From 6d3dd4f4fed0c81d9e0bfd169ec446fa7457ac25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 24 Nov 2023 01:02:22 +0100 Subject: [PATCH] chore: migrate tests to chainsaw (#8997) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: migrate tests to chainsaw Signed-off-by: Charles-Edouard Brétéché * cleanup Signed-off-by: Charles-Edouard Brétéché * cleanup Signed-off-by: Charles-Edouard Brétéché * fix: exec timeout Signed-off-by: Charles-Edouard Brétéché * exceptions Signed-off-by: Charles-Edouard Brétéché * exceptions Signed-off-by: Charles-Edouard Brétéché * filter Signed-off-by: Charles-Edouard Brétéché --------- 
Signed-off-by: Charles-Edouard Brétéché --- .github/workflows/conformance.yaml | 8 +- test/conformance/chainsaw/_config/common.yaml | 1 + .../clusterpolicy/cleanup-pod/01-rbac.yaml | 12 +++ .../clusterpolicy/cleanup-pod/02-pod.yaml | 14 ++++ .../clusterpolicy/cleanup-pod/03-policy.yaml | 14 ++++ .../clusterpolicy/cleanup-pod/04-sleep.yaml | 14 ++++ .../clusterpolicy/cleanup-pod/05-check.yaml | 11 +++ .../clusterpolicy/cleanup-pod/README.md | 9 +++ .../clusterpolicy/cleanup-pod/pod-assert.yaml | 5 ++ .../clusterpolicy/cleanup-pod/pod.yaml | 9 +++ .../clusterpolicy/cleanup-pod/policy.yaml | 20 +++++ .../clusterpolicy/cleanup-pod/rbac.yaml | 26 +++++++ .../context-cleanup-pod/01-rbac.yaml | 12 +++ .../context-cleanup-pod/02-pod.yaml | 14 ++++ .../context-cleanup-pod/03-policy.yaml | 14 ++++ .../context-cleanup-pod/04-sleep.yaml | 14 ++++ .../context-cleanup-pod/05-check.yaml | 11 +++ .../context-cleanup-pod/README.md | 9 +++ .../context-cleanup-pod/pod-assert.yaml | 5 ++ .../context-cleanup-pod/pod.yaml | 9 +++ .../context-cleanup-pod/policy.yaml | 28 +++++++ .../context-cleanup-pod/rbac.yaml | 26 +++++++ .../cleanup/policy/cleanup-pod/01-rbac.yaml | 12 +++ .../cleanup/policy/cleanup-pod/02-pod.yaml | 14 ++++ .../cleanup/policy/cleanup-pod/03-policy.yaml | 14 ++++ .../cleanup/policy/cleanup-pod/04-sleep.yaml | 14 ++++ .../cleanup/policy/cleanup-pod/05-check.yaml | 11 +++ .../cleanup/policy/cleanup-pod/README.md | 10 +++ .../policy/cleanup-pod/pod-assert.yaml | 5 ++ .../cleanup/policy/cleanup-pod/pod.yaml | 9 +++ .../cleanup/policy/cleanup-pod/policy.yaml | 18 +++++ .../cleanup/policy/cleanup-pod/rbac.yaml | 26 +++++++ .../validation/cron-format/01-policy.yaml | 14 ++++ .../cron-format/02-clusterpolicy.yaml | 14 ++++ .../cron-format/03-invalidpolicy.yaml | 10 +++ .../cleanup/validation/cron-format/README.md | 4 + .../validation/cron-format/clusterpolicy.yaml | 16 ++++ .../validation/cron-format/invalidpolicy.yaml | 17 +++++ .../validation/cron-format/policy.yaml | 17 
+++++ .../01-cleanuppolicy.yaml | 18 +++++ .../no-user-info-in-match/README.md | 8 ++ .../cleanuppolicy-with-clusterroles.yaml | 13 ++++ .../cleanuppolicy-with-roles.yaml | 13 ++++ .../cleanuppolicy-with-subjects.yaml | 14 ++++ .../01-cleanup-policy.yaml | 14 ++++ .../cleanuppolicy-with-configmap.yaml | 25 +++++++ .../cleanuppolicy-with-image-registry.yaml | 24 ++++++ .../dependencies/01-apply-manifests.yaml | 14 ++++ .../deferred/dependencies/02-testcase.yaml | 10 +++ .../chainsaw/deferred/dependencies/README.md | 12 +++ .../deferred/dependencies/deploy.yaml | 28 +++++++ .../deferred/dependencies/manifests.yaml | 73 +++++++++++++++++++ .../deferred/dependencies/policy-assert.yaml | 9 +++ .../chainsaw/deferred/foreach/01-apply.yaml | 14 ++++ .../deferred/foreach/02-testcase.yaml | 14 ++++ .../chainsaw/deferred/foreach/README.md | 11 +++ .../chainsaw/deferred/foreach/cm-assert.yaml | 8 ++ .../chainsaw/deferred/foreach/cm.yaml | 4 + .../chainsaw/deferred/foreach/manifests.yaml | 44 +++++++++++ .../deferred/foreach/policy-assert.yaml | 9 +++ .../deferred/recursive/01-policy.yaml | 14 ++++ .../deferred/recursive/02-resource.yaml | 14 ++++ .../chainsaw/deferred/recursive/README.md | 7 ++ .../deferred/recursive/policy-assert.yaml | 9 +++ .../chainsaw/deferred/recursive/policy.yaml | 26 +++++++ .../deferred/recursive/resource-assert.yaml | 6 ++ .../chainsaw/deferred/recursive/resource.yaml | 4 + .../resolve-overriden-variable/01-policy.yaml | 14 ++++ .../02-resource.yaml | 14 ++++ .../resolve-overriden-variable/README.md | 9 +++ .../policy-assert.yaml | 9 +++ .../resolve-overriden-variable/policy.yaml | 33 +++++++++ .../resource-assert.yaml | 6 ++ .../resolve-overriden-variable/resource.yaml | 4 + .../deferred/two-rules/01-policy.yaml | 14 ++++ .../deferred/two-rules/02-resource.yaml | 14 ++++ .../chainsaw/deferred/two-rules/README.md | 13 ++++ .../deferred/two-rules/policy-assert.yaml | 9 +++ .../chainsaw/deferred/two-rules/policy.yaml | 35 +++++++++ 
.../deferred/two-rules/resource-assert.yaml | 7 ++ .../chainsaw/deferred/two-rules/resource.yaml | 4 + .../allows-rejects-creation/01-policy.yaml | 13 ++++ .../allows-rejects-creation/02-exception.yaml | 11 +++ .../allows-rejects-creation/03-configmap.yaml | 19 +++++ .../allows-rejects-creation/README.md | 13 ++++ .../configmap-allowed.yaml | 4 + .../configmap-rejected.yaml | 4 + .../allows-rejects-creation/exception.yaml | 16 ++++ .../policy-assert.yaml | 9 +++ .../allows-rejects-creation/policy.yaml | 20 +++++ .../applies-to-delete/01-policy.yaml | 13 ++++ .../applies-to-delete/02-exception.yaml | 11 +++ .../applies-to-delete/03-namespace.yaml | 11 +++ .../applies-to-delete/04-deployment.yaml | 11 +++ .../applies-to-delete/05-delete.yaml | 14 ++++ .../exceptions/applies-to-delete/README.md | 13 ++++ .../applies-to-delete/deployment.yaml | 23 ++++++ .../applies-to-delete/exception.yaml | 19 +++++ .../applies-to-delete/namespace.yaml | 4 + .../applies-to-delete/policy-assert.yaml | 9 +++ .../exceptions/applies-to-delete/policy.yaml | 18 +++++ .../standard/01-exception.yaml | 19 +++++ .../background-mode/standard/README.md | 11 +++ .../standard/exception-allowed.yaml | 18 +++++ .../standard/exception-rejected.yaml | 18 +++++ .../exceptions/conditions/01-policy.yaml | 11 +++ .../exceptions/conditions/02-exception.yaml | 11 +++ .../exceptions/conditions/03-deployment.yaml | 15 ++++ .../exceptions/conditions/04-sleep.yaml | 13 ++++ .../chainsaw/exceptions/conditions/README.md | 12 +++ .../exceptions/conditions/bad-deployment.yaml | 49 +++++++++++++ .../exceptions/conditions/exception.yaml | 21 ++++++ .../conditions/good-deployment.yaml | 51 +++++++++++++ .../exceptions/conditions/policy.yaml | 22 ++++++ .../exceptions/events-creation/01-policy.yaml | 13 ++++ .../events-creation/02-exception.yaml | 20 +++++ .../events-creation/03-manifests.yaml | 15 ++++ .../exceptions/events-creation/04-sleep.yaml | 13 ++++ .../exceptions/events-creation/05-assert.yaml | 24 ++++++ 
.../exceptions/events-creation/README.md | 14 ++++ .../events-creation/policy-assert.yaml | 9 +++ .../exceptions/events-creation/policy.yaml | 31 ++++++++ .../only-for-specific-user/01-policy.yaml | 13 ++++ .../only-for-specific-user/02-exception.yaml | 11 +++ .../only-for-specific-user/03-configmap.yaml | 13 ++++ .../only-for-specific-user/README.md | 15 ++++ .../only-for-specific-user/configmap.yaml | 4 + .../only-for-specific-user/exception.yaml | 20 +++++ .../only-for-specific-user/policy-assert.yaml | 9 +++ .../only-for-specific-user/policy.yaml | 20 +++++ .../exceptions/with-wildcard/01-policy.yaml | 13 ++++ .../with-wildcard/02-exception.yaml | 11 +++ .../with-wildcard/03-configmap.yaml | 19 +++++ .../exceptions/with-wildcard/README.md | 13 ++++ .../with-wildcard/configmap-allowed.yaml | 4 + .../with-wildcard/configmap-rejected.yaml | 4 + .../exceptions/with-wildcard/exception.yaml | 17 +++++ .../with-wildcard/policy-assert.yaml | 9 +++ .../exceptions/with-wildcard/policy.yaml | 20 +++++ .../exclude/sa/no-wildcard/01-policy.yaml | 13 ++++ .../exclude/sa/no-wildcard/02-resource.yaml | 13 ++++ .../filter/exclude/sa/no-wildcard/README.md | 12 +++ .../exclude/sa/no-wildcard/policy-assert.yaml | 10 +++ .../filter/exclude/sa/no-wildcard/policy.yaml | 22 ++++++ .../exclude/sa/no-wildcard/resource.yaml | 10 +++ .../filter/exclude/sa/wildcard/01-policy.yaml | 13 ++++ .../exclude/sa/wildcard/02-resource.yaml | 13 ++++ .../filter/exclude/sa/wildcard/README.md | 12 +++ .../exclude/sa/wildcard/policy-assert.yaml | 10 +++ .../filter/exclude/sa/wildcard/policy.yaml | 22 ++++++ .../filter/exclude/sa/wildcard/resource.yaml | 10 +++ .../user/no-wildcard/block/01-policy.yaml | 13 ++++ .../user/no-wildcard/block/02-resource.yaml | 13 ++++ .../exclude/user/no-wildcard/block/README.md | 12 +++ .../user/no-wildcard/block/policy-assert.yaml | 10 +++ .../user/no-wildcard/block/policy.yaml | 21 ++++++ .../user/no-wildcard/block/resource.yaml | 10 +++ 
.../user/no-wildcard/pass/01-policy.yaml | 13 ++++ .../user/no-wildcard/pass/02-resource.yaml | 11 +++ .../exclude/user/no-wildcard/pass/README.md | 12 +++ .../user/no-wildcard/pass/policy-assert.yaml | 10 +++ .../exclude/user/no-wildcard/pass/policy.yaml | 21 ++++++ .../user/no-wildcard/pass/resource.yaml | 10 +++ .../user/wildcard/block/01-policy.yaml | 13 ++++ .../user/wildcard/block/02-resource.yaml | 13 ++++ .../exclude/user/wildcard/block/README.md | 12 +++ .../user/wildcard/block/policy-assert.yaml | 10 +++ .../exclude/user/wildcard/block/policy.yaml | 21 ++++++ .../exclude/user/wildcard/block/resource.yaml | 10 +++ .../exclude/user/wildcard/pass/01-policy.yaml | 13 ++++ .../user/wildcard/pass/02-resource.yaml | 11 +++ .../exclude/user/wildcard/pass/README.md | 12 +++ .../user/wildcard/pass/policy-assert.yaml | 10 +++ .../exclude/user/wildcard/pass/policy.yaml | 21 ++++++ .../exclude/user/wildcard/pass/resource.yaml | 10 +++ .../match/sa/no-wildcard/01-policy.yaml | 13 ++++ .../match/sa/no-wildcard/02-resource.yaml | 11 +++ .../filter/match/sa/no-wildcard/README.md | 12 +++ .../match/sa/no-wildcard/policy-assert.yaml | 10 +++ .../filter/match/sa/no-wildcard/policy.yaml | 20 +++++ .../filter/match/sa/no-wildcard/resource.yaml | 10 +++ .../filter/match/sa/wildcard/01-policy.yaml | 13 ++++ .../filter/match/sa/wildcard/02-resource.yaml | 11 +++ .../filter/match/sa/wildcard/README.md | 12 +++ .../match/sa/wildcard/policy-assert.yaml | 10 +++ .../filter/match/sa/wildcard/policy.yaml | 20 +++++ .../filter/match/sa/wildcard/resource.yaml | 10 +++ .../user/no-wildcard/block/01-policy.yaml | 13 ++++ .../user/no-wildcard/block/02-resource.yaml | 13 ++++ .../match/user/no-wildcard/block/README.md | 12 +++ .../user/no-wildcard/block/policy-assert.yaml | 10 +++ .../match/user/no-wildcard/block/policy.yaml | 19 +++++ .../user/no-wildcard/block/resource.yaml | 10 +++ .../user/no-wildcard/pass/01-policy.yaml | 13 ++++ .../user/no-wildcard/pass/02-resource.yaml | 11 +++ 
.../match/user/no-wildcard/pass/README.md | 12 +++ .../user/no-wildcard/pass/policy-assert.yaml | 10 +++ .../match/user/no-wildcard/pass/policy.yaml | 19 +++++ .../match/user/no-wildcard/pass/resource.yaml | 10 +++ .../match/user/wildcard/block/01-policy.yaml | 13 ++++ .../user/wildcard/block/02-resource.yaml | 13 ++++ .../match/user/wildcard/block/README.md | 12 +++ .../user/wildcard/block/policy-assert.yaml | 10 +++ .../match/user/wildcard/block/policy.yaml | 19 +++++ .../match/user/wildcard/block/resource.yaml | 10 +++ .../match/user/wildcard/pass/01-policy.yaml | 13 ++++ .../match/user/wildcard/pass/02-resource.yaml | 11 +++ .../filter/match/user/wildcard/pass/README.md | 12 +++ .../user/wildcard/pass/policy-assert.yaml | 10 +++ .../match/user/wildcard/pass/policy.yaml | 19 +++++ .../match/user/wildcard/pass/resource.yaml | 10 +++ 211 files changed, 2958 insertions(+), 4 deletions(-) create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/01-rbac.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/02-pod.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/03-policy.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/04-sleep.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/05-check.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/README.md create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/pod-assert.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/pod.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/policy.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/rbac.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/01-rbac.yaml create mode 100644 
test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/02-pod.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/03-policy.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/04-sleep.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/05-check.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/README.md create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/pod-assert.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/pod.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/policy.yaml create mode 100644 test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/rbac.yaml create mode 100644 test/conformance/chainsaw/cleanup/policy/cleanup-pod/01-rbac.yaml create mode 100644 test/conformance/chainsaw/cleanup/policy/cleanup-pod/02-pod.yaml create mode 100644 test/conformance/chainsaw/cleanup/policy/cleanup-pod/03-policy.yaml create mode 100644 test/conformance/chainsaw/cleanup/policy/cleanup-pod/04-sleep.yaml create mode 100644 test/conformance/chainsaw/cleanup/policy/cleanup-pod/05-check.yaml create mode 100644 test/conformance/chainsaw/cleanup/policy/cleanup-pod/README.md create mode 100644 test/conformance/chainsaw/cleanup/policy/cleanup-pod/pod-assert.yaml create mode 100644 test/conformance/chainsaw/cleanup/policy/cleanup-pod/pod.yaml create mode 100644 test/conformance/chainsaw/cleanup/policy/cleanup-pod/policy.yaml create mode 100644 test/conformance/chainsaw/cleanup/policy/cleanup-pod/rbac.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/cron-format/01-policy.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/cron-format/02-clusterpolicy.yaml create mode 100644 
test/conformance/chainsaw/cleanup/validation/cron-format/03-invalidpolicy.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/cron-format/README.md create mode 100644 test/conformance/chainsaw/cleanup/validation/cron-format/clusterpolicy.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/cron-format/invalidpolicy.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/cron-format/policy.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/01-cleanuppolicy.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/README.md create mode 100644 test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-clusterroles.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-roles.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-subjects.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/01-cleanup-policy.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/cleanuppolicy-with-configmap.yaml create mode 100644 test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/cleanuppolicy-with-image-registry.yaml create mode 100644 test/conformance/chainsaw/deferred/dependencies/01-apply-manifests.yaml create mode 100644 test/conformance/chainsaw/deferred/dependencies/02-testcase.yaml create mode 100644 test/conformance/chainsaw/deferred/dependencies/README.md create mode 100644 test/conformance/chainsaw/deferred/dependencies/deploy.yaml create mode 100644 test/conformance/chainsaw/deferred/dependencies/manifests.yaml create mode 100644 test/conformance/chainsaw/deferred/dependencies/policy-assert.yaml create mode 100644 test/conformance/chainsaw/deferred/foreach/01-apply.yaml create mode 100644 
test/conformance/chainsaw/deferred/foreach/02-testcase.yaml create mode 100644 test/conformance/chainsaw/deferred/foreach/README.md create mode 100644 test/conformance/chainsaw/deferred/foreach/cm-assert.yaml create mode 100644 test/conformance/chainsaw/deferred/foreach/cm.yaml create mode 100644 test/conformance/chainsaw/deferred/foreach/manifests.yaml create mode 100644 test/conformance/chainsaw/deferred/foreach/policy-assert.yaml create mode 100644 test/conformance/chainsaw/deferred/recursive/01-policy.yaml create mode 100644 test/conformance/chainsaw/deferred/recursive/02-resource.yaml create mode 100644 test/conformance/chainsaw/deferred/recursive/README.md create mode 100644 test/conformance/chainsaw/deferred/recursive/policy-assert.yaml create mode 100644 test/conformance/chainsaw/deferred/recursive/policy.yaml create mode 100644 test/conformance/chainsaw/deferred/recursive/resource-assert.yaml create mode 100644 test/conformance/chainsaw/deferred/recursive/resource.yaml create mode 100644 test/conformance/chainsaw/deferred/resolve-overriden-variable/01-policy.yaml create mode 100644 test/conformance/chainsaw/deferred/resolve-overriden-variable/02-resource.yaml create mode 100644 test/conformance/chainsaw/deferred/resolve-overriden-variable/README.md create mode 100644 test/conformance/chainsaw/deferred/resolve-overriden-variable/policy-assert.yaml create mode 100644 test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml create mode 100644 test/conformance/chainsaw/deferred/resolve-overriden-variable/resource-assert.yaml create mode 100644 test/conformance/chainsaw/deferred/resolve-overriden-variable/resource.yaml create mode 100644 test/conformance/chainsaw/deferred/two-rules/01-policy.yaml create mode 100644 test/conformance/chainsaw/deferred/two-rules/02-resource.yaml create mode 100644 test/conformance/chainsaw/deferred/two-rules/README.md create mode 100644 test/conformance/chainsaw/deferred/two-rules/policy-assert.yaml create mode 
100644 test/conformance/chainsaw/deferred/two-rules/policy.yaml create mode 100644 test/conformance/chainsaw/deferred/two-rules/resource-assert.yaml create mode 100644 test/conformance/chainsaw/deferred/two-rules/resource.yaml create mode 100644 test/conformance/chainsaw/exceptions/allows-rejects-creation/01-policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/allows-rejects-creation/02-exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/allows-rejects-creation/03-configmap.yaml create mode 100644 test/conformance/chainsaw/exceptions/allows-rejects-creation/README.md create mode 100644 test/conformance/chainsaw/exceptions/allows-rejects-creation/configmap-allowed.yaml create mode 100644 test/conformance/chainsaw/exceptions/allows-rejects-creation/configmap-rejected.yaml create mode 100644 test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/allows-rejects-creation/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/applies-to-delete/01-policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/applies-to-delete/02-exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/applies-to-delete/03-namespace.yaml create mode 100644 test/conformance/chainsaw/exceptions/applies-to-delete/04-deployment.yaml create mode 100644 test/conformance/chainsaw/exceptions/applies-to-delete/05-delete.yaml create mode 100644 test/conformance/chainsaw/exceptions/applies-to-delete/README.md create mode 100644 test/conformance/chainsaw/exceptions/applies-to-delete/deployment.yaml create mode 100644 test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/applies-to-delete/namespace.yaml create mode 100644 
test/conformance/chainsaw/exceptions/applies-to-delete/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/background-mode/standard/01-exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/background-mode/standard/README.md create mode 100644 test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml create mode 100644 test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml create mode 100644 test/conformance/chainsaw/exceptions/conditions/01-policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/conditions/02-exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/conditions/03-deployment.yaml create mode 100644 test/conformance/chainsaw/exceptions/conditions/04-sleep.yaml create mode 100644 test/conformance/chainsaw/exceptions/conditions/README.md create mode 100644 test/conformance/chainsaw/exceptions/conditions/bad-deployment.yaml create mode 100644 test/conformance/chainsaw/exceptions/conditions/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/conditions/good-deployment.yaml create mode 100644 test/conformance/chainsaw/exceptions/conditions/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/events-creation/01-policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/events-creation/02-exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/events-creation/03-manifests.yaml create mode 100644 test/conformance/chainsaw/exceptions/events-creation/04-sleep.yaml create mode 100644 test/conformance/chainsaw/exceptions/events-creation/05-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/events-creation/README.md create mode 100644 test/conformance/chainsaw/exceptions/events-creation/policy-assert.yaml create mode 100644 
test/conformance/chainsaw/exceptions/events-creation/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/only-for-specific-user/01-policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/only-for-specific-user/02-exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/only-for-specific-user/03-configmap.yaml create mode 100644 test/conformance/chainsaw/exceptions/only-for-specific-user/README.md create mode 100644 test/conformance/chainsaw/exceptions/only-for-specific-user/configmap.yaml create mode 100644 test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/only-for-specific-user/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/with-wildcard/01-policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/with-wildcard/02-exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/with-wildcard/03-configmap.yaml create mode 100644 test/conformance/chainsaw/exceptions/with-wildcard/README.md create mode 100644 test/conformance/chainsaw/exceptions/with-wildcard/configmap-allowed.yaml create mode 100644 test/conformance/chainsaw/exceptions/with-wildcard/configmap-rejected.yaml create mode 100644 test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/with-wildcard/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/sa/no-wildcard/01-policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/sa/no-wildcard/02-resource.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/sa/no-wildcard/README.md create mode 100644 test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy-assert.yaml create mode 100644 
test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/sa/no-wildcard/resource.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/sa/wildcard/01-policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/sa/wildcard/02-resource.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/sa/wildcard/README.md create mode 100644 test/conformance/chainsaw/filter/exclude/sa/wildcard/policy-assert.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/sa/wildcard/resource.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/01-policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/02-resource.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/README.md create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy-assert.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/resource.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/01-policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/02-resource.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/README.md create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy-assert.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/resource.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/wildcard/block/01-policy.yaml create mode 100644 
test/conformance/chainsaw/filter/exclude/user/wildcard/block/02-resource.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/wildcard/block/README.md create mode 100644 test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy-assert.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/wildcard/block/resource.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/wildcard/pass/01-policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/wildcard/pass/02-resource.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/wildcard/pass/README.md create mode 100644 test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy-assert.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml create mode 100644 test/conformance/chainsaw/filter/exclude/user/wildcard/pass/resource.yaml create mode 100644 test/conformance/chainsaw/filter/match/sa/no-wildcard/01-policy.yaml create mode 100644 test/conformance/chainsaw/filter/match/sa/no-wildcard/02-resource.yaml create mode 100644 test/conformance/chainsaw/filter/match/sa/no-wildcard/README.md create mode 100644 test/conformance/chainsaw/filter/match/sa/no-wildcard/policy-assert.yaml create mode 100644 test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml create mode 100644 test/conformance/chainsaw/filter/match/sa/no-wildcard/resource.yaml create mode 100644 test/conformance/chainsaw/filter/match/sa/wildcard/01-policy.yaml create mode 100644 test/conformance/chainsaw/filter/match/sa/wildcard/02-resource.yaml create mode 100644 test/conformance/chainsaw/filter/match/sa/wildcard/README.md create mode 100644 test/conformance/chainsaw/filter/match/sa/wildcard/policy-assert.yaml create mode 100644 test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml create mode 100644 
test/conformance/chainsaw/filter/match/sa/wildcard/resource.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/block/01-policy.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/block/02-resource.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/block/README.md create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy-assert.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/block/resource.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/pass/01-policy.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/pass/02-resource.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/pass/README.md create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy-assert.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/no-wildcard/pass/resource.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/wildcard/block/01-policy.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/wildcard/block/02-resource.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/wildcard/block/README.md create mode 100644 test/conformance/chainsaw/filter/match/user/wildcard/block/policy-assert.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/wildcard/block/resource.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/wildcard/pass/01-policy.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/wildcard/pass/02-resource.yaml create mode 100644 
test/conformance/chainsaw/filter/match/user/wildcard/pass/README.md create mode 100644 test/conformance/chainsaw/filter/match/user/wildcard/pass/policy-assert.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml create mode 100644 test/conformance/chainsaw/filter/match/user/wildcard/pass/resource.yaml
diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml
index 770855fd91..9f6b7b5f56 100644
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -179,11 +179,11 @@ jobs:
 tests:
 - autogen
 - background-only
- # - cleanup
- # - deferred
+ - cleanup
+ - deferred
 - events
- # - exceptions
- # - filter
+ - exceptions
+ - filter
 # - generate/clusterpolicy
 # - generate/policy
 # - generate/validation
diff --git a/test/conformance/chainsaw/_config/common.yaml b/test/conformance/chainsaw/_config/common.yaml
index 25ebcb202b..481b1ad668 100755
--- a/test/conformance/chainsaw/_config/common.yaml
+++ b/test/conformance/chainsaw/_config/common.yaml
@@ -6,6 +6,7 @@ spec:
 timeouts:
 assert: 90s
 error: 90s
+ exec: 90s
 parallel: 1
 fullName: true
 failFast: true
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/01-rbac.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/01-rbac.yaml
new file mode 100644
index 0000000000..3408705f9b
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/01-rbac.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: rbac
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: rbac.yaml
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/02-pod.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/02-pod.yaml
new file mode 100644
index 0000000000..a8585605c2
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/02-pod.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/03-policy.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/03-policy.yaml
new file mode 100644
index 0000000000..86b0ffe524
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/03-policy.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: policy.yaml
+ - assert:
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/04-sleep.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/04-sleep.yaml
new file mode 100644
index 0000000000..cad5fa9ed5
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/04-sleep.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "65"
+ check: null
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/05-check.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/05-check.yaml
new file mode 100644
index 0000000000..7571906109
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/05-check.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/README.md b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/README.md
new file mode 100644
index 0000000000..017a677c05
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/README.md
@@ -0,0 +1,9 @@
+# ## Description
+
+This test cleans up pods via a cluster cleanup policy.
+
+## Expected Behavior
+
+The pod `default/example` is cleaned up successfully.
+
+## Reference Issue(s)
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/pod-assert.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/pod-assert.yaml
new file mode 100644
index 0000000000..99bac5fb09
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/pod-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: example
+ namespace: default
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/pod.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/pod.yaml
new file mode 100644
index 0000000000..91b8d5074d
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: example
+ namespace: default
+spec:
+ containers:
+ - image: nginx:latest
+ name: example
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/policy.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/policy.yaml
new file mode 100644
index 0000000000..98be0d7579
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/policy.yaml
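Review bot: `image: nginx:latest` in cleanup-pod/pod.yaml is a mutable tag, so this conformance fixture pulls whatever the registry serves at run time and the run is not reproducible. The test only needs a pod object to exist and then be deleted, so a fixed version or a digest works just as well, for example `- image: nginx@sha256:<digest>` (placeholder digest). The same line appears in context-cleanup-pod/pod.yaml and policy/cleanup-pod/pod.yaml further down the patch.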
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+ name: cleanup-pod
+spec:
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ conditions:
+ all:
+ - key: "{{ target.metadata.name }}"
+ operator: Equals
+ value: example
+ - key: "{{ target.metadata.namespace }}"
+ operator: Equals
+ value: default
+ ## execute every minute
+ schedule: "*/1 * * * *"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/rbac.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/rbac.yaml
new file mode 100644
index 0000000000..a9af733222
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/rbac.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test-cleanup-pod
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - list
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: test-cleanup-pod
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: test-cleanup-pod
+subjects:
+- kind: ServiceAccount
+ name: kyverno-cleanup-controller
+ namespace: kyverno
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/01-rbac.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/01-rbac.yaml
new file mode 100644
index 0000000000..3408705f9b
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/01-rbac.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: rbac
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: rbac.yaml
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/02-pod.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/02-pod.yaml
new file mode 100644
index 0000000000..a8585605c2
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/02-pod.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/03-policy.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/03-policy.yaml
new file mode 100644
index 0000000000..86b0ffe524
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/03-policy.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: policy.yaml
+ - assert:
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/04-sleep.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/04-sleep.yaml
new file mode 100644
index 0000000000..ee6e2dfceb
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/04-sleep.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "5"
+ check: null
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/05-check.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/05-check.yaml
new file mode 100644
index 0000000000..7571906109
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/05-check.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: pod-assert.yaml
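Review bot: The sleep in context-cleanup-pod/04-sleep.yaml is `"5"`, while the policy in this test runs on `*/1 * * * *` and the two sibling cleanup-pod tests sleep `"65"`. With 5 seconds the following `error` step can start before the first scheduled run, so the test presumably passes only because that step keeps retrying up to the `error: 90s` timeout set in _config/common.yaml. If that retry is what the test relies on, a comment such as `# shorter than the schedule on purpose; 05-check retries until the error timeout` would say so; otherwise `- "65"` keeps the three tests consistent.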
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/README.md b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/README.md
new file mode 100644
index 0000000000..d65b6906b9
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/README.md
@@ -0,0 +1,9 @@
+# ## Description
+
+This test cleans up pods via a cluster cleanup policy.
+
+## Expected Behavior
+
+The pod `{{ varname }}` in the namespace `{{ varNamespace }}` set by context variable is cleaned up successfully.
+
+## Reference Issue(s)
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/pod-assert.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/pod-assert.yaml
new file mode 100644
index 0000000000..99bac5fb09
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/pod-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: example
+ namespace: default
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/pod.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/pod.yaml
new file mode 100644
index 0000000000..91b8d5074d
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: example
+ namespace: default
+spec:
+ containers:
+ - image: nginx:latest
+ name: example
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/policy.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/policy.yaml
new file mode 100644
index 0000000000..b6edc31a1c
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/policy.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+ name: cleanup-pod
+spec:
+ context:
+ - name: varNamespace
+ apiCall:
+ urlPath: "/api/v1/namespaces/default"
+ jmesPath: metadata.name
+ - name: varname
+ variable:
+ value: "example"
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ conditions:
+ all:
+ - key: "{{ target.metadata.name }}"
+ operator: Equals
+ value: "{{ varname }}"
+ - key: "{{ target.metadata.namespace }}"
+ operator: Equals
+ value: "{{ varNamespace }}"
+ ## execute every minute
+ schedule: "*/1 * * * *"
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/rbac.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/rbac.yaml
new file mode 100644
index 0000000000..a9af733222
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/rbac.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test-cleanup-pod
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - list
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: test-cleanup-pod
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: test-cleanup-pod
+subjects:
+- kind: ServiceAccount
+ name: kyverno-cleanup-controller
+ namespace: kyverno
diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/01-rbac.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/01-rbac.yaml
new file mode 100644
index 0000000000..3408705f9b
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/01-rbac.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: rbac
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: rbac.yaml
diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/02-pod.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/02-pod.yaml
new file mode 100644
index 0000000000..a8585605c2
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/02-pod.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/03-policy.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/03-policy.yaml
new file mode 100644
index 0000000000..86b0ffe524
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/03-policy.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: policy.yaml
+ - assert:
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/04-sleep.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/04-sleep.yaml
new file mode 100644
index 0000000000..cad5fa9ed5
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/04-sleep.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "65"
+ check: null
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/05-check.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/05-check.yaml
new file mode 100644
index 0000000000..7571906109
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/05-check.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/README.md b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/README.md
new file mode 100644
index 0000000000..571352f548
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/README.md
@@ -0,0 +1,10 @@
+# ## Description
+
+This test cleans up pods via a namespaced cleanup policy.
+
+## Expected Behavior
+
+The pod `default/example` is cleaned up successfully.
+
+
+## Reference Issue(s)
diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/pod-assert.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/pod-assert.yaml
new file mode 100644
index 0000000000..99bac5fb09
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/pod-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: example
+ namespace: default
diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/pod.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/pod.yaml
new file mode 100644
index 0000000000..91b8d5074d
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: example
+ namespace: default
+spec:
+ containers:
+ - image: nginx:latest
+ name: example
diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/policy.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/policy.yaml
new file mode 100644
index 0000000000..0c9d48531f
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v2beta1
+kind: CleanupPolicy
+metadata:
+ name: cleanup-pod
+ namespace: default
+spec:
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ conditions:
+ any:
+ - key: "{{ target.metadata.name }}"
+ operator: Equals
+ value: example
+ ## execute every minute
+ schedule: "*/1 * * * *"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/rbac.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/rbac.yaml
new file mode 100644
index 0000000000..a9af733222
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/rbac.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test-cleanup-pod
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - list
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: test-cleanup-pod
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: test-cleanup-pod
+subjects:
+- kind: ServiceAccount
+ name: kyverno-cleanup-controller
+ namespace: kyverno
diff --git a/test/conformance/chainsaw/cleanup/validation/cron-format/01-policy.yaml b/test/conformance/chainsaw/cleanup/validation/cron-format/01-policy.yaml
new file mode 100644
index 0000000000..86b0ffe524
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/cron-format/01-policy.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: policy.yaml
+ - assert:
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/cleanup/validation/cron-format/02-clusterpolicy.yaml b/test/conformance/chainsaw/cleanup/validation/cron-format/02-clusterpolicy.yaml
new file mode 100644
index 0000000000..b64136bfed
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/cron-format/02-clusterpolicy.yaml
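Review bot: policy/cleanup-pod/rbac.yaml grants the cleanup controller `delete`, `list` and `get` on pods through a ClusterRole and ClusterRoleBinding, although the policy under test is a namespaced `CleanupPolicy` in `default`. A Role and RoleBinding in `default` would give the test the narrowest grant that still exercises the namespaced path, provided the controller's permission check for a namespaced policy is evaluated in that namespace (not visible in this patch). It would also stop this test from reusing the cluster-scoped name `test-cleanup-pod` that the two clusterpolicy tests create.

```yaml
kind: Role
metadata:
  name: test-cleanup-pod
  namespace: default
# … unchanged: rules (pods: delete, list, get) …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-cleanup-pod
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-cleanup-pod
# … unchanged: subjects (ServiceAccount kyverno-cleanup-controller in kyverno) …
```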
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: clusterpolicy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: clusterpolicy.yaml
+ - assert:
+ file: clusterpolicy.yaml
diff --git a/test/conformance/chainsaw/cleanup/validation/cron-format/03-invalidpolicy.yaml b/test/conformance/chainsaw/cleanup/validation/cron-format/03-invalidpolicy.yaml
new file mode 100644
index 0000000000..eea2711d03
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/cron-format/03-invalidpolicy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: invalidpolicy
+spec:
+ try:
+ - apply:
+ file: invalidpolicy.yaml
+ check:
+ (error == null): false
diff --git a/test/conformance/chainsaw/cleanup/validation/cron-format/README.md b/test/conformance/chainsaw/cleanup/validation/cron-format/README.md
new file mode 100644
index 0000000000..c17eaf07d6
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/cron-format/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test creates tries to create two cleanup policies, one with a valid schedule and one with an invalid schedule.
+The creation of the one with the valid schedule is expected to succeed while the one with the invalid schedule is expected to fail.
diff --git a/test/conformance/chainsaw/cleanup/validation/cron-format/clusterpolicy.yaml b/test/conformance/chainsaw/cleanup/validation/cron-format/clusterpolicy.yaml
new file mode 100644
index 0000000000..b85830c700
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/cron-format/clusterpolicy.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+ name: cleanuppolicy
+spec:
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ conditions:
+ any:
+ - key: "{{ target.metadata.name }}"
+ operator: Equals
+ value: example
+ schedule: "*/2 * * * *"
\ No newline at end of file
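Review bot: The check `(error == null): false` in cron-format/03-invalidpolicy.yaml is satisfied by any failed apply, not only by the rejection of `schedule: "invalid-schedule"`, so the step would still pass if the apply failed for an unrelated reason such as an unreachable webhook or a schema error elsewhere in the manifest. The same check is used in no-user-info-in-match/01-cleanuppolicy.yaml, not-supported-attributes-in-context/01-cleanup-policy.yaml and deferred/dependencies/02-testcase.yaml, where the tests guard validation rules and a false pass would hide a regression. At minimum each step should carry a comment naming the expected rejection, for example `# expected: admission rejects the policy because the schedule is not a valid cron expression`, and the check should match on the error text if the check bindings expose it. Note also that invalidpolicy.yaml reuses the name `cleanuppolicy` in `default` that step 01 already applied, so this step appears to exercise an update and not the creation the README describes.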
diff --git a/test/conformance/chainsaw/cleanup/validation/cron-format/invalidpolicy.yaml b/test/conformance/chainsaw/cleanup/validation/cron-format/invalidpolicy.yaml
new file mode 100644
index 0000000000..3686cb576a
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/cron-format/invalidpolicy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v2beta1
+kind: CleanupPolicy
+metadata:
+ name: cleanuppolicy
+ namespace: default
+spec:
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ conditions:
+ any:
+ - key: "{{ target.metadata.name }}"
+ operator: Equals
+ value: example
+ schedule: "invalid-schedule"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/cleanup/validation/cron-format/policy.yaml b/test/conformance/chainsaw/cleanup/validation/cron-format/policy.yaml
new file mode 100644
index 0000000000..f9c8be757c
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/cron-format/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v2beta1
+kind: CleanupPolicy
+metadata:
+ name: cleanuppolicy
+ namespace: default
+spec:
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ conditions:
+ any:
+ - key: "{{ target.metadata.name }}"
+ operator: Equals
+ value: example
+ schedule: "*/2 * * * *"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/01-cleanuppolicy.yaml b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/01-cleanuppolicy.yaml
new file mode 100644
index 0000000000..b41dc3143a
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/01-cleanuppolicy.yaml
@@ -0,0 +1,18 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: cleanuppolicy
+spec:
+ try:
+ - apply:
+ file: cleanuppolicy-with-subjects.yaml
+ check:
+ (error == null): false
+ - apply:
+ file: cleanuppolicy-with-roles.yaml
+ check:
+ (error == null): false
+ - apply:
+ file: cleanuppolicy-with-clusterroles.yaml
+ check:
+ (error == null): false
diff --git a/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/README.md b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/README.md
new file mode 100644
index 0000000000..69843ccd6d
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a cleanup policy containing user infos in `match` statement.
+The creation should fail as cleanup policies with user infos are not allowed.
+
+## Steps
+
+1. - Try create a couple of cleanup policies, expecting the creation to fail because they contain user infos
diff --git a/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-clusterroles.yaml b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-clusterroles.yaml
new file mode 100644
index 0000000000..213773f503
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-clusterroles.yaml
@@ -0,0 +1,13 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+ name: cleanuppolicy
+spec:
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ clusterRoles:
+ - clusteradmin
+ schedule: '* * * * *'
diff --git a/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-roles.yaml b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-roles.yaml
new file mode 100644
index 0000000000..cd374e9a35
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-roles.yaml
@@ -0,0 +1,13 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+ name: cleanuppolicy
+spec:
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ roles:
+ - admin
+ schedule: '* * * * *'
diff --git a/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-subjects.yaml b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-subjects.yaml
new file mode 100644
index 0000000000..3ad66acd2a
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/cleanuppolicy-with-subjects.yaml
@@ -0,0 +1,14 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+ name: cleanuppolicy
+spec:
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ subjects:
+ - kind: User
+ name: chip
+ schedule: '* * * * *'
diff --git a/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/01-cleanup-policy.yaml b/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/01-cleanup-policy.yaml
new file mode 100644
index 0000000000..45cfa2cda7
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/01-cleanup-policy.yaml
@@ -0,0 +1,14 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: cleanup-policy
+spec:
+ try:
+ - apply:
+ file: cleanuppolicy-with-image-registry.yaml
+ check:
+ (error == null): false
+ - apply:
+ file: cleanuppolicy-with-configmap.yaml
+ check:
+ (error == null): false
diff --git a/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/cleanuppolicy-with-configmap.yaml b/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/cleanuppolicy-with-configmap.yaml
new file mode 100644
index 0000000000..530966ec32
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/cleanuppolicy-with-configmap.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+ name: cleanup-pod
+spec:
+ context:
+ - name: configData
+ configMap:
+ name: some-config-map
+ namespace: default
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ conditions:
+ all:
+ - key: "{{ target.metadata.name }}"
+ operator: Equals
+ value: example
+ - key: "{{ target.metadata.namespace }}"
+ operator: Equals
+ value: default
+ ## execute every minute
+ schedule: "*/1 * * * *"
diff --git a/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/cleanuppolicy-with-image-registry.yaml b/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/cleanuppolicy-with-image-registry.yaml
new file mode 100644
index 0000000000..2fb8fb63f6
--- /dev/null
+++ b/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/cleanuppolicy-with-image-registry.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+ name: cleanup-pod
+spec:
+ context:
+ - name: imageData
+ imageRegistry:
+ reference: "ghcr.io/kyverno/kyverno"
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ conditions:
+ all:
+ - key: "{{ target.metadata.name }}"
+ operator: Equals
+ value: "example"
+ - key: "{{ target.metadata.namespace }}"
+ operator: Equals
+ value: default
+ ## execute every minute
+ schedule: "*/1 * * * *"
diff --git a/test/conformance/chainsaw/deferred/dependencies/01-apply-manifests.yaml b/test/conformance/chainsaw/deferred/dependencies/01-apply-manifests.yaml
new file mode 100644
index 0000000000..89b3740fee
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies/01-apply-manifests.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: apply-manifests
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: manifests.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/deferred/dependencies/02-testcase.yaml b/test/conformance/chainsaw/deferred/dependencies/02-testcase.yaml
new file mode 100644
index 0000000000..de278cee68
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies/02-testcase.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: testcase
+spec:
+ try:
+ - apply:
+ file: deploy.yaml
+ check:
+ (error == null): false
diff --git a/test/conformance/chainsaw/deferred/dependencies/README.md b/test/conformance/chainsaw/deferred/dependencies/README.md
new file mode 100644
index 0000000000..a19b14626b
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test checks for handling of variable dependencies with deferred lookups
+
+## Expected Behavior
+
+The deployment should fail
+
+## Reference Issues
+
+https://github.com/kyverno/kyverno/issues/7486
+
diff --git a/test/conformance/chainsaw/deferred/dependencies/deploy.yaml b/test/conformance/chainsaw/deferred/dependencies/deploy.yaml
new file mode 100644
index 0000000000..c03b8fa60f
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies/deploy.yaml
@@ -0,0 +1,28 @@
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test
+ namespace: acme-fitness
+ labels:
+ app: kubecost-cost-analyzer
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: kubecost-cost-analyzer
+ template:
+ metadata:
+ labels:
+ app: kubecost-cost-analyzer
+ spec:
+ containers:
+ - name: cost-model
+ image: nginx:1.14.2
+ resources:
+ requests:
+ cpu: 350m
+ memory: 500Mi
+ limits:
+ memory: 2Gi
diff --git a/test/conformance/chainsaw/deferred/dependencies/manifests.yaml b/test/conformance/chainsaw/deferred/dependencies/manifests.yaml
new file mode 100644
index 0000000000..ffdbf0a9af
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies/manifests.yaml
@@ -0,0 +1,73 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: acme-fitness
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-company-budget
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: check-kubecost-budget
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ operations:
+ - CREATE
+ context:
+ # Mocked response from the Kubecost prediction API until it natively supports JSON input.
+ # Get the predicted amount of the Deployment and transform to get the totalMonthlyRate.
+ - name: predictedcost
+ variable:
+ jmesPath: '[0].costChange.totalMonthlyRate'
+ value:
+ - namespace: acme-fitness
+ controllerKind: deployment
+ controllerName: test
+ costBefore:
+ totalMonthlyRate: 0
+ cpuMonthlyRate: 0
+ ramMonthlyRate: 0
+ gpuMonthlyRate: 0
+ monthlyCPUCoreHours: 0
+ monthlyRAMByteHours: 0
+ monthlyGPUHours: 0
+ costAfter:
+ totalMonthlyRate: 28.839483652409793
+ cpuMonthlyRate: 24.295976357646456
+ ramMonthlyRate: 4.543507294763337
+ gpuMonthlyRate: 0
+ monthlyCPUCoreHours: 766.5
+ monthlyRAMByteHours: 1.14819072e+12
+ monthlyGPUHours: 0
+ costChange:
+ totalMonthlyRate: 92.839483652409793
+ cpuMonthlyRate: 24.295976357646456
+ ramMonthlyRate: 4.543507294763337
+ gpuMonthlyRate: 0
+ monthlyCPUCoreHours: 766.5
+ monthlyRAMByteHours: 1.14819072e+12
+ monthlyGPUHours: 0
+ - name: budget
+ variable:
+ value:
+ spendLimit: 100.0
+ currentSpend: 73.0
+ # Calculate the budget that remains from the window by subtracting the currentSpend from the spendLimit.
+ - name: remainingbudget
+ variable:
+ jmesPath: subtract(`{{budget.spendLimit}}`,`{{budget.currentSpend}}`)
+ validate:
+ # Need to improve this by rounding.
+ message: "This Deployment, which costs ${{ predictedcost }} to run for a month, will overrun the remaining budget of ${{ remainingbudget }}. Please seek approval."
+ deny:
+ conditions:
+ all:
+ - key: "{{ predictedcost }}"
+ operator: GreaterThan
+ value: "{{ remainingbudget }}"
\ No newline at end of file
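Review bot: In the mocked `predictedcost` value of deferred/dependencies/manifests.yaml, `costChange.totalMonthlyRate` is 92.839483652409793 while `costBefore.totalMonthlyRate` is 0 and `costAfter.totalMonthlyRate` is 28.839483652409793, so the one field the `jmesPath` selects disagrees with the rest of the fixture. Both numbers are above the remaining budget of 27 (100.0 minus 73.0), so the deny fires either way, but a reader cannot tell whether 92.8 is deliberate or a typo. I would either set it to `totalMonthlyRate: 28.839483652409793` or keep it and add `# deliberately above remainingbudget (100.0 - 73.0 = 27) so the deny condition fires` above the `costChange` block.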
diff --git a/test/conformance/chainsaw/deferred/dependencies/policy-assert.yaml b/test/conformance/chainsaw/deferred/dependencies/policy-assert.yaml
new file mode 100644
index 0000000000..8ce29958ed
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-company-budget
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/deferred/foreach/01-apply.yaml b/test/conformance/chainsaw/deferred/foreach/01-apply.yaml
new file mode 100644
index 0000000000..1f8d13010a
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/foreach/01-apply.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: apply
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: manifests.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/deferred/foreach/02-testcase.yaml b/test/conformance/chainsaw/deferred/foreach/02-testcase.yaml
new file mode 100644
index 0000000000..75ed639d90
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/foreach/02-testcase.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: testcase
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: cm.yaml
+ - assert:
+ file: cm-assert.yaml
diff --git a/test/conformance/chainsaw/deferred/foreach/README.md b/test/conformance/chainsaw/deferred/foreach/README.md
new file mode 100644
index 0000000000..508653b40b
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/foreach/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks for deferred variable substitutions in foreach loops
+
+## Expected Behavior
+
+The CM should be created with three new entries
+
+## Reference Issues
+
+https://github.com/kyverno/kyverno/issues/7532
diff --git a/test/conformance/chainsaw/deferred/foreach/cm-assert.yaml b/test/conformance/chainsaw/deferred/foreach/cm-assert.yaml
new file mode 100644
index 0000000000..765e7b79a0
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/foreach/cm-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: testcase-7fki3-resource
+data:
+ from_loop_1: AAA
+ from_loop_2: AAA
+ from_loop_3: AAA
diff --git a/test/conformance/chainsaw/deferred/foreach/cm.yaml b/test/conformance/chainsaw/deferred/foreach/cm.yaml
new file mode 100644
index 0000000000..dc353e80a0
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/foreach/cm.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: testcase-7fki3-resource
diff --git a/test/conformance/chainsaw/deferred/foreach/manifests.yaml b/test/conformance/chainsaw/deferred/foreach/manifests.yaml
new file mode 100644
index 0000000000..f298d56d7c
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/foreach/manifests.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: testcase-7fki3
+spec:
+ admission: true
+ background: false
+ rules:
+ - context:
+ - name: var1
+ variable:
+ value: AAA
+ match:
+ all:
+ - resources:
+ kinds:
+ - v1/ConfigMap
+ names:
+ - testcase-7fki3-resource
+ mutate:
+ foreach:
+ - list: '[''dummy'']'
+ patchStrategicMerge:
+ data:
+ from_loop_1: '{{ var1 || ''!!!variable not resolved!!!'' }}'
+ - list: '[''dummy'']'
+ patchStrategicMerge:
+ data:
+ from_loop_2: '{{ var1 || ''!!!variable not resolved!!!'' }}'
+ - list: '[''dummy'']'
+ patchStrategicMerge:
+ data:
+ from_loop_3: '{{ var1 || ''!!!variable not resolved!!!'' }}'
+ name: mutate1
+ preconditions:
+ all:
+ - key: '{{ request.operation }}'
+ operator: AllIn
+ value:
+ - CREATE
+ - UPDATE
+ schemaValidation: false
+ validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/deferred/foreach/policy-assert.yaml b/test/conformance/chainsaw/deferred/foreach/policy-assert.yaml
new file mode 100644
index 0000000000..d83273fb9e
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/foreach/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: testcase-7fki3
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/deferred/recursive/01-policy.yaml b/test/conformance/chainsaw/deferred/recursive/01-policy.yaml
new file mode 100644
index 0000000000..a7f04b9003
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/recursive/01-policy.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/deferred/recursive/02-resource.yaml b/test/conformance/chainsaw/deferred/recursive/02-resource.yaml
new file mode 100644
index 0000000000..0991baccf9
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/recursive/02-resource.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: resource.yaml
+ - assert:
+ file: resource-assert.yaml
diff --git a/test/conformance/chainsaw/deferred/recursive/README.md b/test/conformance/chainsaw/deferred/recursive/README.md
new file mode 100644
index 0000000000..461794aa76
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/recursive/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test checks for handling of variable dependencies with the same name with deferred lookups in a foreach
+
+## Expected Behavior
+
+The configmap should create fine and contain `one: one` in the data.
diff --git a/test/conformance/chainsaw/deferred/recursive/policy-assert.yaml b/test/conformance/chainsaw/deferred/recursive/policy-assert.yaml
new file mode 100644
index 0000000000..6277d9899f
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/recursive/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: one
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/deferred/recursive/policy.yaml b/test/conformance/chainsaw/deferred/recursive/policy.yaml
new file mode 100644
index 0000000000..4965a30bc4
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/recursive/policy.yaml
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: one
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: one
+ match:
+ all:
+ - resources:
+ kinds:
+ - v1/ConfigMap
+ context:
+ - name: one
+ variable:
+ value: one
+ - name: one
+ variable:
+ jmesPath: one
+ mutate:
+ foreach:
+ - list: "['dummy']"
+ patchStrategicMerge:
+ data:
+ one: "{{ one }}"
diff --git a/test/conformance/chainsaw/deferred/recursive/resource-assert.yaml b/test/conformance/chainsaw/deferred/recursive/resource-assert.yaml
new file mode 100644
index 0000000000..fbe5a01ff6
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/recursive/resource-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: one
+data:
+ one: one
diff --git a/test/conformance/chainsaw/deferred/recursive/resource.yaml b/test/conformance/chainsaw/deferred/recursive/resource.yaml
new file mode 100644
index 0000000000..1d967e6ede
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/recursive/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: one
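Review bot: deferred/recursive/policy.yaml creates a cluster-scoped `ClusterPolicy` named `one`, and deferred/resolve-overriden-variable/policy.yaml and deferred/two-rules/policy.yaml create a different policy under the same name, each matching every `v1/ConfigMap` with no `names` filter. If the runner executes these tests concurrently against one cluster (the run configuration is not visible in this part of the patch), they overwrite each other's policy and mutate each other's ConfigMaps, and the asserts would then fail or pass for the wrong reason. I would give each test its own names the way deferred/foreach does with `testcase-7fki3`, for example `name: deferred-recursive` in policy.yaml and policy-assert.yaml, and add a `names:` entry under `resources` that lists only the test's ConfigMap.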
diff --git a/test/conformance/chainsaw/deferred/resolve-overriden-variable/01-policy.yaml b/test/conformance/chainsaw/deferred/resolve-overriden-variable/01-policy.yaml
new file mode 100644
index 0000000000..a7f04b9003
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/resolve-overriden-variable/01-policy.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/deferred/resolve-overriden-variable/02-resource.yaml b/test/conformance/chainsaw/deferred/resolve-overriden-variable/02-resource.yaml
new file mode 100644
index 0000000000..0991baccf9
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/resolve-overriden-variable/02-resource.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: resource.yaml
+ - assert:
+ file: resource-assert.yaml
diff --git a/test/conformance/chainsaw/deferred/resolve-overriden-variable/README.md b/test/conformance/chainsaw/deferred/resolve-overriden-variable/README.md
new file mode 100644
index 0000000000..a03b65ca6f
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/resolve-overriden-variable/README.md
@@ -0,0 +1,9 @@
+## Description
+
+This test checks for handling of variable dependencies with the same name:
+- the same name is used twice in the rule context
+- the same name is also used in a foreach context
+
+## Expected Behavior
+
+The configmap should create fine and contain `one: one` in the data.
diff --git a/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy-assert.yaml b/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy-assert.yaml
new file mode 100644
index 0000000000..6277d9899f
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: one
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml b/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml
new file mode 100644
index 0000000000..7737635f08
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: one
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: one
+ match:
+ all:
+ - resources:
+ kinds:
+ - v1/ConfigMap
+ context:
+ - name: foo
+ variable:
+ value: foo
+ - name: one
+ variable:
+ jmesPath: foo
+ - name: foo
+ variable:
+ value: baz
+ mutate:
+ foreach:
+ - list: "['dummy']"
+ context:
+ - name: foo
+ variable:
+ value: bar
+ patchStrategicMerge:
+ data:
+ one: "{{ one }}"
diff --git a/test/conformance/chainsaw/deferred/resolve-overriden-variable/resource-assert.yaml b/test/conformance/chainsaw/deferred/resolve-overriden-variable/resource-assert.yaml
new file mode 100644
index 0000000000..da586862c4
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/resolve-overriden-variable/resource-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: one
+data:
+ one: foo
diff --git a/test/conformance/chainsaw/deferred/resolve-overriden-variable/resource.yaml b/test/conformance/chainsaw/deferred/resolve-overriden-variable/resource.yaml
new file mode 100644
index 0000000000..1d967e6ede
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/resolve-overriden-variable/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: one
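Review bot: resolve-overriden-variable/resource-assert.yaml expects `one: foo`, but the README added for the same test states that the ConfigMap should contain `one: one`; the assert is what runs, so the README looks like a copy from deferred/recursive and should say `one: foo`. policy.yaml defines `foo` three times (`foo`, then `baz`, then `bar` inside the foreach) with no indication of which binding `one` is meant to pick up. I would add a comment above the second context entry, `# one must resolve to the foo defined before it ("foo"), not the later "baz" or the foreach-level "bar"`, so the expectation the assert encodes is readable from the policy.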
diff --git a/test/conformance/chainsaw/deferred/two-rules/01-policy.yaml b/test/conformance/chainsaw/deferred/two-rules/01-policy.yaml
new file mode 100644
index 0000000000..a7f04b9003
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/two-rules/01-policy.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/deferred/two-rules/02-resource.yaml b/test/conformance/chainsaw/deferred/two-rules/02-resource.yaml
new file mode 100644
index 0000000000..0991baccf9
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/two-rules/02-resource.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check: null
+ file: resource.yaml
+ - assert:
+ file: resource-assert.yaml
diff --git a/test/conformance/chainsaw/deferred/two-rules/README.md b/test/conformance/chainsaw/deferred/two-rules/README.md
new file mode 100644
index 0000000000..7e5e28d1a9
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/two-rules/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test checks that variables don't leak from one rule to the next.
+The second rule tries to use a variable from the first rule, it should not find it.
+
+## Expected Behavior
+
+The configmap creates fine with the data:
+```yaml
+data:
+ one: test
+ two: "null"
+```
diff --git a/test/conformance/chainsaw/deferred/two-rules/policy-assert.yaml b/test/conformance/chainsaw/deferred/two-rules/policy-assert.yaml
new file mode 100644
index 0000000000..6277d9899f
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/two-rules/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: one
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/deferred/two-rules/policy.yaml b/test/conformance/chainsaw/deferred/two-rules/policy.yaml
new file mode 100644
index 0000000000..592fbdc5d7
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/two-rules/policy.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: one
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: one
+ match:
+ all:
+ - resources:
+ kinds:
+ - v1/ConfigMap
+ context:
+ - name: var
+ variable:
+ value: test
+ mutate:
+ foreach:
+ - list: "['dummy']"
+ patchStrategicMerge:
+ data:
+ one: "{{ to_string(var) }}"
+ - name: two
+ match:
+ all:
+ - resources:
+ kinds:
+ - v1/ConfigMap
+ mutate:
+ foreach:
+ - list: "['dummy']"
+ patchStrategicMerge:
+ data:
+ two: "{{ to_string(var) }}"
diff --git a/test/conformance/chainsaw/deferred/two-rules/resource-assert.yaml b/test/conformance/chainsaw/deferred/two-rules/resource-assert.yaml
new file mode 100644
index 0000000000..aa4184d5ea
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/two-rules/resource-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: one
+data:
+ one: test
+ two: "null"
diff --git a/test/conformance/chainsaw/deferred/two-rules/resource.yaml b/test/conformance/chainsaw/deferred/two-rules/resource.yaml
new file mode 100644
index 0000000000..1d967e6ede
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/two-rules/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: one
diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/01-policy.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/02-exception.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/02-exception.yaml
new file mode 100644
index 0000000000..b5b31d4d2a
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/02-exception.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: exception
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: exception.yaml
diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/03-configmap.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/03-configmap.yaml
new file mode 100644
index 0000000000..89f0b17167
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/03-configmap.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: configmap
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: configmap-allowed.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: configmap-rejected.yaml
+ - assert:
+ file: configmap-allowed.yaml
+ - error:
+ file: configmap-rejected.yaml
diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/README.md b/test/conformance/chainsaw/exceptions/allows-rejects-creation/README.md
new file mode 100644
index 0000000000..2aaf078360
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy, a policy exception and tries to create a couple configmaps.
+The policy exception is configured to apply only to the `emergency` configmap.
+The `emergency` configmap is expected to create fine while other configmaps creations should fail.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above, configured to apply to configmap named `emergency`
+1. - Try to create a confimap named `emergency`, expecting the creation to succeed
+ - Try to create a confimap named `foo`, expecting the creation to fail
diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/configmap-allowed.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/configmap-allowed.yaml
new file mode 100644
index 0000000000..c9323595fb
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/configmap-allowed.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: emergency
diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/configmap-rejected.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/configmap-rejected.yaml
new file mode 100644
index 0000000000..2a4a424bcb
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/configmap-rejected.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: foo
diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml
new file mode 100644
index 0000000000..3c5fd95b9b
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: mynewpolex
+spec:
+ exceptions:
+ - policyName: require-labels
+ ruleNames:
+ - require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - emergency
diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy-assert.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy-assert.yaml
new file mode 100644
index 0000000000..b0bd73c54e
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml
new file mode 100644
index 0000000000..7e9c5d923d
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/01-policy.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
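Review bot: exceptions/allows-rejects-creation/policy.yaml enforces `require-team` on every ConfigMap in the cluster, so for as long as the test holds the policy, any ConfigMap without a `team` label is denied in every namespace that Kyverno's own exclusions do not cover, including ConfigMaps belonging to other tests. exceptions/applies-to-delete/policy.yaml has the same reach with `psa`, which applies the restricted pod security level to all Pods. The test only needs the policy to see its own two objects, so I would narrow the match, for example by adding `names: ["emergency", "foo"]` under `resources`, or by selecting the test namespace. The exception is matched by name only as well, which is fine for the fixture but worth a comment for anyone who copies it.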
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/02-exception.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/02-exception.yaml
new file mode 100644
index 0000000000..b5b31d4d2a
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/02-exception.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: exception
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: exception.yaml
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/03-namespace.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/03-namespace.yaml
new file mode 100644
index 0000000000..7f65c69636
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/03-namespace.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: namespace
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: namespace.yaml
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/04-deployment.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/04-deployment.yaml
new file mode 100644
index 0000000000..1d2a82aee4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/04-deployment.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: deployment
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: deployment.yaml
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/05-delete.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/05-delete.yaml
new file mode 100644
index 0000000000..9a4767fab5
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/05-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: test-dpl1
+ namespace: reza-dev
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/README.md b/test/conformance/chainsaw/exceptions/applies-to-delete/README.md
new file mode 100644
index 0000000000..07457b850d
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy, a policy exception and tries to create a deployment violating the policy.
+The deployment is then deleted.
+
+
+## Expected Behavior
+
+Both creation and deletion should be accepted, the exception applies to all operations.
+
+## Reference Issue(s)
+
+7423
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/deployment.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/deployment.yaml
new file mode 100644
index 0000000000..a647bba920
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/deployment.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-dpl1
+ namespace: reza-dev
+spec:
+ selector:
+ matchLabels:
+ app: test-dpl1
+ template:
+ metadata:
+ labels:
+ app: test-dpl1
+ spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: test-dpl1
+ image: busybox:1.35.0
+ command:
+ - sleep
+ - "infinity"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml
new file mode 100644
index 0000000000..a9e5e9afb7
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: delta-exception
+ namespace: kyverno
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - "*"
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ namespaces:
+ - reza-dev
+ names:
+ - test-dpl1*
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/namespace.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/namespace.yaml
new file mode 100644
index 0000000000..98b0102d78
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: reza-dev
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/policy-assert.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml
new file mode 100644
index 0000000000..c69706f2db
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: v1.25
diff --git a/test/conformance/chainsaw/exceptions/background-mode/standard/01-exception.yaml b/test/conformance/chainsaw/exceptions/background-mode/standard/01-exception.yaml
new file mode 100644
index 0000000000..490d53eea8
--- /dev/null
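Review bot: exceptions/applies-to-delete/exception.yaml exempts only the kind `Deployment`, while policy.yaml matches `Pod`, so as far as these two files show the Pods that `test-dpl1` spawns are still evaluated against `psa` and would be denied for `seccompProfile: Unconfined`. The test does not notice because 04-deployment.yaml and 05-delete.yaml never assert that the Deployment became available, which means the fixture exercises the exception on the controller object only. If that is intended I would say so in the file, `# Deployment only: the Pods it creates stay subject to psa`; otherwise add `- Pod` under `kinds`. The hard-coded `namespace: kyverno` and `reza-dev` also tie the test to a particular install layout.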
+++ b/test/conformance/chainsaw/exceptions/background-mode/standard/01-exception.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: exception
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: exception-allowed.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: exception-rejected.yaml
+ - assert:
+ file: exception-allowed.yaml
+ - error:
+ file: exception-rejected.yaml
diff --git a/test/conformance/chainsaw/exceptions/background-mode/standard/README.md b/test/conformance/chainsaw/exceptions/background-mode/standard/README.md
new file mode 100644
index 0000000000..ba3368b539
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/background-mode/standard/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test creates policy exceptions with the `spec.background` field. It tests the usage of using components not available in background scans in exceptions.
+
+## Expected Behavior
+
+The polex-right is expected to be created but the polex-wrong should fail due to having a component that isn't available in background scan.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5949
\ No newline at end of file
diff --git a/test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml
new file mode 100644
index 0000000000..8e550cc2de
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: polex-right
+spec:
+ background: false
+ exceptions:
+ - policyName: test
+ ruleNames:
+ - test
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pods
+ subjects:
+ - kind: User
+ name: chip
\ No newline at end of file
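Review bot: `kinds: - Pods` in background-mode/standard/exception-allowed.yaml is not a Kubernetes kind name; it should read `- Pod`, and exception-rejected.yaml carries the same value. Because 01-exception.yaml accepts any apply error for the rejected file, a misspelt kind in both fixtures makes it harder to be sure the rejection comes from `background: true` combined with `subjects`, which is what the README says is under test. With the kind corrected, the two files differ only in `background`, and that is the property the test should isolate.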
diff --git a/test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml
new file mode 100644
index 0000000000..94845c6e40
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: polex-wrong
+spec:
+ background: true
+ exceptions:
+ - policyName: test
+ ruleNames:
+ - test
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pods
+ subjects:
+ - kind: User
+ name: chip
\ No newline at end of file
diff --git a/test/conformance/chainsaw/exceptions/conditions/01-policy.yaml b/test/conformance/chainsaw/exceptions/conditions/01-policy.yaml
new file mode 100644
index 0000000000..cdc294f3da
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/conditions/01-policy.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/exceptions/conditions/02-exception.yaml b/test/conformance/chainsaw/exceptions/conditions/02-exception.yaml
new file mode 100644
index 0000000000..b5b31d4d2a
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/conditions/02-exception.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: exception
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: exception.yaml
diff --git a/test/conformance/chainsaw/exceptions/conditions/03-deployment.yaml b/test/conformance/chainsaw/exceptions/conditions/03-deployment.yaml
new file mode 100644
index 0000000000..10116fd4ce
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/conditions/03-deployment.yaml
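Review bot: exceptions/conditions/01-policy.yaml applies policy.yaml without a following `assert`, unlike the `01-policy.yaml` steps of allows-rejects-creation and applies-to-delete, which wait for the `Ready` condition through policy-assert.yaml. Without that wait, 03-deployment.yaml can run before the policy is enforced, in which case bad-deployment.yaml is admitted and the step fails intermittently. I would add `- assert:` with `file: policy-assert.yaml` after the apply, together with an assert file shaped like the ones the sibling tests use.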
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: deployment
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: good-deployment.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: bad-deployment.yaml
diff --git a/test/conformance/chainsaw/exceptions/conditions/04-sleep.yaml b/test/conformance/chainsaw/exceptions/conditions/04-sleep.yaml
new file mode 100644
index 0000000000..f30782fbbe
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/conditions/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "4"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/exceptions/conditions/README.md b/test/conformance/chainsaw/exceptions/conditions/README.md
new file mode 100644
index 0000000000..f43057c681
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/conditions/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy that only allows a maximum of 3 containers inside a pod. It then creates an exception with `conditions` field defined which tests out the functionality for the conditions support in `PolicyException`.
+
+
+## Expected Behavior
+
+If the exception is not applied, both the deployments `bad-deployment` and `good-deployment` should not be allowed but when the exception has been applied, `good-deployment` should be able to pass through the Policy as it satisfies the conditions mentioned in the `PolicyException`.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6223
diff --git a/test/conformance/chainsaw/exceptions/conditions/bad-deployment.yaml b/test/conformance/chainsaw/exceptions/conditions/bad-deployment.yaml
new file mode 100644
index 0000000000..522a332551
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/conditions/bad-deployment.yaml
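Review bot: `conditions/04-sleep.yaml` waits four seconds and, going by the files this commit adds to the directory, no numbered step follows it, so nothing is checked after the wait. Either drop the step or put it to use by ending the test with the two operations `with-wildcard/03-configmap.yaml` already uses: `- assert:` on `good-deployment.yaml` and `- error:` on `bad-deployment.yaml`. That would also confirm that the rejected deployment is absent from the cluster.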
@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ labels:
+ app: my-app
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: my-app
+ template:
+ metadata:
+ labels:
+ app: my-app
+ spec:
+ containers:
+ - name: nginx-container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ resources:
+ limits:
+ cpu: "1"
+ memory: "256Mi"
+ requests:
+ cpu: "0.5"
+ memory: "128Mi"
+ - name: redis-container
+ image: redis:latest
+ ports:
+ - containerPort: 6379
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "512Mi"
+ requests:
+ cpu: "0.25"
+ memory: "256Mi"
+ - name: busybox-container
+ image: busybox:latest
+ command: ["/bin/sh", "-c", "while true; do echo 'Hello from BusyBox'; sleep 10; done"]
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "128Mi"
+ requests:
+ cpu: "0.25"
+ memory: "64Mi"
diff --git a/test/conformance/chainsaw/exceptions/conditions/exception.yaml b/test/conformance/chainsaw/exceptions/conditions/exception.yaml
new file mode 100644
index 0000000000..e7a8ede127
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/conditions/exception.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: container-exception
+spec:
+ exceptions:
+ - policyName: max-containers
+ ruleNames:
+ - max-two-containers
+ - autogen-max-two-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ conditions:
+ any:
+ - key: "{{ request.object.metadata.labels.color || '' }}"
+ operator: Equals
+ value: blue
diff --git a/test/conformance/chainsaw/exceptions/conditions/good-deployment.yaml b/test/conformance/chainsaw/exceptions/conditions/good-deployment.yaml
new file mode 100644
index 0000000000..c2b8a0204c
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/conditions/good-deployment.yaml
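Review bot: The only condition on `container-exception` in `conditions/exception.yaml` is that `metadata.labels.color` equals `blue`, a label set by whoever submits the workload. The exception is therefore self-service: adding the label is enough to skip `max-two-containers` for any Pod or Deployment the exception can see. That is what the test needs, but the file reads like a template and gives no hint of it. I would add a leading comment such as `# Test fixture: the label is requester-controlled; scope real exceptions by namespace or subject as well.`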
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ labels:
+ app: my-app
+ color: blue
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: my-app
+ template:
+ metadata:
+ labels:
+ app: my-app
+ color: blue
+ spec:
+ containers:
+ - name: nginx-container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ resources:
+ limits:
+ cpu: "1"
+ memory: "256Mi"
+ requests:
+ cpu: "0.5"
+ memory: "128Mi"
+ - name: redis-container
+ image: redis:latest
+ ports:
+ - containerPort: 6379
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "512Mi"
+ requests:
+ cpu: "0.25"
+ memory: "256Mi"
+ - name: busybox-container
+ image: busybox:latest
+ command: ["/bin/sh", "-c", "while true; do echo 'Hello from BusyBox'; sleep 10; done"]
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "128Mi"
+ requests:
+ cpu: "0.25"
+ memory: "64Mi"
diff --git a/test/conformance/chainsaw/exceptions/conditions/policy.yaml b/test/conformance/chainsaw/exceptions/conditions/policy.yaml
new file mode 100644
index 0000000000..2e66ed1429
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/conditions/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: max-containers
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: max-two-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "A maximum of 2 containers are allowed inside a Pod."
+ deny:
+ conditions:
+ any:
+ - key: "{{request.object.spec.containers[] | length(@)}}"
+ operator: GreaterThan
+ value: "2"
diff --git a/test/conformance/chainsaw/exceptions/events-creation/01-policy.yaml b/test/conformance/chainsaw/exceptions/events-creation/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/events-creation/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/exceptions/events-creation/02-exception.yaml b/test/conformance/chainsaw/exceptions/events-creation/02-exception.yaml
new file mode 100644
index 0000000000..ac9893ec40
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/events-creation/02-exception.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-events-creation-polex-ns
+---
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: policy-exception-allow-latest
+ namespace: policy-exception-events-creation-polex-ns
+spec:
+ exceptions:
+ - policyName: disallow-latest-tag-events-creation
+ ruleNames:
+ - validate-image-tag
+ match:
+ any:
+ - resources:
+ namespaces:
+ - policy-exception-events-creation-ns
diff --git a/test/conformance/chainsaw/exceptions/events-creation/03-manifests.yaml b/test/conformance/chainsaw/exceptions/events-creation/03-manifests.yaml
new file mode 100644
index 0000000000..8fc90f127d
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/events-creation/03-manifests.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-events-creation-ns
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: policy-exception-events-creation-pod
+ namespace: policy-exception-events-creation-ns
+spec:
+ containers:
+ - image: nginx
+ name: nginx
+
diff --git a/test/conformance/chainsaw/exceptions/events-creation/04-sleep.yaml b/test/conformance/chainsaw/exceptions/events-creation/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/events-creation/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/exceptions/events-creation/05-assert.yaml b/test/conformance/chainsaw/exceptions/events-creation/05-assert.yaml
new file mode 100644
index 0000000000..6b27b1d1fd
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/events-creation/05-assert.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: kyverno.io/v2beta1
+ kind: PolicyException
+ name: policy-exception-allow-latest
+ namespace: policy-exception-events-creation-polex-ns
+kind: Event
+metadata:
+ namespace: policy-exception-events-creation-polex-ns
+reason: PolicySkipped
+reportingComponent: kyverno-admission
+type: Normal
+---
+apiVersion: v1
+involvedObject:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-latest-tag-events-creation
+kind: Event
+metadata:
+ namespace: default
+reason: PolicySkipped
+reportingComponent: kyverno-admission
+type: Normal
diff --git a/test/conformance/chainsaw/exceptions/events-creation/README.md b/test/conformance/chainsaw/exceptions/events-creation/README.md
new file mode 100644
index 0000000000..e0e79f97db
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/events-creation/README.md
@@ -0,0 +1,14 @@
+## Description
+
+This test checks the events are generated properly for policyexceptions.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above but for a specific namespace
+1. - Try to create a pod, expecting two events are created, one for the clusterpolicy, another is for policyexception
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6469
diff --git a/test/conformance/chainsaw/exceptions/events-creation/policy-assert.yaml b/test/conformance/chainsaw/exceptions/events-creation/policy-assert.yaml
new file mode 100644
index 0000000000..94acb8259d
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/events-creation/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag-events-creation
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/events-creation/policy.yaml b/test/conformance/chainsaw/exceptions/events-creation/policy.yaml
new file mode 100644
index 0000000000..bad86e81b3
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/events-creation/policy.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/category: Best Practices
+ policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead
+ to unexpected errors if the image changes. A best practice is to use an immutable
+ tag that maps to a specific version of an application Pod. This policy validates
+ that the image specifies a tag and that it is not called `latest`. '
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/title: Disallow Latest Tag
+ name: disallow-latest-tag-events-creation
+spec:
+ admission: true
+ background: true
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: validate-image-tag
+ validate:
+ message: An image tag is required (:latest is not allowed)
+ pattern:
+ spec:
+ containers:
+ - image: '!*:latest & *:*'
+ validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/01-policy.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/02-exception.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/02-exception.yaml
new file mode 100644
index 0000000000..b5b31d4d2a
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/02-exception.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: exception
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: exception.yaml
diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/03-configmap.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/03-configmap.yaml
new file mode 100644
index 0000000000..ca5e9e866c
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/03-configmap.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: configmap
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: configmap.yaml
diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/README.md b/test/conformance/chainsaw/exceptions/only-for-specific-user/README.md
new file mode 100644
index 0000000000..76c75a707a
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/README.md
@@ -0,0 +1,15 @@
+## Description
+
+This test creates a policy, a policy exception and tries to create a configmap that violates the policy.
+The exception should not apply as it is for a specific user and the configmap creation is expected to be rejected.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above but for a specific user
+1. - Try to create a confimap, expecting the creation to fail
+
+## Reference Issue(s)
+
+5930
diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/configmap.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/configmap.yaml
new file mode 100644
index 0000000000..c9323595fb
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/configmap.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: emergency
diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml
new file mode 100644
index 0000000000..b5beaf8848
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: mynewpolex
+spec:
+ background: false
+ exceptions:
+ - policyName: require-labels
+ ruleNames:
+ - require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - emergency
+ subjects:
+ - kind: User
+ name: chip
diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/policy-assert.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/policy-assert.yaml
new file mode 100644
index 0000000000..b0bd73c54e
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml
new file mode 100644
index 0000000000..7e9c5d923d
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/01-policy.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/with-wildcard/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/02-exception.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/02-exception.yaml
new file mode 100644
index 0000000000..b5b31d4d2a
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/with-wildcard/02-exception.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: exception
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: exception.yaml
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/03-configmap.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/03-configmap.yaml
new file mode 100644
index 0000000000..89f0b17167
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/with-wildcard/03-configmap.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: configmap
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: configmap-allowed.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: configmap-rejected.yaml
+ - assert:
+ file: configmap-allowed.yaml
+ - error:
+ file: configmap-rejected.yaml
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/README.md b/test/conformance/chainsaw/exceptions/with-wildcard/README.md
new file mode 100644
index 0000000000..5d46af5626
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/with-wildcard/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy, a policy exception and tries to create a couple configmaps.
+The policy exception is configured to apply only to the `emergency` configmap and has wildcard in the rule name.
+The `emergency` configmap is expected to create fine while other configmaps creations should fail.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above, configured to apply to configmap named `emergency`
+1. - Try to create a confimap named `emergency`, expecting the creation to succeed
+ - Try to create a confimap named `foo`, expecting the creation to fail
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/configmap-allowed.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/configmap-allowed.yaml
new file mode 100644
index 0000000000..c9323595fb
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/with-wildcard/configmap-allowed.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: emergency
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/configmap-rejected.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/configmap-rejected.yaml
new file mode 100644
index 0000000000..2a4a424bcb
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/with-wildcard/configmap-rejected.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: foo
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml
new file mode 100644
index 0000000000..9ded4a7449
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: mynewpolex
+spec:
+ exceptions:
+ - policyName: require-labels
+ ruleNames:
+ - another-rule
+ - require-*
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - emergency
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/policy-assert.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/policy-assert.yaml
new file mode 100644
index 0000000000..b0bd73c54e
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/with-wildcard/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml
new file mode 100644
index 0000000000..7e9c5d923d
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/01-policy.yaml b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/02-resource.yaml b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/02-resource.yaml
new file mode 100644
index 0000000000..36f9a5b5d3
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/README.md b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/README.md
new file mode 100644
index 0000000000..8d4dcb4f30
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding service account `system:serviceaccount:kyverno:kyverno`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy-assert.yaml b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml
new file mode 100644
index 0000000000..172b3a2037
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ exclude:
+ any:
+ - subjects:
+ - kind: ServiceAccount
+ name: kyverno
+ namespace: kyverno
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/resource.yaml b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
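Review bot: `filter/exclude/sa/no-wildcard/policy.yaml` is only exercised in the direction where the `ServiceAccount` exclude must not match: per the README the request is made by the user `kubernetes-admin`, and the step expects a denial. Nothing in this test, or in the `sa/wildcard` variant with `name: '?*'` and `namespace: '?*'`, submits a Pod as a service account to show that the exclude takes effect when it should. An exclude that never matched would pass both tests. I would state the scope in the fixture with a comment such as `# Negative case only: the request comes from a User, so this ServiceAccount exclude must not apply.` and track the positive case separately.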
diff --git a/test/conformance/chainsaw/filter/exclude/sa/wildcard/01-policy.yaml b/test/conformance/chainsaw/filter/exclude/sa/wildcard/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/wildcard/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/sa/wildcard/02-resource.yaml b/test/conformance/chainsaw/filter/exclude/sa/wildcard/02-resource.yaml
new file mode 100644
index 0000000000..36f9a5b5d3
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/wildcard/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/sa/wildcard/README.md b/test/conformance/chainsaw/filter/exclude/sa/wildcard/README.md
new file mode 100644
index 0000000000..fe454ef26b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/wildcard/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding service account `system:serviceaccount:?*:?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy-assert.yaml b/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml b/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml
new file mode 100644
index 0000000000..5a780f0b21
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ exclude:
+ any:
+ - subjects:
+ - kind: ServiceAccount
+ name: '?*'
+ namespace: '?*'
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/filter/exclude/sa/wildcard/resource.yaml b/test/conformance/chainsaw/filter/exclude/sa/wildcard/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/sa/wildcard/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/01-policy.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/02-resource.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/02-resource.yaml
new file mode 100644
index 0000000000..36f9a5b5d3
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/README.md b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/README.md
new file mode 100644
index 0000000000..f2711a54bc
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding users `not-kubernetes-admin`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy-assert.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml
new file mode 100644
index 0000000000..3f258d6215
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ exclude:
+ any:
+ - subjects:
+ - kind: User
+ name: not-kubernetes-admin
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/resource.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/01-policy.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/02-resource.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/02-resource.yaml
new file mode 100644
index 0000000000..e750d48225
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/02-resource.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/README.md b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/README.md
new file mode 100644
index 0000000000..41a04ba99f
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding users `kubernetes-admin`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy-assert.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml
new file mode 100644
index 0000000000..6dbdc24a99
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ exclude:
+ any:
+ - subjects:
+ - kind: User
+ name: kubernetes-admin
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/resource.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/01-policy.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/02-resource.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/02-resource.yaml
new file mode 100644
index 0000000000..36f9a5b5d3
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/README.md b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/README.md
new file mode 100644
index 0000000000..62724a00ec
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding users with wildcard `not-?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy-assert.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml
new file mode 100644
index 0000000000..5320014c97
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ exclude:
+ any:
+ - subjects:
+ - kind: User
+ name: not-?*
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/resource.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/01-policy.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/01-policy.yaml
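Review bot: `name: not-?*` in exclude/user/wildcard/block/policy.yaml is left as a plain YAML scalar, while the sibling fixtures quote their patterns (`name: '?*'`). It parses as intended today, but a pattern later edited to begin with `*` would be read as a YAML alias rather than a string, so quoting every wildcard keeps the fixtures uniform and safe to edit: `name: 'not-?*'`. match/user/wildcard/pass/policy.yaml carries the same unquoted value.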
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/02-resource.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/02-resource.yaml
new file mode 100644
index 0000000000..e750d48225
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/02-resource.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/README.md b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/README.md
new file mode 100644
index 0000000000..8a2f239a0a
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding users with wildcard `?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy-assert.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml
new file mode 100644
index 0000000000..b92e77c337
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ exclude:
+ any:
+ - subjects:
+ - kind: User
+ name: '?*'
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/resource.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/filter/match/sa/no-wildcard/01-policy.yaml b/test/conformance/chainsaw/filter/match/sa/no-wildcard/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/no-wildcard/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/match/sa/no-wildcard/02-resource.yaml b/test/conformance/chainsaw/filter/match/sa/no-wildcard/02-resource.yaml
new file mode 100644
index 0000000000..e750d48225
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/no-wildcard/02-resource.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/match/sa/no-wildcard/README.md b/test/conformance/chainsaw/filter/match/sa/no-wildcard/README.md
new file mode 100644
index 0000000000..b48c686463
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/no-wildcard/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching service account `system:serviceaccount:kyverno:kyverno`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy-assert.yaml b/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml b/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml
new file mode 100644
index 0000000000..4968d662ca
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ subjects:
+ - kind: ServiceAccount
+ name: kyverno
+ namespace: kyverno
+ validate:
+ deny: {}
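Review bot: The ServiceAccount subject in match/sa/no-wildcard/policy.yaml is never exercised on its matching path: the only resource step applies the pod as `kubernetes-admin` and expects acceptance, which would still pass if ServiceAccount subject matching never matched anything. Nothing in the files shown here submits the pod under a service-account identity and expects a denial, so a regression that silently disables this filter would go unnoticed. At minimum a comment above `subjects:` should record the gap, e.g. `# only the non-matching path is tested; no step applies the pod as a service account`. The same holds for match/sa/wildcard/policy.yaml.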
diff --git a/test/conformance/chainsaw/filter/match/sa/no-wildcard/resource.yaml b/test/conformance/chainsaw/filter/match/sa/no-wildcard/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/no-wildcard/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/filter/match/sa/wildcard/01-policy.yaml b/test/conformance/chainsaw/filter/match/sa/wildcard/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/wildcard/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/match/sa/wildcard/02-resource.yaml b/test/conformance/chainsaw/filter/match/sa/wildcard/02-resource.yaml
new file mode 100644
index 0000000000..e750d48225
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/wildcard/02-resource.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/match/sa/wildcard/README.md b/test/conformance/chainsaw/filter/match/sa/wildcard/README.md
new file mode 100644
index 0000000000..058a113b6b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/wildcard/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching service account `system:serviceaccount:?*:?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/match/sa/wildcard/policy-assert.yaml b/test/conformance/chainsaw/filter/match/sa/wildcard/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/wildcard/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml b/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml
new file mode 100644
index 0000000000..cfe930ca08
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ subjects:
+ - kind: ServiceAccount
+ name: '?*'
+ namespace: '?*'
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/filter/match/sa/wildcard/resource.yaml b/test/conformance/chainsaw/filter/match/sa/wildcard/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/sa/wildcard/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/01-policy.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/02-resource.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/02-resource.yaml
new file mode 100644
index 0000000000..36f9a5b5d3
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/README.md b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/README.md
new file mode 100644
index 0000000000..ba0463ebf6
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching users `kubernetes-admin`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy-assert.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml
new file mode 100644
index 0000000000..5a269a41b6
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ subjects:
+ - kind: User
+ name: kubernetes-admin
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/resource.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/01-policy.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/02-resource.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/02-resource.yaml
new file mode 100644
index 0000000000..e750d48225
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/02-resource.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/README.md b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/README.md
new file mode 100644
index 0000000000..a69cb1b559
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching users `not-kubernetes-admin`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy-assert.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml
new file mode 100644
index 0000000000..d4f8b61e2a
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ subjects:
+ - kind: User
+ name: not-kubernetes-admin
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/resource.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/block/01-policy.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/block/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/block/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/block/02-resource.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/block/02-resource.yaml
new file mode 100644
index 0000000000..36f9a5b5d3
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/block/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/block/README.md b/test/conformance/chainsaw/filter/match/user/wildcard/block/README.md
new file mode 100644
index 0000000000..2871c9c2b4
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/block/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching users with wildcard `?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/block/policy-assert.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/block/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/block/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml
new file mode 100644
index 0000000000..391727e652
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ subjects:
+ - kind: User
+ name: '?*'
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/block/resource.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/block/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/block/resource.yaml
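Review bot: match/user/wildcard/block/policy.yaml installs a cluster-scoped `Enforce` policy that denies Pods for every user matching `?*`, under the name `block-pod` that every other policy fixture shown here also uses. If these tests can run concurrently (the runner configuration is not visible in this part of the patch), one test's apply or cleanup would replace or delete another's policy, and this one would reject pods created by unrelated tests while it exists. A per-test name such as `name: block-pod-match-user-wildcard`, repeated in the matching policy-assert.yaml, would remove the collision. Whether the deny also needs scoping to the test namespace depends on how the suite is run.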
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/pass/01-policy.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/pass/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/pass/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/pass/02-resource.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/pass/02-resource.yaml
new file mode 100644
index 0000000000..e750d48225
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/pass/02-resource.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/pass/README.md b/test/conformance/chainsaw/filter/match/user/wildcard/pass/README.md
new file mode 100644
index 0000000000..b3791bd8e0
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/pass/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching users with wildcard `not-?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy-assert.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml
new file mode 100644
index 0000000000..5cc4323566
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ subjects:
+ - kind: User
+ name: not-?*
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/pass/resource.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/pass/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/pass/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80