diff --git a/pkg/kyverno/apply/apply_command_test.go b/pkg/kyverno/apply/apply_command_test.go index a2bcf4c0c0..e7a3e6c36b 100644 --- a/pkg/kyverno/apply/apply_command_test.go +++ b/pkg/kyverno/apply/apply_command_test.go @@ -45,9 +45,25 @@ func Test_Apply(t *testing.T) { }, }, }, + { + PolicyPaths: []string{"../../../test/cli/apply/policies"}, + ResourcePaths: []string{"../../../test/cli/apply/resource"}, + expectedPolicyReports: []preport.PolicyReport{ + { + Summary: preport.PolicyReportSummary{ + Pass: 1, + Fail: 1, + Skip: 4, + Error: 0, + Warn: 0, + }, + }, + }, + }, } compareSummary := func(expected preport.PolicyReportSummary, actual map[string]interface{}) { + assert.Assert(t, actual[preport.StatusPass].(int64) == int64(expected.Pass)) assert.Assert(t, actual[preport.StatusFail].(int64) == int64(expected.Fail)) assert.Assert(t, actual[preport.StatusSkip].(int64) == int64(expected.Skip)) diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go index 8460933724..d80cff5260 100644 --- a/pkg/kyverno/common/common.go +++ b/pkg/kyverno/common/common.go @@ -735,6 +735,26 @@ func GetResourceAccordingToResourcePath(fs billy.Filesystem, resourcePaths []str } } } else if (len(resourcePaths) > 0 && resourcePaths[0] != "-") || len(resourcePaths) < 0 || cluster { + + fileDesc, err := os.Stat(resourcePaths[0]) + if err != nil { + return nil, err + } + if fileDesc.IsDir() { + + files, err := ioutil.ReadDir(resourcePaths[0]) + if err != nil { + return nil, sanitizederror.NewWithError(fmt.Sprintf("failed to parse %v", resourcePaths[0]), err) + } + listOfFiles := make([]string, 0) + for _, file := range files { + ext := filepath.Ext(file.Name()) + if ext == ".yaml" || ext == ".yml" { + listOfFiles = append(listOfFiles, filepath.Join(resourcePaths[0], file.Name())) + } + } + resourcePaths = listOfFiles + } resources, err = GetResources(policies, resourcePaths, dClient, cluster, namespace, policyReport) if err != nil { return resources, err 
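Review bot: The new table entry expects `Skip: 4` for what looks like a single rule applied to two Pods, and nothing in the hunk says where four skips come from. A short comment above the entry would make the numbers checkable, for example `// directory inputs: untagged nginx passes, nginx:latest fails; skips come from <reason>`, with the reason filled in by the author. The case also only covers a directory that holds one YAML file; a fixture with a non-YAML file or a sub-directory beside it would pin the extension filter added in common.go. Test_Apply starts and ends outside this hunk.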
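Review bot: `os.Stat(resourcePaths[0])` runs on every path into this branch, but the condition also admits `cluster` with an empty `resourcePaths`, so the index can panic; and when `cluster` is set the entries are presumably resource names rather than files, so the stat error would abort a lookup that worked before. Guard the expansion with `if !cluster && len(resourcePaths) > 0 {`. Only the first entry is inspected, and `resourcePaths = listOfFiles` drops any further paths the caller passed when the first one is a directory; looping over all entries would avoid that. The loop also keeps directory entries whose name ends in `.yaml`/`.yml` (a `file.IsDir()` check would skip them), and the raw `os.Stat` error bypasses the `sanitizederror` wrapping used for the `ReadDir` failure just below. The function starts before and continues after this hunk.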
diff --git a/test/cli/apply/policies/policy.yaml b/test/cli/apply/policies/policy.yaml
new file mode 100644
index 0000000000..0b84e4aad5
--- /dev/null
+++ b/test/cli/apply/policies/policy.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag
+ annotations:
+ policies.kyverno.io/category: Best Practices
+ policies.kyverno.io/description: >-
+ The ':latest' tag is mutable and can lead to unexpected errors if the
+ image changes. A best practice is to use an immutable tag that maps to
+ a specific version of an application pod.
+spec:
+ validationFailureAction: audit
+ rules:
+ - name: validate-image-tag
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Using a mutable image tag e.g. 'latest' is not allowed."
+ pattern:
+ spec:
+ containers:
+ - image: "!*:latest"
\ No newline at end of file
diff --git a/test/cli/apply/resource/resources.yaml b/test/cli/apply/resource/resources.yaml
new file mode 100644
index 0000000000..36d9edad1a
--- /dev/null
+++ b/test/cli/apply/resource/resources.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-require-image-tag-fail
+ labels:
+ app: app
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-validate-image-tag-ignore
+ labels:
+ app: app
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
\ No newline at end of file
diff --git a/test/policy.yaml b/test/policy.yaml
deleted file mode 100644
index 8439ce5744..0000000000
--- a/test/policy.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: who-created-this
-spec:
- background: false
- failurePolicy: Ignore
- rules:
- - name: who-created-this
- match:
- all:
- - resources:
- kinds:
- - "*"
- mutate:
- patchStrategicMerge:
- metadata:
- annotations:
- test: "app"
\ No newline at end of file
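Review bot: The Pod named `test-require-image-tag-fail` in resources.yaml uses the untagged image `nginx`, which the only rule in the accompanying policy fixture (`!*:latest`) lets through, so it is the passing resource, while `test-validate-image-tag-ignore` is the one that fails. Renaming them to match the outcome, e.g. `untagged-image-pass` and `latest-tag-fail`, would keep the fixture readable next to the expected `Pass: 1, Fail: 1`. An untagged image is pulled as `latest`, so if that pass is not intended the policy fixture would also need a rule requiring a tag, e.g. pattern `image: "*:*"`; otherwise a `#` comment saying the gap is deliberate would help.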
diff --git a/test/resources.yaml b/test/resources.yaml
deleted file mode 100644
index e3a78a39c5..0000000000
--- a/test/resources.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: test-require-image-tag-pass
-spec:
- containers:
- - name: nginx
- image: nginx:latest
\ No newline at end of file