diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-assert.yaml
new file mode 100644
index 0000000000..075d398147
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-manifests.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-manifests.yaml
new file mode 100644
index 0000000000..4ed1605aab
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-manifests.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-cm-lookup
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: test-cm-lookup
+ name: keys
+data:
+ foo: bar
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-labels
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: validate-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ context:
+ - name: keys
+ configMap:
+ name: keys
+ namespace: test-cm-lookup
+ validate:
+ pattern:
+ metadata:
+ labels:
+ foo: "{{ keys.data.foo }}"
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-assert.yaml
new file mode 100644
index 0000000000..cd6d198362
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-cm-lookup-pod
+ namespace: test-cm-lookup
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-goodpod.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-goodpod.yaml
new file mode 100644
index 0000000000..74097529b4
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-goodpod.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-cm-lookup-pod
+ namespace: test-cm-lookup
+ labels:
+ foo: bar
+spec:
+ containers:
+ - image: nginx
+ name: test-cm-lookup
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/03-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/03-assert.yaml
new file mode 100644
index 0000000000..d5f9565351
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/03-assert.yaml
@@ -0,0 +1,21 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ namespace: test-cm-lookup
+results:
+- policy: validate-labels
+ resources:
+ - apiVersion: v1
+ kind: Pod
+ name: test-cm-lookup-pod
+ namespace: test-cm-lookup
+ result: pass
+ rule: validate-labels
+summary:
+ error: 0
+ fail: 0
+ pass: 1
+ skip: 0
+ warn: 0
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/99-cleanup.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/99-cleanup.yaml
new file mode 100644
index 0000000000..61b7555976
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/99-cleanup.yaml
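Review bot: `image: nginx` in 02-goodpod.yaml carries no tag or digest, so the fixture pod resolves to whatever the registry currently publishes as `latest` at run time. The pod exists only so the label pattern has an object to evaluate, but an unpinned image makes the conformance step depend on upstream image publishing rather than on the policy under test; pinning it (`image: nginx:<pinned-tag>`, placeholder) keeps the step reproducible.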
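Review bot: In 03-assert.yaml the top-level `results:` sequence is written flush with its parent key (`- policy: validate-labels` starts in the same column as `results:`), while the nested `resources:` sequence and the lists in the other files of this directory indent their `-` entries. Both forms are valid YAML, but mixing them in one file trips yamllint's `indentation` check and makes the expected PolicyReport shape harder to read; indenting the `results` entries to match the nested list keeps the test directory consistent.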
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-goodpod.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/README.md
new file mode 100644
index 0000000000..cf94c9703b
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/README.md
@@ -0,0 +1,11 @@
+## Description
+
+The configmap context lookup uses informer's cache internally, the background processing should use the same to resolve configmap context without crashing Kyverno.
+
+## Expected Behavior
+
+Policy is created successfully and the report is generated properly.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5704
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-assert.yaml
new file mode 100644
index 0000000000..8719f9010a
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: verify-image-with-multi-keys
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml
new file mode 100644
index 0000000000..3bcdfc2b50
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml
@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: default
+ name: keys
+data:
+ org: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/
+ 50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==
+ -----END PUBLIC KEY-----
+ org1:
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/
+ 50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==
+ -----END PUBLIC KEY-----
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: verify-image-with-multi-keys
+ annotations:
+ policies.kyverno.io/title: Verify Image with Multiple Keys
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.7.0
+ kyverno.io/kyverno-version: 1.7.2
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ There may be multiple keys used to sign images based on
+ the parties involved in the creation process. This image
+ verification policy requires the named image be signed by
+ two separate keys. It will search for a global "production"
+ key in a ConfigMap called `key` in the `default` Namespace
+ and also a Namespace key in the same ConfigMap.
+spec:
+ validationFailureAction: enforce
+ background: true
+ rules:
+ - name: check-image-with-two-keys
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ context:
+ - name: keys
+ configMap:
+ name: keys
+ namespace: default
+ verifyImages:
+ - image: "*"
+ key: "{{ keys.data.org }}"
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/99-cleanup.yaml
new file mode 100644
index 0000000000..15c3c49051
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/99-cleanup.yaml
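Review bot: In the ConfigMap, `org1:` has no block-scalar header, unlike `org: |-` just above it, so YAML reads the three PEM lines as one plain multi-line scalar and folds them into a single space-separated string; the stored value is not a parsable PEM key. The rule only references `{{ keys.data.org }}`, so the test still passes, but `org1` should get the same header (`org1: |-`) or be dropped, because as written it would fail the moment a second key is wired into the rule. The `policies.kyverno.io/description` annotation also describes a policy that requires two separate keys from a ConfigMap called `key`, while the rule checks a single key from the ConfigMap `keys`; the text should say what the rule actually does. Separately, this ClusterPolicy is `enforce` on `image: "*"` and its ConfigMap lives in the shared `default` namespace, whereas the sibling validate test isolates itself in a dedicated namespace; if kuttl runs test directories concurrently (I believe that is its default, confirm against the suite's kuttl config), Pods created by other tests while this policy is Ready would be subjected to signature verification against this key, and the `keys` ConfigMap could collide with another test using the same name.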
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/README.md
new file mode 100644
index 0000000000..73e0b53bb4
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/README.md
@@ -0,0 +1,13 @@
+## Description
+
+The configmap context lookup uses informer's cache internally, the background processing should use the same to resolve configmap context without crashing Kyverno.
+
+This is the second test for configmap lookup, see `test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/README.md` for another.
+
+## Expected Behavior
+
+Policy is expected to be successfully created AND not result in an internal panic.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5704
\ No newline at end of file