mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-28 18:38:40 +00:00
chore: run events test suite using chainsaw (#8951)
* chore: run events test suite using chainsaw Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * chainsaw main test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * bump chainsaw Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Mariam Fahmy
GitHub
parent
058c162007
commit
6d7571f4bb
53 changed files with 804 additions and 3 deletions
6
.github/workflows/conformance.yaml
vendored
6
.github/workflows/conformance.yaml
vendored
|
|
@ -181,7 +181,7 @@ jobs:
|
|||
- background-only
|
||||
# - cleanup
|
||||
# - deferred
|
||||
# - events
|
||||
- events
|
||||
# - exceptions
|
||||
# - filter
|
||||
# - generate/clusterpolicy
|
||||
|
|
@ -234,9 +234,9 @@ jobs:
|
|||
- name: Wait for kyverno ready
|
||||
uses: ./.github/actions/kyverno-wait-ready
|
||||
- name: Install Chainsaw
|
||||
uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main
|
||||
uses: kyverno/chainsaw/.github/actions/install@f8cd497926b60e53f722732d33ec71e875bf213c # main
|
||||
with:
|
||||
release: v0.0.6-alpha.2
|
||||
release: v0.0.6-alpha.3
|
||||
- name: Test with Chainsaw
|
||||
shell: bash
|
||||
env:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: crd
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: crd.yaml
|
||||
- assert:
|
||||
file: crd-assert.yaml
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: policy
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: resource
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: event
|
||||
spec:
|
||||
try:
|
||||
- assert:
|
||||
file: event.yaml
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
## Description
|
||||
|
||||
This test creates a generate policy, and a resource. A `PolicyError` event should be created upon the failure.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a resource
|
||||
1. - Asset a `PolicyError` event is created
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/pull/8466
|
||||
https://github.com/kyverno/kyverno/pull/1413
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: roles.iam.aws.crossplane.io
|
||||
status:
|
||||
acceptedNames:
|
||||
kind: Role
|
||||
listKind: RoleList
|
||||
plural: roles
|
||||
singular: role
|
||||
|
|
@ -0,0 +1,234 @@
|
|||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: roles.iam.aws.crossplane.io
|
||||
spec:
|
||||
group: iam.aws.crossplane.io
|
||||
names:
|
||||
categories:
|
||||
- crossplane
|
||||
- managed
|
||||
- aws
|
||||
kind: Role
|
||||
listKind: RoleList
|
||||
plural: roles
|
||||
shortNames:
|
||||
- iamrole
|
||||
singular: role
|
||||
scope: Cluster
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: .status.conditions[?(@.type=='Ready')].status
|
||||
name: READY
|
||||
type: string
|
||||
- jsonPath: .status.conditions[?(@.type=='Synced')].status
|
||||
name: SYNCED
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: AGE
|
||||
type: date
|
||||
name: v1beta1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: An Role is a managed resource that represents an AWS IAM Role.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: An RoleSpec defines the desired state of an Role.
|
||||
properties:
|
||||
deletionPolicy:
|
||||
default: Delete
|
||||
description: DeletionPolicy specifies what will happen to the underlying
|
||||
external when this managed resource is deleted - either "Delete"
|
||||
or "Orphan" the external resource.
|
||||
enum:
|
||||
- Orphan
|
||||
- Delete
|
||||
type: string
|
||||
forProvider:
|
||||
description: RoleParameters define the desired state of an AWS IAM
|
||||
Role.
|
||||
properties:
|
||||
assumeRolePolicyDocument:
|
||||
description: AssumeRolePolicyDocument is the the trust relationship
|
||||
policy document that grants an entity permission to assume the
|
||||
role.
|
||||
type: string
|
||||
description:
|
||||
description: Description is a description of the role.
|
||||
type: string
|
||||
maxSessionDuration:
|
||||
description: 'MaxSessionDuration is the duration (in seconds)
|
||||
that you want to set for the specified role. The default maximum
|
||||
of one hour is applied. This setting can have a value from 1
|
||||
hour to 12 hours. Default: 3600'
|
||||
format: int32
|
||||
type: integer
|
||||
path:
|
||||
description: 'Path is the path to the role. Default: /'
|
||||
type: string
|
||||
permissionsBoundary:
|
||||
description: PermissionsBoundary is the ARN of the policy that
|
||||
is used to set the permissions boundary for the role.
|
||||
type: string
|
||||
tags:
|
||||
description: Tags. For more information about tagging, see Tagging
|
||||
IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)
|
||||
in the IAM User Guide.
|
||||
items:
|
||||
description: Tag represents user-provided metadata that can
|
||||
be associated with a IAM role. For more information about
|
||||
tagging, see Tagging IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)
|
||||
in the IAM User Guide.
