Add Chainsaw Test for Conditional Anchor (#9295) (#9304)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2023-12-28 13:16:31 +00:00 · 2023-12-28 13:16:31 +00:00 · 5f9ed6f0f8
commit 5f9ed6f0f8
parent ccb05b3a7d
6 changed files with 135 additions and 0 deletions
--- a/test/conformance/chainsaw/validate/anchors/conditional/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validate/anchors/conditional/chainsaw-test.yaml
@ -0,0 +1,39 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: conditional-anchor
+spec:
+  steps:
+    - name: apply-namespace
+      try:
+        - apply:
+            file: namespace.yaml
+    - name: apply-policy
+      try:
+        - apply:
+            file: policy.yaml
+        - assert:
+            file: policy-ready.yaml
+    - name: apply-labelled-resource
+      try:
+        - apply:
+            file: labelled-resource.yaml
+    - name: apply-unlabelled-resource
+      try:
+        - apply:
+            file: unlabelled-resource.yaml
+    - name: apply-scaling
+      try:
+        - script:
+            content:
+              "if kubectl -n test-anchors scale deployment labelled-deployment --replicas 2\nthen
+              \n  exit 0\nelse \n  exit 1\nfi\n"
+        - script:
+            content:
+              "if kubectl -n test-anchors scale deployment labelled-deployment --replicas 9\nthen
+              \n  exit 1\nelse \n  exit 0\nfi\n"
+        - script:
+            content:
+              "if kubectl -n test-anchors scale deployment unlabelled-deployment --replicas 9\nthen
+              \n  exit 0\nelse \n  exit 1\nfi\n"
--- a/test/conformance/chainsaw/validate/anchors/conditional/labelled-resource.yaml
+++ b/test/conformance/chainsaw/validate/anchors/conditional/labelled-resource.yaml
@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+    type: monitoring
+  name: labelled-deployment
+  namespace: test-anchors
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+      type: monitoring
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: busybox
+        type: monitoring
+    spec:
+      containers:
+        - name: busybox
+          image: busybox:1.35
--- a/test/conformance/chainsaw/validate/anchors/conditional/namespace.yaml
+++ b/test/conformance/chainsaw/validate/anchors/conditional/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-anchors
--- a/test/conformance/chainsaw/validate/anchors/conditional/policy-ready.yaml
+++ b/test/conformance/chainsaw/validate/anchors/conditional/policy-ready.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-scale
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/chainsaw/validate/anchors/conditional/policy.yaml
+++ b/test/conformance/chainsaw/validate/anchors/conditional/policy.yaml
@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: restrict-scale
+  annotations:
+    policies.kyverno.io/title: Restrict Scale
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.9.0
+    policies.kyverno.io/minversion: 1.9.0
+    kyverno.io/kubernetes-version: "1.24"
+    policies.kyverno.io/subject: Deployment
+    policies.kyverno.io/description: >-
+      Pod controllers such as Deployments which implement replicas and permit the scale action
+      use a `/scale` subresource to control this behavior. In addition to checks for creations of
+      such controllers that their replica is in a certain shape, the scale operation and subresource
+      needs to be accounted for as well. This policy, operable beginning in Kyverno 1.9, is a collection
+      of rules which can be used to limit the replica count both upon creation of a Deployment and
+      when a scale operation is performed.
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+    # This rule can be used to limit scale operations based upon Deployment labels assuming the given label
+    # is also used as a selector.
+    - name: scale-max-eight
+      match:
+        any:
+          - resources:
+              kinds:
+                - Deployment/scale
+      validate:
+        message: The replica count for this Deployment may not exceed 8.
+        pattern:
+          (status):
+            (selector): "*type=monitoring*"
+          spec:
+            replicas: <9
--- a/test/conformance/chainsaw/validate/anchors/conditional/unlabelled-resource.yaml
+++ b/test/conformance/chainsaw/validate/anchors/conditional/unlabelled-resource.yaml
@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: unlabelled-deployment
+  namespace: test-anchors
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+        - name: busybox
+          image: busybox:1.35