feat: add kuttl tests for #5704 (#5707)

* add kuttl tests for #5704 Signed-off-by: ShutingZhao <shuting@nirmata.com> * address comments Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2022-12-16 22:18:48 +08:00 · 2022-12-16 22:18:48 +08:00 · 69739f3778
commit 69739f3778
parent a80ee683c1
11 changed files with 178 additions and 0 deletions
--- a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-assert.yaml
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-assert.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-labels
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-manifests.yaml
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-manifests.yaml
@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-cm-lookup
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: test-cm-lookup
+  name: keys
+data:
+  foo: bar
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-labels
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: validate-labels
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      context:
+      - name: keys
+        configMap:
+          name: keys
+          namespace: test-cm-lookup
+      validate:
+        pattern:
+          metadata:
+            labels:
+              foo: "{{ keys.data.foo }}"
--- a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-assert.yaml
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-assert.yaml
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cm-lookup-pod
+  namespace: test-cm-lookup
--- a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-goodpod.yaml
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-goodpod.yaml
@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cm-lookup-pod
+  namespace: test-cm-lookup
+  labels:
+    foo: bar
+spec:
+  containers:
+  - image: nginx
+    name: test-cm-lookup
--- a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/03-assert.yaml
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/03-assert.yaml
@ -0,0 +1,21 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  namespace: test-cm-lookup
+results:
+- policy: validate-labels
+  resources:
+  - apiVersion: v1
+    kind: Pod
+    name: test-cm-lookup-pod
+    namespace: test-cm-lookup
+  result: pass
+  rule: validate-labels
+summary:
+  error: 0
+  fail: 0
+  pass: 1
+  skip: 0
+  warn: 0
--- a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/99-cleanup.yaml
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/99-cleanup.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-manifests.yaml,02-goodpod.yaml --force --wait=true --ignore-not-found=true
--- a/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/README.md
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/README.md
@ -0,0 +1,11 @@
+## Description
+
+The configmap context lookup uses informer's cache internally, the background processing should use the same to resolve configmap context without crashing Kyverno.
+
+## Expected Behavior
+
+Policy is created successfully and the report is generated properly.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5704
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-assert.yaml
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-assert.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: verify-image-with-multi-keys
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml
@ -0,0 +1,54 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: default
+  name: keys
+data:
+  org: |-
+    -----BEGIN PUBLIC KEY-----
+    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/
+    50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==
+    -----END PUBLIC KEY-----    
+  org1:
+    -----BEGIN PUBLIC KEY-----
+    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/
+    50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==
+    -----END PUBLIC KEY-----
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: verify-image-with-multi-keys
+  annotations:
+    policies.kyverno.io/title: Verify Image with Multiple Keys
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/minversion: 1.7.0
+    kyverno.io/kyverno-version: 1.7.2
+    kyverno.io/kubernetes-version: "1.23"
+    policies.kyverno.io/description: >-
+      There may be multiple keys used to sign images based on
+      the parties involved in the creation process. This image
+      verification policy requires the named image be signed by
+      two separate keys. It will search for a global "production"
+      key in a ConfigMap called `key` in the `default` Namespace
+      and also a Namespace key in the same ConfigMap.
+spec:
+  validationFailureAction: enforce
+  background: true
+  rules:
+    - name: check-image-with-two-keys
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      context:
+      - name: keys
+        configMap:
+          name: keys
+          namespace: default
+      verifyImages:
+        - image: "*"
+          key: "{{ keys.data.org }}"
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/99-cleanup.yaml
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/99-cleanup.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/README.md
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/configmap-context-lookup/README.md
@ -0,0 +1,13 @@
+## Description
+
+The configmap context lookup uses informer's cache internally, the background processing should use the same to resolve configmap context without crashing Kyverno.
+
+This is the second test for configmap lookup, see `test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/README.md` for another.
+
+## Expected Behavior
+
+Policy is expected to be successfully created AND not result in an internal panic.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5704