|
||||
properties:
|
||||
key:
|
||||
description: The key name that can be used to look up or
|
||||
retrieve the associated value. For example, Department
|
||||
or Cost Center are common choices.
|
||||
type: string
|
||||
value:
|
||||
description: "The value associated with this tag. For example,
|
||||
tags with a key name of Department could have values such
|
||||
as Human Resources, Accounting, and Support. Tags with
|
||||
a key name of Cost Center might have values that consist
|
||||
of the number associated with the different cost centers
|
||||
in your company. Typically, many resources have tags with
|
||||
the same key name but with different values. \n AWS always
|
||||
interprets the tag Value as a single string. If you need
|
||||
to store an array, you can store comma-separated values
|
||||
in the string. However, you must interpret the value in
|
||||
your code."
|
||||
type: string
|
||||
required:
|
||||
- key
|
||||
type: object
|
||||
type: array
|
||||
required:
|
||||
- assumeRolePolicyDocument
|
||||
type: object
|
||||
providerConfigRef:
|
||||
default:
|
||||
name: default
|
||||
description: ProviderConfigReference specifies how the provider that
|
||||
will be used to create, observe, update, and delete this managed
|
||||
resource should be configured.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the referenced object.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
providerRef:
|
||||
description: 'ProviderReference specifies the provider that will be
|
||||
used to create, observe, update, and delete this managed resource.
|
||||
Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`'
|
||||
properties:
|
||||
name:
|
||||
description: Name of the referenced object.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
writeConnectionSecretToRef:
|
||||
description: WriteConnectionSecretToReference specifies the namespace
|
||||
and name of a Secret to which any connection details for this managed
|
||||
resource should be written. Connection details frequently include
|
||||
the endpoint, username, and password required to connect to the
|
||||
managed resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the secret.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the secret.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
- namespace
|
||||
type: object
|
||||
required:
|
||||
- forProvider
|
||||
type: object
|
||||
status:
|
||||
description: An RoleStatus represents the observed state of an Role.
|
||||
properties:
|
||||
atProvider:
|
||||
description: RoleExternalStatus keeps the state for the external resource
|
||||
properties:
|
||||
arn:
|
||||
description: ARN is the Amazon Resource Name (ARN) specifying
|
||||
the role. For more information about ARNs and how to use them
|
||||
in policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
|
||||
in the IAM User Guide guide.
|
||||
type: string
|
||||
roleID:
|
||||
description: RoleID is the stable and unique string identifying
|
||||
the role. For more information about IDs, see IAM Identifiers
|
||||
(http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
|
||||
in the Using IAM guide.
|
||||
type: string
|
||||
required:
|
||||
- arn
|
||||
- roleID
|
||||
type: object
|
||||
conditions:
|
||||
description: Conditions of the resource.
|
||||
items:
|
||||
description: A Condition that may apply to a resource.
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: LastTransitionTime is the last time this condition
|
||||
transitioned from one status to another.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: A Message containing details about this condition's
|
||||
last transition from one status to another, if any.
|
||||
type: string
|
||||
reason:
|
||||
description: A Reason for this condition's last transition from
|
||||
one status to another.
|
||||
type: string
|
||||
status:
|
||||
description: Status of this condition; is it currently True,
|
||||
False, or Unknown?
|
||||
type: string
|
||||
type:
|
||||
description: Type of this condition. At most one of each condition
|
||||
type may apply to a resource at any point in time.
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
status:
|
||||
acceptedNames:
|
||||
kind: ""
|
||||
plural: ""
|
||||
conditions: []
|
||||
storedVersions:
|
||||
- v1beta1
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: Event
|
||||
metadata:
|
||||
namespace: default
|
||||
involvedObject:
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
name: rbac-policy
|
||||
reason: PolicyError
|
||||
reportingComponent: kyverno-generate
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: rbac-policy
|
||||
spec: {}
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: rbac-policy
|
||||
spec:
|
||||
rules:
|
||||
- name: rbac-rule
|
||||
generate:
|
||||
apiVersion: iam.aws.crossplane.io/v1beta1
|
||||
data:
|
||||
rules:
|
||||
- verbs:
|
||||
- "*"
|
||||
apiGroups:
|
||||
- "*"
|
||||
resources:
|
||||
- "*"
|
||||
kind: Role
|
||||
name: superuser
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
names:
|
||||
- ns-2
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: ns-2
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: policy
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: resource
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: event
|
||||
spec:
|
||||
try:
|
||||
- assert:
|
||||
file: policy-event.yaml
|
||||
- assert:
|
||||
file: resource-event.yaml
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
## Description
|
||||
|
||||
This test creates a generate policy, and the trigger resource (namespace).
|
||||
Two events are generated:
|
||||
1. An event for the policy to indicate that a new resource is generated.
|
||||
2. An event for the generated resource itself.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a generate policy
|
||||
- Assert the policy becomes ready
|
||||
2. Create the namespace.
|
||||
3. - An event is created for the policy with message "resource generated"
|
||||
- An event is created for the generated resource.
