DB cluster was created, + in Universal Coordinated Time (UTC). + format: date-time + type: string + crossAccountClone: + description: Specifies whether the DB cluster is a clone of a + DB cluster owned by a different Amazon Web Services account. + type: boolean + customEndpoints: + description: Identifies all custom endpoints associated with the + cluster. + items: + type: string + type: array + dbClusterARN: + description: The Amazon Resource Name (ARN) for the DB cluster. + type: string + dbClusterIdentifier: + description: Contains a user-supplied DB cluster identifier. This + identifier is the unique key that identifies a DB cluster. + type: string + dbClusterMembers: + description: Provides the list of instances that make up the DB + cluster. 
+ items: + properties: + dbClusterParameterGroupStatus: + type: string + dbInstanceIdentifier: + type: string + isClusterWriter: + type: boolean + promotionTier: + format: int64 + type: integer + type: object + type: array + dbClusterOptionGroupMemberships: + description: Provides the list of option group memberships for + this DB cluster. + items: + properties: + dbClusterOptionGroupName: + type: string + status: + type: string + type: object + type: array + dbClusterParameterGroup: + description: Specifies the name of the DB cluster parameter group + for the DB cluster. + type: string + dbClusterResourceID: + description: The Amazon Web Services Region-unique, immutable + identifier for the DB cluster. This identifier is found in Amazon + Web Services CloudTrail log entries whenever the KMS key for + the DB cluster is accessed. + type: string + dbSubnetGroup: + description: Specifies information on the subnet group associated + with the DB cluster, including the name, description, and subnets + in the subnet group. + type: string + domainMemberships: + description: The Active Directory Domain membership records associated + with the DB cluster. + items: + properties: + domain: + type: string + fQDN: + type: string + iamRoleName: + type: string + status: + type: string + type: object + type: array + earliestBacktrackTime: + description: The earliest time to which a DB cluster can be backtracked. + format: date-time + type: string + earliestRestorableTime: + description: The earliest time to which a database can be restored + with point-in-time restore. + format: date-time + type: string + enabledCloudwatchLogsExports: + description: "A list of log types that this DB cluster is configured + to export to CloudWatch Logs. \n Log types vary by DB engine. + For information about the log types for each DB engine, see + Amazon RDS Database Log Files (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.html) + in the Amazon Aurora User Guide." 
+ items: + type: string + type: array + endpoint: + description: Specifies the connection endpoint for the primary + instance of the DB cluster. + type: string + globalWriteForwardingRequested: + description: Specifies whether you have requested to enable write + forwarding for a secondary cluster in an Aurora global database. + Because write forwarding takes time to enable, check the value + of GlobalWriteForwardingStatus to confirm that the request has + completed before using the write forwarding feature for this + cluster. + type: boolean + globalWriteForwardingStatus: + description: Specifies whether a secondary cluster in an Aurora + global database has write forwarding enabled, not enabled, or + is in the process of enabling it. + type: string + hostedZoneID: + description: Specifies the ID that Amazon Route 53 assigns when + you create a hosted zone. + type: string + httpEndpointEnabled: + description: "A value that indicates whether the HTTP endpoint + for an Aurora Serverless DB cluster is enabled. \n When enabled, + the HTTP endpoint provides a connectionless web service API + for running SQL queries on the Aurora Serverless DB cluster. + You can also query your database from inside the RDS console + with the query editor. \n For more information, see Using the + Data API for Aurora Serverless (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html) + in the Amazon Aurora User Guide." + type: boolean + iamDatabaseAuthenticationEnabled: + description: A value that indicates whether the mapping of Amazon + Web Services Identity and Access Management (IAM) accounts to + database accounts is enabled. + type: boolean + latestRestorableTime: + description: Specifies the latest time to which a database can + be restored with point-in-time restore. + format: date-time + type: string + multiAZ: + description: Specifies whether the DB cluster has instances in + multiple Availability Zones. 
+ type: boolean + percentProgress: + description: Specifies the progress of the operation as a percentage. + type: string + readReplicaIdentifiers: + description: Contains one or more identifiers of the read replicas + associated with this DB cluster. + items: + type: string + type: array + readerEndpoint: + description: "The reader endpoint for the DB cluster. The reader + endpoint for a DB cluster load-balances connections across the + Aurora Replicas that are available in a DB cluster. As clients + request new connections to the reader endpoint, Aurora distributes + the connection requests among the Aurora Replicas in the DB + cluster. This functionality can help balance your read workload + across multiple Aurora Replicas in your DB cluster. \n If a + failover occurs, and the Aurora Replica that you are connected + to is promoted to be the primary instance, your connection is + dropped. To continue sending your read workload to other Aurora + Replicas in the cluster, you can then reconnect to the reader + endpoint." + type: string + scalingConfigurationInfo: + properties: + autoPause: + type: boolean + maxCapacity: + format: int64 + type: integer + minCapacity: + format: int64 + type: integer + secondsBeforeTimeout: + format: int64 + type: integer + secondsUntilAutoPause: + format: int64 + type: integer + timeoutAction: + type: string + type: object + status: + description: Specifies the current state of this DB cluster. + type: string + tagList: + items: + properties: + key: + type: string + value: + type: string + type: object + type: array + vpcSecurityGroups: + description: Provides a list of VPC security groups that the DB + cluster belongs to. + items: + properties: + status: + type: string + vpcSecurityGroupID: + type: string + type: object + type: array + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. 
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the last time this condition
+ transitioned from one status to another.
+ format: date-time
+ type: string
+ message:
+ description: A Message containing details about this condition's
+ last transition from one status to another, if any.
+ type: string
+ reason:
+ description: A Reason for this condition's last transition from
+ one status to another.
+ type: string
+ status:
+ description: Status of this condition; is it currently True,
+ False, or Unknown?
+ type: string
+ type:
+ description: Type of this condition. At most one of each condition
+ type may apply to a resource at any point in time.
+ type: string
+ required:
+ - lastTransitionTime
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/policy-ready.yaml
new file mode 100644
index 0000000000..cbe2042e1b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: rds-enforce-final-snapshot
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/policy.yaml
new file mode 100644
index 0000000000..8c8c08359d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: rds-enforce-final-snapshot
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: rds-enforce-final-snapshot
+ match:
+ all:
+ - resources:
+ kinds:
+ - rds.aws.crossplane.io/v1alpha1/DBCluster
+ validate:
+ message: "Final snapshot must not be skipped"
+ pattern:
+ spec:
+ forProvider:
+ =(skipFinalSnapshot): "false"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/task.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/task.yaml
new file mode 100644
index 0000000000..eef6a56fd9
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/task.yaml
@@ -0,0 +1,9 @@
+apiVersion: docdb.aws.crossplane.io/v1alpha1
+kind: DBCluster
+metadata:
+ name: db-cluster-not-skipping-final-snapshot
+spec:
+ forProvider:
+ skipFinalSnapshot: false
+ region: eu-central-1
+ engine: docdb
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy.yaml
index 8c8c08359d..1e00345fbc 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: rds-enforce-final-snapshot
 spec:
- validationFailureAction: Enforce
 rules:
 - name: rds-enforce-final-snapshot
 match:
@@ -12,6 +11,7 @@ spec:
 kinds:
 - rds.aws.crossplane.io/v1alpha1/DBCluster
 validate:
+ validationFailureAction: Enforce
 message: "Final snapshot must not be skipped"
 pattern:
 spec:
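Review bot: The `task.yaml` fixture cannot tell the policy matching apart from the policy being skipped: its `apiVersion: docdb.aws.crossplane.io/v1alpha1` is outside the group the policy selects (`rds.aws.crossplane.io/v1alpha1/DBCluster`), and `skipFinalSnapshot: false` satisfies the `=(skipFinalSnapshot): "false"` pattern anyway, so the create is admitted either way. If the test is meant to show that the GVK match excludes the docdb group, the fixture should carry the value the policy rejects, `skipFinalSnapshot: true`, so a wrongly matching rule would deny it. The chainsaw test definition for this directory is not in view, so the intended outcome is inferred from the fixture's name.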
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/README.md
new file mode 100644
index 0000000000..6e28f30c43
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy to deny pod updates.
+It then creates a pod and updates it.
+
+## Expected Behavior
+
+The pod should create fine but the update should be rejected.
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/chainsaw-test.yaml
new file mode 100755
index 0000000000..c8ecfcb5b2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/chainsaw-test.yaml
@@ -0,0 +1,22 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: only-update
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-create.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-update.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/pod-create.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/pod-create.yaml
new file mode 100644
index 0000000000..4ddda0a666
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/pod-create.yaml
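Review bot: The `expect` on the second apply in step-02 of `chainsaw-test.yaml`, `($error != null): true`, passes on any failure of the update rather than on the policy's denial, so an unrelated admission or API error would also satisfy the step. The update only changes `metadata.labels`, which Kubernetes itself permits on a Pod, so the policy is the intended source of the error; if `$error` carries the admission message, a check that names it, for example `(contains($error, 'test')): true` with the policy name, would pin the rejection to the policy. `creationTimestamp: null` under `metadata` is an artefact of generation and can be dropped.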
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/pod-update.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/pod-update.yaml
new file mode 100644
index 0000000000..19fa300b03
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/pod-update.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ labels:
+ xxx: yyy
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/policy-assert.yaml
new file mode 100644
index 0000000000..5ede705d48
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/policy.yaml
new file mode 100644
index 0000000000..5947cbbbdb
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update(deprecated)/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: test
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ operations:
+ - UPDATE
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy.yaml
index 5947cbbbdb..e9f365b4eb 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: test
 spec:
- validationFailureAction: Enforce
 background: false
 rules:
 - name: test
@@ -15,4 +14,5 @@ spec:
 operations:
 - UPDATE
 validate:
+ validationFailureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/README.md
new file mode 100644
index 0000000000..cf6f5690d2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/README.md
@@ -0,0 +1,9 @@
+## Description
+
+This test create two policies:
+- one that denies `Deployment/scale` in Audit mode
+- one that denies `StatefulSet/scale` in Enforce mode
+
+It then create a statefulset and a deployment.
+
+Finally it tries to create the statefulset and expects failure, the, scales the deployment and expects success.
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/chainsaw-test.yaml
new file mode 100755
index 0000000000..e33542ef91
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/chainsaw-test.yaml
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: subresource
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policies.yaml
+ - assert:
+ file: policies-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resources.yaml
+ - name: step-03
+ try:
+ - script:
+ content: "if kubectl scale deployment nginx-deployment --replicas 2\nthen
+ \n exit 0\nelse \n exit 1\nfi\n"
+ - script:
+ content: "if kubectl scale sts nginx-sts --replicas 2\nthen \n exit 1\nelse
+ \n exit 0\nfi\n"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/policies-assert.yaml
new file mode 100644
index 0000000000..4626275f4d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/policies-assert.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-scale-deployment
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-scale-statefulset
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/policies.yaml
new file mode 100644
index 0000000000..70a00d0ad4
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/policies.yaml
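Review bot: The directory is named `subresource copy` (with a space) while every other duplicated fixture in this change uses the `(deprecated)` suffix, e.g. `only-update(deprecated)`; it reads as an accidental editor copy and should be `subresource(deprecated)` so the path states what it exercises, the spec-level `validationFailureAction`. The two scripts in step-03 also assert on exit status alone: `kubectl scale sts nginx-sts --replicas 2` failing for any reason (object not found, RBAC, a transient API error) satisfies the second script, and for the Audit-mode deployment rule nothing beyond the scale succeeding is observed. Capturing stderr and matching the policy name, which Kyverno's denial message normally includes, makes the negative case specific, and a `|` block scalar is easier to read than the `\n`-escaped double-quoted strings.
```yaml
# … unchanged: step-01, step-02 and the deployment scale script …
      - script:
          content: |
            if out=$(kubectl scale sts nginx-sts --replicas 2 2>&1); then
              exit 1
            fi
            echo "$out" | grep -q deny-scale-statefulset
```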
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-scale-deployment
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: deny-scale-deployment
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment/scale
+ validate:
+ deny: {}
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-scale-statefulset
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-scale-statefulset
+ match:
+ any:
+ - resources:
+ kinds:
+ - StatefulSet/scale
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/resources.yaml
new file mode 100644
index 0000000000..d559fd3862
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/resources.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ namespace: default
+ labels:
+ app: nginx-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx-deployment
+ template:
+ metadata:
+ labels:
+ app: nginx-deployment
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: nginx-sts
+ namespace: default
+ labels:
+ app: nginx-sts
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx-sts
+ template:
+ metadata:
+ labels:
+ app: nginx-sts
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies.yaml
index 70a00d0ad4..66b778304e 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies.yaml
@@ -5,7 +5,6 @@ metadata:
 annotations:
 pod-policies.kyverno.io/autogen-controllers: none
 spec:
- validationFailureAction: Audit
 background: false
 rules:
 - name: deny-scale-deployment
@@ -15,6 +14,7 @@ spec:
 kinds:
 - Deployment/scale
 validate:
+ validationFailureAction: Audit
 deny: {}
 ---
 apiVersion: kyverno.io/v1
@@ -24,7 +24,6 @@ metadata:
 annotations:
 pod-policies.kyverno.io/autogen-controllers: none
 spec:
- validationFailureAction: Enforce
 background: false
 rules:
 - name: deny-scale-statefulset
@@ -34,4 +33,5 @@ spec:
 kinds:
 - StatefulSet/scale
 validate:
+ validationFailureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/chainsaw-test.yaml
new file mode 100755
index 0000000000..b88c2d9055
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/chainsaw-test.yaml
@@ -0,0 +1,41 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: conditions
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - name: step-03
+ try:
+ - delete:
+ ref:
+ apiVersion: v1
+ kind: Pod
+ name: test
+ timeout: 1m0s
+ - apply:
+ file: policy-2.yaml
+ - name: step-04
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-good.yaml
+ - apply:
+ file: pod-bad.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/pod-bad.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/pod-bad.yaml
new file mode 100644
index 0000000000..30cfb1118b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/pod-bad.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: other
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:unsigned
+ name: test
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/pod-good.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/pod-good.yaml
new file mode 100644
index 0000000000..2d3d102a7a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/pod-good.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:unsigned
+ name: test
\ No newline at end of file
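Review bot: `pod-bad.yaml` and `pod-good.yaml` differ only in `metadata.name` (`other` vs `test`), and both run `ghcr.io/kyverno/test-verify-image:unsigned`, which suggests an image-verification case that this test does not have; the pod is "bad" only because the `request.name` precondition in the sibling `policy.yaml` fails for it and forces the `nothere` context lookup. A one-line header comment in each file would prevent that misreading, e.g. `# "bad" solely because metadata.name != test; see the preconditions in policy.yaml`. The unsigned image appears incidental here and is not what the test exercises.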
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy-2.yaml
new file mode 100644
index 0000000000..8392ae1b59
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy-2.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: preconditions
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: test
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ context:
+ - name: nothere
+ apiCall:
+ urlPath: /api/v1/namespaces/missing/configmaps/nothere
+ validate:
+ deny:
+ conditions:
+ all:
+ - key: "{{ request.name }}"
+ operator: Equals
+ value: test
+ message: this pod is not allowed
+ - key: "{{ nothere }}"
+ operator: Equals
+ value: hello
+ message: value mismatch
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy-assert.yaml
new file mode 100644
index 0000000000..199f8746dc
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: preconditions
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy.yaml
new file mode 100644
index 0000000000..66a01a5123
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: preconditions
+spec:
+ admission: true
+ background: false
+ rules:
+ - context:
+ - apiCall:
+ method: GET
+ urlPath: /api/v1/namespaces/missing/configmaps/nothere
+ name: nothere
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: test
+ preconditions:
+ any:
+ - key: '{{ request.name }}'
+ message: this pod is not allowed
+ operator: Equals
+ value: test
+ - key: '{{ nothere }}'
+ message: value mismatch
+ operator: Equals
+ value: hello
+ validate:
+ pattern:
+ metadata:
+ name: '*'
+ validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/README.md
new file mode 100644
index 0000000000..56d72502a9
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test verifies a variable definition is not evaluated until the condition is used
+
+## Expected Behavior
+
+The policy should not cause an error if the first condition (any) passes. The policy should cause an error if the first condition (all) fails.
+
+## Reference Issues
+
+https://github.com/kyverno/kyverno/issues/7211
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/policy.yaml
index 66a01a5123..3c71b12ddc 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/policy.yaml
@@ -28,7 +28,7 @@ spec:
 operator: Equals
 value: hello
 validate:
+ validationFailureAction: Enforce
 pattern:
 metadata:
 name: '*'
- validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/README.md
new file mode 100644
index 0000000000..5a825e7038
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/README.md
@@ -0,0 +1,3 @@
+## Description
+
+Basic validate test to check that a verify-image policy cannot be created when the policy has wildcard(*) included in match any/all resource block.
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/chainsaw-test.yaml
new file mode 100755
index 0000000000..5e80b4845e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/chainsaw-test.yaml
@@ -0,0 +1,14 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: block-verifyimage
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/policy.yaml
new file mode 100644
index 0000000000..ca98a584f0
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: verify-image
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: verify-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - "*"
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno/test-verify-image:*"
+ mutateDigest: true
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
+ ctlog:
+ ignoreSCT: true
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/policy.yaml
index ca98a584f0..9f320c0af2 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: verify-image
 spec:
- validationFailureAction: Enforce
 background: false
 rules:
 - name: verify-image
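Review bot: Nothing in this `policy.yaml` says it is meant to be rejected; a reader who finds a public key, a Rekor URL and `ignoreTlog`/`ignoreSCT` set to `true` will take it for a working verification fixture, and if Kyverno's rejection of `verifyImages` rules matching `kinds: "*"` ever loosened, the only signal would be the coarse `($error != null): true` check in the sibling `chainsaw-test.yaml`. A header comment would make the intent explicit, e.g. `# Intentionally invalid: verifyImages rules must not match kinds "*"; the test asserts this policy is rejected at admission.` The key material and the disabled transparency-log checks are acceptable for a fixture that is never expected to verify anything, but that should be stated rather than left to inference.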