chore: add more chainsaw tests for generate.foreach
(#11140)
* chore: rename tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * tests: add cpol-data-sync-update-policy Signed-off-by: ShutingZhao <shuting@nirmata.com> * tests: add cpol-data-sync-update-target Signed-off-by: ShutingZhao <shuting@nirmata.com> * tests: add cpol-clone-sync-update-source Signed-off-by: ShutingZhao <shuting@nirmata.com> * tests: add cpol-clone-sync-update-target Signed-off-by: ShutingZhao <shuting@nirmata.com> * tests: add cpol-clone-list-sync-update-source Signed-off-by: ShutingZhao <shuting@nirmata.com> * tests: rename vars in cpol-clone-list-sync-update-source Signed-off-by: ShutingZhao <shuting@nirmata.com> * tests: add cpol-clone-list-sync-update-target Signed-off-by: ShutingZhao <shuting@nirmata.com> * tests: add test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create Signed-off-by: ShutingZhao <shuting@nirmata.com> * tests: add cpol-clone-list-sync-create Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
parent
b0588afba1
commit
65782d37f8
80 changed files with 1395 additions and 4 deletions
|
@ -51,6 +51,7 @@ func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule {
|
|||
rule.DeepCopyInto(new)
|
||||
new.Generation.Synchronize = true
|
||||
new.Generation.SetData(nil)
|
||||
new.Generation.ForEachGeneration = nil
|
||||
new.Generation.OrphanDownstreamOnPolicyDelete = true
|
||||
return new
|
||||
}
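Review bot: The cleared field `new.Generation.ForEachGeneration = nil` has no comment saying why the whole foreach list is treated as mutable, while the neighbouring `new.Generation.SetData(nil)` makes the same choice for the top-level data; a one-liner such as `// foreach entries carry their own data/clone targets, so clear them for the same reason as SetData(nil) above` would make the pairing explicit. Which of the seven lines is the addition is inferred from the 6→7 hunk counts and the commit subject, since the rendered page lost the markers. Separately, the local named `new` shadows the builtin `new` in `rule.DeepCopyInto(new)` and `return new`; renaming it to `out` would avoid that without changing behaviour. resetMutableFields starts before this hunk, so its allocation of `new` and any doc comment are not visible here.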
|
||||
|
|
|
@ -45,16 +45,16 @@
|
|||
"^generate$/^clusterpolicy$/^cornercases$/^(cpol-data-sync-to-nosync-delete-rule-deprecated|cpol-data-trigger-not-present|data-role-and-rolebinding|generate-event-upon-edit|pod-restart-on-cm-update|pod-restart-on-cm-update-deprecated|trigger-resource-name-exceeds-63-characters)\\[.*\\]$",
|
||||
"^generate$/^clusterpolicy$/^standard$/^clone$/^multiple$/^sync$/^(basic-create)\\[.*\\]$",
|
||||
"^generate$/^clusterpolicy$/^standard$/^clone$/^nosync$/^(cpol-clone-nosync-create|cpol-clone-nosync-delete-downstream|cpol-clone-nosync-delete-policy|cpol-clone-nosync-delete-rule|cpol-clone-nosync-delete-source|cpol-clone-nosync-delete-trigger|cpol-clone-nosync-modify-downstream|cpol-clone-nosync-modify-source|cpol-clone-nosync-update-trigger-no-match)\\[.*\\]$",
|
||||
"^generate$/^clusterpolicy$/^standard$/^clone$/^sync$/^(cpol-clone-list-sync-create|cpol-clone-list-sync-create-deprecated|cpol-clone-list-sync-delete-source|cpol-clone-list-sync-update|cpol-clone-list-sync-update-deprecated|cpol-clone-sync-create|cpol-clone-sync-delete-downstream|cpol-clone-sync-delete-policy|cpol-clone-sync-delete-rule|cpol-clone-sync-delete-source|cpol-clone-sync-delete-trigger|cpol-clone-sync-existing-update-trigger-no-precondition|cpol-clone-sync-existing-update-trigger-no-precondition-deprecated|cpol-clone-sync-modify-downstream|cpol-clone-sync-modify-downstream-apply|cpol-clone-sync-modify-source|cpol-clone-sync-no-existing-update-trigger-no-precondition|cpol-clone-sync-update-trigger-no-match)\\[.*\\]$",
|
||||
"^generate$/^clusterpolicy$/^standard$/^clone$/^sync$/^(cpol-clone-list-sync-create|cpol-clone-list-sync-create-deprecated|cpol-clone-list-sync-delete-source|cpol-clone-list-sync-update-deprecated|cpol-clone-list-sync-update-source|cpol-clone-sync-create|cpol-clone-sync-delete-downstream|cpol-clone-sync-delete-policy|cpol-clone-sync-delete-rule|cpol-clone-sync-delete-source|cpol-clone-sync-delete-trigger|cpol-clone-sync-existing-update-trigger-no-precondition|cpol-clone-sync-existing-update-trigger-no-precondition-deprecated|cpol-clone-sync-modify-downstream|cpol-clone-sync-modify-downstream-apply|cpol-clone-sync-modify-source|cpol-clone-sync-no-existing-update-trigger-no-precondition|cpol-clone-sync-update-trigger-no-match)\\[.*\\]$",
|
||||
"^generate$/^clusterpolicy$/^standard$/^data$/^nosync$/^(cpol-data-nosync-delete-downstream|cpol-data-nosync-delete-policy|cpol-data-nosync-delete-rule|cpol-data-nosync-delete-trigger|cpol-data-nosync-modify-downstream|cpol-data-nosync-modify-rule|cpol-data-nosync-update-trigger-no-match|generate-on-subresource-trigger)\\[.*\\]$",
|
||||
"^generate$/^clusterpolicy$/^standard$/^data$/^nosync-deprecated$/^(cpol-data-nosync-delete-downstream|cpol-data-nosync-delete-policy|cpol-data-nosync-delete-rule|cpol-data-nosync-modify-downstream|cpol-data-nosync-modify-rule|generate-on-subresource-trigger)\\[.*\\]$",
|
||||
"^generate$/^clusterpolicy$/^standard$/^data$/^sync$/^(cpol-data-sync-create|cpol-data-sync-delete-downstream|cpol-data-sync-delete-one-trigger|cpol-data-sync-delete-policy|cpol-data-sync-delete-rule|cpol-data-sync-delete-trigger|cpol-data-sync-existing-update-trigger-no-precondition|cpol-data-sync-modify-downstream|cpol-data-sync-modify-policy|cpol-data-sync-modify-rule|cpol-data-sync-mutate-and-generate|cpol-data-sync-no-existing-update-trigger-no-precondition|cpol-data-sync-orphan-downstream-delete-policy|cpol-data-sync-update-trigger-no-match)\\[.*\\]$",
|
||||
"^generate$/^clusterpolicy$/^standard$/^data$/^sync-deprecated$/^(cpol-data-sync-create|cpol-data-sync-delete-downstream|cpol-data-sync-delete-policy|cpol-data-sync-delete-rule|cpol-data-sync-existing-update-trigger-no-precondition|cpol-data-sync-modify-downstream|cpol-data-sync-modify-rule|cpol-data-sync-orphan-downstream-delete-policy)\\[.*\\]$",
|
||||
"^generate$/^clusterpolicy$/^standard$/^existing$/^(different-configurations-for-generate-existing|different-generate-existing-values|different-generate-existing-values-reorder|existing-basic-add-rule-data|existing-basic-create-policy-data|existing-basic-create-policy-preconditions-data|existing-with-wildcard-name-matching)\\[.*\\]$",
|
||||
"^generate$/^clusterpolicy$/^standard$/^existing-deprecated$/^(existing-basic-add-rule-data|existing-basic-create-policy-data|existing-basic-create-policy-preconditions-data)\\[.*\\]$",
|
||||
"^generate$/^foreach$/^clusterpolicy$/^clone$/^sync$/^(cpol-clone-list-sync-delete-source|cpol-clone-sync-create|cpol-clone-sync-create-delete-source)\\[.*\\]$",
|
||||
"^generate$/^foreach$/^clusterpolicy$/^data$/^sync$/^(cpol-data-sync-create|cpol-data-sync-delete-policy)\\[.*\\]$",
|
||||
"^generate$/^foreach$/^existing$/^(cpol-clone-sync-create)\\[.*\\]$",
|
||||
"^generate$/^foreach$/^clusterpolicy$/^clone$/^sync$/^(cpol-clone-list-sync-delete-source|cpol-clone-list-sync-update-source|cpol-clone-list-sync-update-target|cpol-clone-sync-create|cpol-clone-sync-create-delete-source|cpol-clone-sync-update-source|cpol-clone-sync-update-target)\\[.*\\]$",
|
||||
"^generate$/^foreach$/^clusterpolicy$/^data$/^sync$/^(cpol-data-sync-create|cpol-data-sync-delete-policy|cpol-data-sync-update-policy|cpol-data-sync-update-target)\\[.*\\]$",
|
||||
"^generate$/^foreach$/^existing$/^(cpol-clone-list-sync-create|cpol-clone-sync-create|cpol-data-sync-create)\\[.*\\]$",
|
||||
"^generate$/^policy$/^cornercases$/^(pol-clone-create-on-trigger-deletion|pol-clone-sync-create-source-after-policy|pol-data-create-on-trigger-deletion)\\[.*\\]$",
|
||||
"^generate$/^policy$/^standard$/^clone$/^nosync$/^(pol-clone-nosync-create|pol-clone-nosync-delete-downstream|pol-clone-nosync-delete-policy|pol-clone-nosync-delete-rule|pol-clone-nosync-delete-source|pol-clone-nosync-delete-trigger|pol-clone-nosync-invalid|pol-clone-nosync-modify-downstream|pol-clone-nosync-modify-source|pol-clone-nosync-update-trigger-no-match)\\[.*\\]$",
|
||||
"^generate$/^policy$/^standard$/^clone$/^sync$/^(pol-clone-sync-delete-downstream|pol-clone-sync-delete-policy|pol-clone-sync-delete-rule|pol-clone-sync-delete-source|pol-clone-sync-delete-trigger|pol-clone-sync-invalid|pol-clone-sync-modify-downstream|pol-clone-sync-modify-source|pol-clone-sync-update-trigger-no-match)\\[.*\\]$",
|
||||
|
|
|
@ -0,0 +1,58 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:cpol-clone-list-sync-update-source
|
||||
labels:
|
||||
rbac.kyverno.io/aggregate-to-background-controller: "true"
|
||||
rbac.kyverno.io/aggregate-to-admission-controller: "true"
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-source-existing-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret-1
|
||||
namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "false"
|
||||
location: europe
|
||||
name: mysecret-2
|
||||
namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-source-target-ns-1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-source-target-ns-2
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-source
|
||||
spec:
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
name: k-kafka-address
|
||||
context:
|
||||
- name: configmapns
|
||||
variable:
|
||||
jmesPath: request.object.metadata.namespace
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{configmapns}}'
|
||||
operator: Equals
|
||||
value: '{{request.object.metadata.namespace}}'
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: true
|
||||
foreach:
|
||||
- list: request.object.data.namespaces | split(@, ',')
|
||||
context:
|
||||
- name: ns
|
||||
variable:
|
||||
jmesPath: element
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ ns }}'
|
||||
operator: AnyIn
|
||||
value:
|
||||
- foreach-cpol-clone-list-sync-update-source-target-ns-1
|
||||
namespace: '{{ ns }}'
|
||||
cloneList:
|
||||
kinds:
|
||||
- v1/Secret
|
||||
namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
|
||||
selector:
|
||||
matchLabels:
|
||||
allowedToBeCloned: "true"
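Review bot: The rule-level precondition compares `{{configmapns}}` with `{{request.object.metadata.namespace}}`, but `configmapns` is defined as exactly that JMESPath, so the check is always true and does not restrict which namespace the trigger may come from. Either compare against the trigger namespace this test uses, `value: foreach-cpol-clone-list-sync-update-source-trigger-ns`, or drop the context entry and precondition; the cpol-clone-sync-update-* policies in this commit use `value: 'default'` for the same purpose. The same tautology appears in the 1-1-policy.yaml of foreach-cpol-clone-list-sync-update-target.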
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-source
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-source-trigger-ns
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: foreach-cpol-clone-list-sync-update-source-trigger-ns
|
||||
data:
|
||||
namespaces: foreach-cpol-clone-list-sync-update-source-target-ns-1,foreach-cpol-clone-list-sync-update-source-target-ns-2
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret-1
|
||||
namespace: foreach-cpol-clone-list-sync-update-source-target-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret-2
|
||||
namespace: foreach-cpol-clone-list-sync-update-source-target-ns-2
|
||||
type: Opaque
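Review bot: The negative check in `3-2-target-none-expected.yaml` names `mysecret-2` in `...-target-ns-2`, and that object is absent for two independent reasons — the source `mysecret-2` carries `allowedToBeCloned: "false"` so the `matchLabels` selector skips it, and `-target-ns-2` is not in the foreach `AnyIn` list — so a regression in either the selector or the precondition would go unnoticed. Splitting it into two manifests, `mysecret-1` in `-target-ns-2` (precondition only) and `mysecret-2` in `-target-ns-1` (selector only), would make each failure mode observable. The cpol-clone-list-sync-update-target test has no negative check at all and would benefit from the same two files.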
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: bm90LWJhcg==
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret-1
|
||||
namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
|
||||
type: Opaque
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: bm90LWJhcg==
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret-1
|
||||
namespace: foreach-cpol-clone-list-sync-update-source-target-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,12 @@
|
|||
## Description
|
||||
|
||||
This test checks the synchronize behavior for a "generate foreach cloneList" policy upon source changes.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
1. trigger the standard policy, expect a secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1` to be cloned.
|
||||
2. update the source secret, expect changes to be synced to the cloned secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1`.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/3542
|
|
@ -0,0 +1,31 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-clone-list-sync-delete-source
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: 1-0-existing.yaml
|
||||
- apply:
|
||||
file: 1-1-policy.yaml
|
||||
- assert:
|
||||
file: 1-2-policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: 2-1-trigger.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- assert:
|
||||
file: 3-1-target-expected.yaml
|
||||
- error:
|
||||
file: 3-2-target-none-expected.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: 4-1-update-source.yaml
|
||||
- assert:
|
||||
file: 4-2-updated-target.yaml
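Review bot: `metadata.name: cpol-clone-list-sync-delete-source` looks like a copy-paste leftover — every other identifier in this test is `cpol-clone-list-sync-update-source`, and the README in the same directory still refers to `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1` while the assert files use `...-update-source-target-ns-1`. If chainsaw keys its reports on this name, duplicates across directories make failures hard to attribute; change it to `name: cpol-clone-list-sync-update-source`. The same stale names recur in the chainsaw-test.yaml for cpol-clone-list-sync-update-target (`cpol-clone-list-sync-delete-source`) and for cpol-clone-sync-update-source, cpol-clone-sync-update-target and cpol-data-sync-update-policy (all `cpol-data-sync-create`).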
|
|
@ -0,0 +1,58 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:cpol-clone-list-sync-update-target
|
||||
labels:
|
||||
rbac.kyverno.io/aggregate-to-background-controller: "true"
|
||||
rbac.kyverno.io/aggregate-to-admission-controller: "true"
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-target-existing-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret-1
|
||||
namespace: foreach-cpol-clone-list-sync-update-target-existing-ns
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "false"
|
||||
location: europe
|
||||
name: mysecret-2
|
||||
namespace: foreach-cpol-clone-list-sync-update-target-existing-ns
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-target-target-ns-1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-target-target-ns-2
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-target
|
||||
spec:
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
name: k-kafka-address
|
||||
context:
|
||||
- name: configmapns
|
||||
variable:
|
||||
jmesPath: request.object.metadata.namespace
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{configmapns}}'
|
||||
operator: Equals
|
||||
value: '{{request.object.metadata.namespace}}'
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: true
|
||||
foreach:
|
||||
- list: request.object.data.namespaces | split(@, ',')
|
||||
context:
|
||||
- name: ns
|
||||
variable:
|
||||
jmesPath: element
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ ns }}'
|
||||
operator: AnyIn
|
||||
value:
|
||||
- foreach-cpol-clone-list-sync-update-target-target-ns-1
|
||||
namespace: '{{ ns }}'
|
||||
cloneList:
|
||||
kinds:
|
||||
- v1/Secret
|
||||
namespace: foreach-cpol-clone-list-sync-update-target-existing-ns
|
||||
selector:
|
||||
matchLabels:
|
||||
allowedToBeCloned: "true"
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-target
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-cpol-clone-list-sync-update-target-trigger-ns
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: foreach-cpol-clone-list-sync-update-target-trigger-ns
|
||||
data:
|
||||
namespaces: foreach-cpol-clone-list-sync-update-target-target-ns-1,foreach-cpol-clone-list-sync-update-target-target-ns-2
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret-1
|
||||
namespace: foreach-cpol-clone-list-sync-update-target-target-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: bm90LWJhcg==
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret-1
|
||||
namespace: foreach-cpol-clone-list-sync-update-target-target-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,12 @@
|
|||
## Description
|
||||
|
||||
This test checks the synchronize behavior for a "generate foreach cloneList" policy upon target changes.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
1. trigger the standard policy, expect a secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1` to be cloned.
|
||||
2. update the target cloned secret, expect changes to be reverted to the cloned secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1`.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/3542
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-clone-list-sync-delete-source
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: 1-0-existing.yaml
|
||||
- apply:
|
||||
file: 1-1-policy.yaml
|
||||
- assert:
|
||||
file: 1-2-policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: 2-1-trigger.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- assert:
|
||||
file: 3-1-target-expected.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: 4-1-update-target.yaml
|
||||
- assert:
|
||||
file: 3-1-target-expected.yaml
|
|
@ -0,0 +1,37 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:cpol-clone-sync-update-source
|
||||
labels:
|
||||
rbac.kyverno.io/aggregate-to-background-controller: "true"
|
||||
rbac.kyverno.io/aggregate-to-admission-controller: "true"
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-ns-1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-ns-2
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: source-secret
|
||||
namespace: default
|
||||
type: Opaque
|
|
@ -0,0 +1,43 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-clone-sync-update-source
|
||||
spec:
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
name: k-kafka-address
|
||||
context:
|
||||
- name: configmapns
|
||||
variable:
|
||||
jmesPath: request.object.metadata.namespace
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{configmapns}}'
|
||||
operator: Equals
|
||||
value: 'default'
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: true
|
||||
foreach:
|
||||
- list: request.object.data.namespaces | split(@, ',')
|
||||
context:
|
||||
- name: ns
|
||||
variable:
|
||||
jmesPath: element
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ ns }}'
|
||||
operator: AnyIn
|
||||
value:
|
||||
- foreach-ns-1
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
name: cloned-secret-{{ elementIndex }}-{{ ns }}
|
||||
namespace: '{{ ns }}'
|
||||
clone:
|
||||
namespace: default
|
||||
name: source-secret
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-clone-sync-update-source
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,8 @@
|
|||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: default
|
||||
data:
|
||||
namespaces: foreach-ns-1,foreach-ns-2
|
||||
fo: bar
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cloned-secret-0-foreach-ns-1
|
||||
namespace: foreach-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cloned-secret-0-foreach-ns-2
|
||||
namespace: foreach-ns-2
|
||||
type: Opaque
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: bm90LWJhcg==
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: source-secret
|
||||
namespace: default
|
||||
type: Opaque
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: bm90LWJhcg==
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cloned-secret-0-foreach-ns-1
|
||||
namespace: foreach-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,12 @@
|
|||
## Description
|
||||
|
||||
This test checks the synchronize behavior for a "generate foreach clone" policy upon source changes.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
1. trigger the standard policy, expect a secret `foreach-ns-1/cloned-secret-0-foreach-ns-1` to be cloned.
|
||||
2. update the source secret, expect changes to be synced to the target secret `foreach-ns-1/cloned-secret-0-foreach-ns-1`.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/3542
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-data-sync-create
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: 1-1-source.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: 2-1-policy.yaml
|
||||
- assert:
|
||||
file: 2-2-policy-assert.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: 3-1-trigger.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: 4-1-cloned-target.yaml
|
||||
- error:
|
||||
file: 4-2-no-cloned-target.yaml
|
||||
- name: step-05
|
||||
try:
|
||||
- apply:
|
||||
file: 5-1-update-source.yaml
|
||||
- assert:
|
||||
file: 5-2-updated-target.yaml
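Review bot: Step-04 applies `4-1-cloned-target.yaml` instead of asserting it, so the secret the policy is supposed to clone into `foreach-ns-1` is created by the test itself and generation is never verified; the README's step 1 expects `foreach-ns-1/cloned-secret-0-foreach-ns-1` to be cloned, which calls for `- assert: file: 4-1-cloned-target.yaml`. Applying it may also race with or overwrite the controller's own write, so step-05's update-source check could pass or fail for unrelated reasons. The same `apply` appears in step-04 of the cpol-clone-sync-update-target chainsaw-test.yaml, where the step-05 revert is then checked against a manifest the test itself applied. `metadata.name: cpol-data-sync-create` is also stale here.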
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:cpol-clone-sync-update-target
|
||||
labels:
|
||||
rbac.kyverno.io/aggregate-to-background-controller: "true"
|
||||
rbac.kyverno.io/aggregate-to-admission-controller: "true"
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-ns-1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-ns-2
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: source-secret
|
||||
namespace: default
|
||||
type: Opaque
|
|
@ -0,0 +1,43 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-clone-sync-update-target
|
||||
spec:
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
name: k-kafka-address
|
||||
context:
|
||||
- name: configmapns
|
||||
variable:
|
||||
jmesPath: request.object.metadata.namespace
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{configmapns}}'
|
||||
operator: Equals
|
||||
value: 'default'
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: true
|
||||
foreach:
|
||||
- list: request.object.data.namespaces | split(@, ',')
|
||||
context:
|
||||
- name: ns
|
||||
variable:
|
||||
jmesPath: element
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ ns }}'
|
||||
operator: AnyIn
|
||||
value:
|
||||
- foreach-ns-1
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
name: cloned-secret-{{ elementIndex }}-{{ ns }}
|
||||
namespace: '{{ ns }}'
|
||||
clone:
|
||||
namespace: default
|
||||
name: source-secret
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-clone-sync-update-target
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,8 @@
|
|||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: default
|
||||
data:
|
||||
namespaces: foreach-ns-1,foreach-ns-2
|
||||
fo: bar
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cloned-secret-0-foreach-ns-1
|
||||
namespace: foreach-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: bm90LWJhcg==
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cloned-secret-0-foreach-ns-1
|
||||
namespace: foreach-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,12 @@
|
|||
## Description
|
||||
|
||||
This test checks the synchronize behavior for a "generate foreach clone" policy upon target changes.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
1. trigger the standard policy, expect a secret `foreach-ns-1/cloned-secret-0-foreach-ns-1` to be cloned.
|
||||
2. update the cloned secret, expect changes to be reverted to the cloned secret `foreach-ns-1/cloned-secret-0-foreach-ns-1`.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/3542
|
|
@ -0,0 +1,32 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-data-sync-create
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: 1-1-source.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: 2-1-policy.yaml
|
||||
- assert:
|
||||
file: 2-2-policy-assert.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: 3-1-trigger.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: 4-1-cloned-target.yaml
|
||||
- name: step-05
|
||||
try:
|
||||
- apply:
|
||||
file: 5-1-update-target.yaml
|
||||
- assert:
|
||||
file: 4-1-cloned-target.yaml
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-data-sync-update-policy
|
||||
spec:
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
name: k-kafka-address
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: true
|
||||
orphanDownstreamOnPolicyDelete: false
|
||||
foreach:
|
||||
- list: request.object.data.namespaces | split(@, ',')
|
||||
context:
|
||||
- name: ns
|
||||
variable:
|
||||
jmesPath: element
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ ns }}'
|
||||
operator: AnyIn
|
||||
value:
|
||||
- foreach-ns-1
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
name: my-networkpolicy-{{ elementIndex }}-{{ ns }}
|
||||
namespace: '{{ ns }}'
|
||||
data:
|
||||
metadata:
|
||||
labels:
|
||||
request.namespace: '{{ request.object.metadata.name }}'
|
||||
element.namespace: '{{ ns }}'
|
||||
element.name: '{{ element }}'
|
||||
elementIndex: '{{ elementIndex }}'
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
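Review bot: The generated label `request.namespace: '{{ request.object.metadata.name }}'` carries the trigger's name, not its namespace, so either the key or the expression is wrong; `request.object.metadata.namespace` would match the key. None of the netpol assert files in this test (`2-2-netpol.yaml`, `3-2-netpol.yaml`, `4-2-netpol.yaml`) check `metadata.labels`, so the `element`, `elementIndex` and `ns` substitutions are never verified — adding the expected labels (e.g. `elementIndex: "0"` and `element.namespace: foreach-ns-1`) to those asserts would make the foreach variable handling observable. The same label block is repeated in 3-1-update-policy.yaml and 4-1-update-policy.yaml.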
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-data-sync-update-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-ns-1
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: default
|
||||
data:
|
||||
namespaces: foreach-ns-1
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: my-networkpolicy-0-foreach-ns-1
|
||||
namespace: foreach-ns-1
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,43 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-data-sync-update-policy
|
||||
spec:
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
name: k-kafka-address
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: true
|
||||
orphanDownstreamOnPolicyDelete: false
|
||||
foreach:
|
||||
- list: request.object.data.namespaces | split(@, ',')
|
||||
context:
|
||||
- name: ns
|
||||
variable:
|
||||
jmesPath: element
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ ns }}'
|
||||
operator: AnyIn
|
||||
value:
|
||||
- foreach-ns-1
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
name: my-networkpolicy-{{ elementIndex }}-{{ ns }}-new
|
||||
namespace: '{{ ns }}'
|
||||
data:
|
||||
metadata:
|
||||
labels:
|
||||
request.namespace: '{{ request.object.metadata.name }}'
|
||||
element.namespace: '{{ ns }}'
|
||||
element.name: '{{ element }}'
|
||||
elementIndex: '{{ elementIndex }}'
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
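Review bot: This policy update changes two things at once — the target name gains `-new` and `- Egress` is dropped from `policyTypes` — while the README's step 2 describes only the rename and leaves the data change to step 3. As written, 3-2-netpol.yaml cannot distinguish a rename-triggered re-generation from a data-triggered update; keeping `- Egress` in this file and making 4-1-update-policy.yaml the step that alters the data block would isolate the two behaviours. Whether chainsaw's assert treats `policyTypes: [Ingress]` as an exact list match or a subset also affects what 3-2-netpol.yaml proves, so that is worth confirming.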
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: my-networkpolicy-0-foreach-ns-1-new
|
||||
namespace: foreach-ns-1
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-data-sync-update-policy
|
||||
spec:
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
name: k-kafka-address
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: true
|
||||
orphanDownstreamOnPolicyDelete: false
|
||||
foreach:
|
||||
- list: request.object.data.namespaces | split(@, ',')
|
||||
context:
|
||||
- name: ns
|
||||
variable:
|
||||
jmesPath: element
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ ns }}'
|
||||
operator: AnyIn
|
||||
value:
|
||||
- foreach-ns-1
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
name: my-networkpolicy-{{ elementIndex }}-{{ ns }}-new
|
||||
namespace: '{{ ns }}'
|
||||
data:
|
||||
metadata:
|
||||
labels:
|
||||
request.namespace: '{{ request.object.metadata.name }}'
|
||||
element.namespace: '{{ ns }}'
|
||||
element.name: '{{ element }}'
|
||||
elementIndex: '{{ elementIndex }}'
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: my-networkpolicy-0-foreach-ns-1-new
|
||||
namespace: foreach-ns-1
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,13 @@
|
|||
## Description
|
||||
|
||||
This test checks the synchronize behavior for a "generate foreach data" policy upon policy changes.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
1. create the standard policy, expect a netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1` to be created.
|
||||
2. change the target name in `spec.rules.generate.foreach.name`, expect a new netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1-new` to be created.
|
||||
3. change the data block in `spec.rules.generate.foreach.data`, expect the above netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1-new` to be updated.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/3542
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-data-sync-create
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: 1-1-policy.yaml
|
||||
- assert:
|
||||
file: 1-2-policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: 2-1-trigger.yaml
|
||||
- assert:
|
||||
file: 2-2-netpol.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: 3-1-update-policy.yaml
|
||||
- assert:
|
||||
file: 1-2-policy-assert.yaml
|
||||
- assert:
|
||||
file: 3-2-netpol.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: 4-1-update-policy.yaml
|
||||
- assert:
|
||||
file: 1-2-policy-assert.yaml
|
||||
- assert:
|
||||
file: 4-2-netpol.yaml
|
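Review bot: The chainsaw `metadata.name` here is `cpol-data-sync-create`, although the policy this test applies is `foreach-cpol-data-sync-update-policy` and the README in this commit describes the update-policy scenario, so a failure report will not say which directory it came from; the same copied name is used by the update-target test later in this commit, and the clone-list-sync-create test is named `cpol-clone-list-sync-delete-source`. Suggest `name: cpol-data-sync-update-policy`, `name: cpol-data-sync-update-target` and `name: cpol-clone-list-sync-create` respectively, matching the policy names and READMEs. Separately, step-03 renames the target to `...-new` but never checks what happens to the original `foreach-ns-1/my-networkpolicy-0-foreach-ns-1`; if the intended sync semantics on a target rename are known, an `error:` (or `assert:`) entry for that resource in step-03 would pin them instead of leaving the old downstream unobserved.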
|
@ -0,0 +1,44 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-data-sync-update-policy
|
||||
spec:
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
name: k-kafka-address
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: true
|
||||
orphanDownstreamOnPolicyDelete: false
|
||||
foreach:
|
||||
- list: request.object.data.namespaces | split(@, ',')
|
||||
context:
|
||||
- name: ns
|
||||
variable:
|
||||
jmesPath: element
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ ns }}'
|
||||
operator: AnyIn
|
||||
value:
|
||||
- foreach-ns-1
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
name: my-networkpolicy-{{ elementIndex }}-{{ ns }}
|
||||
namespace: '{{ ns }}'
|
||||
data:
|
||||
metadata:
|
||||
labels:
|
||||
request.namespace: '{{ request.object.metadata.name }}'
|
||||
element.namespace: '{{ ns }}'
|
||||
element.name: '{{ element }}'
|
||||
elementIndex: '{{ elementIndex }}'
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-cpol-data-sync-update-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-ns-1
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: default
|
||||
data:
|
||||
namespaces: foreach-ns-1
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: my-networkpolicy-0-foreach-ns-1
|
||||
namespace: foreach-ns-1
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: my-networkpolicy-0-foreach-ns-1
|
||||
namespace: foreach-ns-1
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
|
@ -0,0 +1,12 @@
|
|||
## Description
|
||||
|
||||
This test checks the synchronize behavior for a "generate foreach data" policy upon target changes.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
1. create the standard policy, expect a netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1` to be created.
|
||||
2. change the target resource, expect changes in netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1-new` to be reverted.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/3542
|
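Review bot: Step 2 of the expected behaviour names `foreach-ns-1/my-networkpolicy-0-foreach-ns-1-new`, but this scenario's policy generates `my-networkpolicy-0-foreach-ns-1` and step-03 of the test re-asserts `2-2-netpol.yaml`, which carries that name; the `-new` suffix appears to be copied from the update-policy README. Suggest `2. change the target resource, expect changes in netpol \`foreach-ns-1/my-networkpolicy-0-foreach-ns-1\` to be reverted.`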
|
@ -0,0 +1,25 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-data-sync-create
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: 1-1-policy.yaml
|
||||
- assert:
|
||||
file: 1-2-policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: 2-1-trigger.yaml
|
||||
- assert:
|
||||
file: 2-2-netpol.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: 3-1-update-target.yaml
|
||||
- assert:
|
||||
file: 2-2-netpol.yaml
|
|
@ -0,0 +1,58 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:cpol-clone-list-sync-create
|
||||
labels:
|
||||
rbac.kyverno.io/aggregate-to-background-controller: "true"
|
||||
rbac.kyverno.io/aggregate-to-admission-controller: "true"
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-existing-cpol-clone-list-sync-create-existing-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret-1
|
||||
namespace: foreach-existing-cpol-clone-list-sync-create-existing-ns
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "false"
|
||||
location: europe
|
||||
name: mysecret-2
|
||||
namespace: foreach-existing-cpol-clone-list-sync-create-existing-ns
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-existing-cpol-clone-list-sync-create-target-ns-1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-existing-cpol-clone-list-sync-create-target-ns-2
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-existing-cpol-clone-list-sync-create-trigger-ns
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: foreach-existing-cpol-clone-list-sync-create-trigger-ns
|
||||
data:
|
||||
namespaces: foreach-existing-cpol-clone-list-sync-create-target-ns-1,foreach-existing-cpol-clone-list-sync-create-target-ns-2
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-existing-cpol-clone-list-sync-create
|
||||
spec:
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
name: k-kafka-address
|
||||
context:
|
||||
- name: configmapns
|
||||
variable:
|
||||
jmesPath: request.object.metadata.namespace
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{configmapns}}'
|
||||
operator: Equals
|
||||
value: '{{request.object.metadata.namespace}}'
|
||||
generate:
|
||||
generateExisting: true
|
||||
synchronize: true
|
||||
foreach:
|
||||
- list: request.object.data.namespaces | split(@, ',')
|
||||
context:
|
||||
- name: ns
|
||||
variable:
|
||||
jmesPath: element
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ ns }}'
|
||||
operator: AnyIn
|
||||
value:
|
||||
- foreach-existing-cpol-clone-list-sync-create-target-ns-1
|
||||
namespace: '{{ ns }}'
|
||||
cloneList:
|
||||
kinds:
|
||||
- v1/Secret
|
||||
namespace: foreach-existing-cpol-clone-list-sync-create-existing-ns
|
||||
selector:
|
||||
matchLabels:
|
||||
allowedToBeCloned: "true"
|
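Review bot: The rule-level precondition compares `{{configmapns}}` with `{{request.object.metadata.namespace}}`, but the `configmapns` context variable is itself defined as `request.object.metadata.namespace`, so the condition is always true and guards nothing. The data variant of this scenario in the same commit compares against the literal `default`; either drop the precondition here or pin it to the trigger namespace, e.g. `value: foreach-existing-cpol-clone-list-sync-create-trigger-ns`, so the generateExisting path is exercised under a precondition that can actually reject a ConfigMap.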
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: foreach-existing-cpol-clone-list-sync-create
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
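Review bot: This policy assert uses `apiVersion: kyverno.io/v2beta1`, while the policy it checks is applied as `kyverno.io/v1` and every other policy assert in this commit also uses `kyverno.io/v1`. The assert only keeps working while the cluster still serves v2beta1 for ClusterPolicy; suggest `apiVersion: kyverno.io/v1` for consistency with the rest of the suite.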
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret-1
|
||||
namespace: foreach-existing-cpol-clone-list-sync-create-target-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret-2
|
||||
namespace: foreach-existing-cpol-clone-list-sync-create-target-ns-2
|
||||
type: Opaque
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks the generateExisting behavior for a "generate foreach cloneList" policy upon policy creation.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
1. when a policy is created with `generate.generateExisting: true`, expect target netpol `foreach-existing-cpol-clone-list-sync-create-target-ns-1/mysecret-1`to be created.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/3542
|
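Review bot: The expected-behaviour line calls the generated resource a netpol, but this scenario clones a Secret (`mysecret-1` into `...-target-ns-1`), and the closing backtick runs straight into `to` (missing space). Suggest replacing `netpol` with `Secret` and writing `` `...-target-ns-1/mysecret-1` to be created.`` with the space; the same missing space before `to` appears in the data-variant README of this commit.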
|
@ -0,0 +1,23 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-clone-list-sync-delete-source
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: 0-0-existing.yaml
|
||||
- apply:
|
||||
file: 0-1-trigger.yaml
|
||||
- apply:
|
||||
file: 1-1-policy.yaml
|
||||
- assert:
|
||||
file: 1-2-policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- assert:
|
||||
file: 2-1-target-expected.yaml
|
||||
- error:
|
||||
file: 2-2-target-none-expected.yaml
|
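Review bot: The negative check in step-02 (`2-2-target-none-expected.yaml`) looks for `mysecret-2` in `...-target-ns-2`, a resource that is excluded twice over — by the foreach precondition (only `...-target-ns-1` is allowed) and by the `allowedToBeCloned` selector (the source `mysecret-2` carries `"false"`) — so a regression in either filter alone would still pass. Two targeted `error:` entries, `mysecret-1` in `...-target-ns-2` (precondition) and `mysecret-2` in `...-target-ns-1` (selector), would isolate each filter. This is inferred from the fixture and policy in the same commit; the directory layout is not visible here.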
|
@ -0,0 +1,17 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-ns-1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: foreach-ns-2
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: default
|
||||
data:
|
||||
namespaces: foreach-ns-1,foreach-ns-2
|
|
@ -0,0 +1,52 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: zk-kafka-address-foreach-cpol-data-sync-create
|
||||
spec:
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
name: k-kafka-address
|
||||
context:
|
||||
- name: configmapns
|
||||
variable:
|
||||
jmesPath: request.object.metadata.namespace
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{configmapns}}'
|
||||
operator: Equals
|
||||
value: 'default'
|
||||
generate:
|
||||
generateExisting: true
|
||||
synchronize: true
|
||||
foreach:
|
||||
- list: request.object.data.namespaces | split(@, ',')
|
||||
context:
|
||||
- name: ns
|
||||
variable:
|
||||
jmesPath: element
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ ns }}'
|
||||
operator: AnyIn
|
||||
value:
|
||||
- foreach-ns-1
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
name: my-networkpolicy-{{ elementIndex }}-{{ ns }}
|
||||
namespace: '{{ ns }}'
|
||||
data:
|
||||
metadata:
|
||||
labels:
|
||||
request.namespace: '{{ request.object.metadata.name }}'
|
||||
element.namespace: '{{ ns }}'
|
||||
element.name: '{{ element }}'
|
||||
elementIndex: '{{ elementIndex }}'
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: zk-kafka-address-foreach-cpol-data-sync-create
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: my-networkpolicy-0-foreach-ns-1
|
||||
namespace: foreach-ns-1
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: my-networkpolicy-0-foreach-ns-2
|
||||
namespace: foreach-ns-2
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks the generateExisting behavior for a "generate foreach data" policy upon policy creation.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
1. when a policy is created with `generate.generateExisting: true`, expect target netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1`to be created.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/3542
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-data-sync-create
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: 1-0-existing.yaml
|
||||
- apply:
|
||||
file: 1-1-policy.yaml
|
||||
- assert:
|
||||
file: 1-2-policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- assert:
|
||||
file: 2-2-netpol.yaml
|
||||
- error:
|
||||
file: 2-3-netpol.yaml
|