feat: add chainsaw test for policy webhook based configuration (#9645)

* feat: add chainsaw test for policy webhook based configuration

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

test/conformance/chainsaw/webhook-configurations/webhook-registeration/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks fine-grained webhook configuration is synced to admission webhooks.
+
+## Expected Behavior
+
+When a policy is created, a webhook rule is automatically created with the same `matchConditions` as configured in the policy. The corresponding webhook rule will be deleted when the policy is deleted.
+
+## Reference Issue(s)
+
+#9111

test/conformance/chainsaw/webhook-configurations/webhook-registeration/chainsaw-test.yaml

@@ -0,0 +1,28 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: webhook-registeration
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - assert:
+        file: webhook.yaml
+  - name: step-03
+    try:
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: cpol-fine-grained-match-conditions-disallow-latest-image-tag-1
+  - name: step-04
+    try:
+    - error:
+        file: webhook.yaml

test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cpol-fine-grained-match-conditions-disallow-latest-image-tag-1
+status:
+  conditions:
+    - reason: Succeeded
+      status: "True"
+      type: Ready

test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+  name: cpol-fine-grained-match-conditions-disallow-latest-image-tag-1
+spec:
+  admission: true
+  background: true
+  webhookConfiguration:
+    matchConditions:
+    - name: 'exclude-requests-by-groups'
+      expression: '!("system:nodes" in request.userInfo.groups)' 
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    name: require-image-tag
+    validate:
+      message: An image tag is required
+      pattern:
+        spec:
+          containers:
+          - image: '*:*'
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    name: validate-image-tag
+    validate:
+      message: Using a mutable image tag e.g. 'latest' is not allowed
+      pattern:
+        spec:
+          containers:
+          - image: '!*:latest'
+  validationFailureAction: Enforce
+  failurePolicy: Ignore

test/conformance/chainsaw/webhook-configurations/webhook-registeration/webhook.yaml

@@ -0,0 +1,27 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    webhook.kyverno.io/managed-by: kyverno
+  name: kyverno-resource-validating-webhook-cfg
+webhooks:
+- failurePolicy: Ignore
+  matchConditions:
+  - expression: '!("system:nodes" in request.userInfo.groups)'
+    name: exclude-requests-by-groups
+  matchPolicy: Equivalent
+  name: validate.kyverno.svc-ignore-finegrained-cpol-fine-grained-match-conditions-disallow-latest-image-tag-1
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    - DELETE
+    - CONNECT
+    resources:
+    - pods
+    - pods/ephemeralcontainers
+    scope: Namespaced