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: zk-kafka-address
|
||||
spec: {}
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
kind: Event
|
||||
metadata:
|
||||
namespace: default
|
||||
involvedObject:
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
name: zk-kafka-address
|
||||
type: Normal
|
||||
message: resource generated
|
||||
reason: PolicyApplied
|
||||
action: Resource Generated
|
||||
reportingComponent: kyverno-generate
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: zk-kafka-address
|
||||
spec:
|
||||
rules:
|
||||
- name: k-kafka-address
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
# generate the resource in the new namespace
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
kind: Event
|
||||
metadata:
|
||||
namespace: test-ns
|
||||
involvedObject:
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: test-ns
|
||||
type: Normal
|
||||
reason: PolicyApplied
|
||||
action: None
|
||||
reportingComponent: kyverno-generate
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: test-ns
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: policy
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: resource
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: event
|
||||
spec:
|
||||
try:
|
||||
- assert:
|
||||
file: event-assert.yaml
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test creates a mutate policy which adds labels to the newly created config maps.
|
||||
An event is generated upon successful generation.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a mutate policy
|
||||
- Assert the policy becomes ready
|
||||
2. Create a configmap.
|
||||
3. An event is created with a message indicating that the config map is successfully mutated.
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: v1
|
||||
kind: Event
|
||||
metadata:
|
||||
namespace: default
|
||||
involvedObject:
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
name: add-labels
|
||||
type: Normal
|
||||
reason: PolicyApplied
|
||||
action: Resource Mutated
|
||||
reportingComponent: kyverno-admission
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-labels
|
||||
spec: {}
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-labels
|
||||
spec:
|
||||
rules:
|
||||
- name: add-foo
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: bar
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: game-demo
|
||||
data:
|
||||
key: "some value"
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: policy
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: resource
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: event
|
||||
spec:
|
||||
try:
|
||||
- error:
|
||||
file: event.yaml
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test creates a generate policy, and the trigger resource (namespace) `ns-1` which is excluded by the policy.
|
||||
No events generated since the `ns-1`
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a generate policy
|
||||
- Assert the policy becomes ready
|
||||
2. Create the namespace.
|
||||
3. No events generated as the rule result is `skip`
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Event
|
||||
metadata:
|
||||
namespace: default
|
||||
involvedObject:
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
name: default
|
||||
reportingComponent: kyverno-generate
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: default
|
||||
spec: {}
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: default
|
||||
spec:
|
||||
rules:
|
||||
- name: deny-all-traffic
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- test-ns
|
||||
- ns-1
|
||||
generate:
|
||||
kind: NetworkPolicy
|
||||
apiVersion: networking.k8s.io/v1
|
||||
name: deny-all-traffic
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
spec:
|
||||
# select all pods in the namespace
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: ns-1
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: policy
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: resource
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: event
|
||||
spec:
|
||||
try:
|
||||
- assert:
|
||||
file: event-assert.yaml
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy, and a resource.
|
||||
A `PolicyApplied` event should be created.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a resource
|
||||
1. - Asset a `PolicyApplied` event is created
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: Event
|
||||
metadata: {}
|
||||
involvedObject:
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
name: require-labels
|
||||
type: Normal
|
||||
reason: PolicyApplied
|
||||
reportingComponent: kyverno-admission
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: require-labels
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: require-labels
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
rules:
|
||||
- name: require-team
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
validate:
|
||||
message: 'The label `team` is required.'
|
||||
pattern:
|
||||
metadata:
|
||||
labels:
|
||||
team: '?*'
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: foo
|
||||
labels:
|
||||
team: kyverno
|
||||
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: policy
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: resource
|
||||
spec:
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
check:
|
||||
(error == null): false
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
name: event
|
||||
spec:
|
||||
try:
|
||||
- assert:
|
||||
file: event-assert.yaml
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy, and a resource.
|
||||
The resource is expected to be rejected.
|
||||
A `PolicyViolation` event should be created.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Try to create a resource, expecting the creation to fail
|
||||
1. - Asset a `PolicyViolation` event is created
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: Event
|
||||
metadata: {}
|
||||
involvedObject:
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
name: require-labels
|
||||
type: Warning
|
||||
reason: PolicyViolation
|
||||
reportingComponent: kyverno-admission
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: require-labels
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: require-labels
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
rules:
|
||||
- name: require-team
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
validate:
|
||||
message: 'The label `team` is required.'
|
||||
pattern:
|
||||
metadata:
|
||||
labels:
|
||||
team: '?*'
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: foo
|
||||
Loading…
Add table
Reference in a new issue