diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index e674c37907..896be394e7 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -181,7 +181,7 @@ jobs: - background-only # - cleanup # - deferred - # - events + - events # - exceptions # - filter # - generate/clusterpolicy @@ -234,9 +234,9 @@ jobs: - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Install Chainsaw - uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main + uses: kyverno/chainsaw/.github/actions/install@f8cd497926b60e53f722732d33ec71e875bf213c # main with: - release: v0.0.6-alpha.2 + release: v0.0.6-alpha.3 - name: Test with Chainsaw shell: bash env: diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/01-crd.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/01-crd.yaml new file mode 100644 index 0000000000..2020f4b7e7 --- /dev/null +++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/01-crd.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: crd +spec: + try: + - apply: + file: crd.yaml + - assert: + file: crd-assert.yaml diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/02-policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/02-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/02-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml 
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/03-resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/03-resource.yaml
new file mode 100644
index 0000000000..8a89845d54
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/03-resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/04-event.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/04-event.yaml
new file mode 100644
index 0000000000..f64bb341f7
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/04-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: event
+spec:
+ try:
+ - assert:
+ file: event.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/README.md b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/README.md
new file mode 100644
index 0000000000..38ae3c7ef8
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/README.md
@@ -0,0 +1,15 @@
+## Description
+
+This test creates a generate policy, and a resource. A `PolicyError` event should be created upon the failure.
+
+## Steps
+
+1. - Create a policy
+ - Assert the policy becomes ready
+1. - Create a resource
+1. - Asset a `PolicyError` event is created
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/pull/8466
+https://github.com/kyverno/kyverno/pull/1413
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/crd-assert.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/crd-assert.yaml
new file mode 100644
index 0000000000..ea60c1e395
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/crd-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: roles.iam.aws.crossplane.io
+status:
+ acceptedNames:
+ kind: Role
+ listKind: RoleList
+ plural: roles
+ singular: role
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/crd.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/crd.yaml
new file mode 100644
index 0000000000..c2a379e3d0
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/crd.yaml
@@ -0,0 +1,234 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: roles.iam.aws.crossplane.io +spec: + group: iam.aws.crossplane.io + names: + categories: + - crossplane + - managed + - aws + kind: Role + listKind: RoleList + plural: roles + shortNames: + - iamrole + singular: role + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: An Role is a managed resource that represents an AWS IAM Role. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: An RoleSpec defines the desired state of an Role. + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + description: RoleParameters define the desired state of an AWS IAM + Role. 
+ properties: + assumeRolePolicyDocument: + description: AssumeRolePolicyDocument is the the trust relationship + policy document that grants an entity permission to assume the + role. + type: string + description: + description: Description is a description of the role. + type: string + maxSessionDuration: + description: 'MaxSessionDuration is the duration (in seconds) + that you want to set for the specified role. The default maximum + of one hour is applied. This setting can have a value from 1 + hour to 12 hours. Default: 3600' + format: int32 + type: integer + path: + description: 'Path is the path to the role. Default: /' + type: string + permissionsBoundary: + description: PermissionsBoundary is the ARN of the policy that + is used to set the permissions boundary for the role. + type: string + tags: + description: Tags. For more information about tagging, see Tagging + IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + items: + description: Tag represents user-provided metadata that can + be associated with a IAM role. For more information about + tagging, see Tagging IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + description: The key name that can be used to look up or + retrieve the associated value. For example, Department + or Cost Center are common choices. + type: string + value: + description: "The value associated with this tag. For example, + tags with a key name of Department could have values such + as Human Resources, Accounting, and Support. Tags with + a key name of Cost Center might have values that consist + of the number associated with the different cost centers + in your company. Typically, many resources have tags with + the same key name but with different values. \n AWS always + interprets the tag Value as a single string. 
If you need + to store an array, you can store comma-separated values + in the string. However, you must interpret the value in + your code." + type: string + required: + - key + type: object + type: array + required: + - assumeRolePolicyDocument + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: An RoleStatus represents the observed state of an Role. + properties: + atProvider: + description: RoleExternalStatus keeps the state for the external resource + properties: + arn: + description: ARN is the Amazon Resource Name (ARN) specifying + the role. For more information about ARNs and how to use them + in policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide guide. 
+ type: string + roleID: + description: RoleID is the stable and unique string identifying + the role. For more information about IDs, see IAM Identifiers + (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the Using IAM guide. + type: string + required: + - arn + - roleID + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: + - v1beta1 diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/event.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/event.yaml new file mode 100644 index 0000000000..cbb6f6ae86 --- /dev/null +++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/event.yaml 
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Event
+metadata:
+ namespace: default
+involvedObject:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: rbac-policy
+reason: PolicyError
+reportingComponent: kyverno-generate
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/policy-assert.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/policy-assert.yaml
new file mode 100644
index 0000000000..620afcda89
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: rbac-policy
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/policy.yaml
new file mode 100644
index 0000000000..a3ae4a2f8c
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/policy.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: rbac-policy
+spec:
+ rules:
+ - name: rbac-rule
+ generate:
+ apiVersion: iam.aws.crossplane.io/v1beta1
+ data:
+ rules:
+ - verbs:
+ - "*"
+ apiGroups:
+ - "*"
+ resources:
+ - "*"
+ kind: Role
+ name: superuser
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
+ - ns-2
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/resource.yaml
new file mode 100644
index 0000000000..537d944dcd
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/resource.yaml
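Review bot: Nothing in generate-events-upon-fail-generation/policy.yaml says why generation is expected to fail, and the fixture only stays harmless while it does. The `generate` block targets `iam.aws.crossplane.io/v1beta1` `Role` but supplies RBAC-style `rules` with `"*"` verbs, apiGroups and resources under the name `superuser`; presumably the failure comes from the CRD in crd.yaml listing `spec` as required, which this data never provides. I would add a comment above `generate:` such as `# intentionally invalid: data has no spec, which the roles.iam.aws.crossplane.io CRD requires, so generation fails and a PolicyError event is emitted`. That keeps a later edit to the apiVersion or kind from turning this into a test that actually creates a wildcard role.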
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ns-2
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml
new file mode 100644
index 0000000000..8a89845d54
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/03-event.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/03-event.yaml
new file mode 100644
index 0000000000..0caa659f29
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/03-event.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: event
+spec:
+ try:
+ - assert:
+ file: policy-event.yaml
+ - assert:
+ file: resource-event.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/README.md b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/README.md
new file mode 100644
index 0000000000..0da4c4dc51
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/README.md
@@ -0,0 +1,14 @@
+## Description
+
+This test creates a generate policy, and the trigger resource (namespace).
+Two events are generated:
+1. An event for the policy to indicate that a new resource is generated.
+2. An event for the generated resource itself.
+
+## Steps
+
+1. - Create a generate policy
+ - Assert the policy becomes ready
+2. Create the namespace.
+3. - An event is created for the policy with message "resource generated"
+ - An event is created for the generated resource.
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/policy-assert.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/policy-assert.yaml
new file mode 100644
index 0000000000..8598c5b56d
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/policy-event.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/policy-event.yaml
new file mode 100644
index 0000000000..f10e9bbafc
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/policy-event.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Event
+metadata:
+ namespace: default
+involvedObject:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: zk-kafka-address
+type: Normal
+message: resource generated
+reason: PolicyApplied
+action: Resource Generated
+reportingComponent: kyverno-generate
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/policy.yaml
new file mode 100644
index 0000000000..1038f1c5f2
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/policy.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address
+spec:
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ # generate the resource in the new namespace
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/resource-event.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/resource-event.yaml
new file mode 100644
index 0000000000..cb7ee084e6
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/resource-event.yaml
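Review bot: The `match` in generate-events-upon-successful-generation/policy.yaml selects every `Namespace` except four system ones, so for as long as this ClusterPolicy exists it also fires for namespaces created by anything else on the same cluster, including other tests if they run concurrently. The same over-broad scope appears in no-events-upon-skip-generation/policy.yaml, which excludes only `test-ns` and `ns-1` and would therefore generate a deny-all `NetworkPolicy` in any other new namespace (and emit an event that could trip its own `error` check), and in generate-events-upon-successful-mutation/policy.yaml, which matches all `ConfigMap`s so its event assert can be satisfied by a ConfigMap that is not `game-demo`. Scoping each rule to its fixture, here by adding `names:` with `- test-ns` under `resources:` next to `kinds:`, would keep the policies from touching unrelated objects and make each event assertion attributable to the test that owns it.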
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Event
+metadata:
+ namespace: test-ns
+involvedObject:
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: test-ns
+type: Normal
+reason: PolicyApplied
+action: None
+reportingComponent: kyverno-generate
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/resource.yaml
new file mode 100644
index 0000000000..bdf2ddb764
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-ns
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml
new file mode 100644
index 0000000000..8a89845d54
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml
new file mode 100644
index 0000000000..97e3d158d5
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: event
+spec:
+ try:
+ - assert:
+ file: event-assert.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/README.md b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/README.md
new file mode 100644
index 0000000000..04cedd7b27
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test creates a mutate policy which adds labels to the newly created config maps.
+An event is generated upon successful generation.
+
+## Steps
+
+1. - Create a mutate policy
+ - Assert the policy becomes ready
+2. Create a configmap.
+3. An event is created with a message indicating that the config map is successfully mutated.
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/event-assert.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/event-assert.yaml
new file mode 100644
index 0000000000..9827ac90f6
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/event-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Event
+metadata:
+ namespace: default
+involvedObject:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: add-labels
+type: Normal
+reason: PolicyApplied
+action: Resource Mutated
+reportingComponent: kyverno-admission
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/policy-assert.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/policy-assert.yaml
new file mode 100644
index 0000000000..721c465283
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-labels
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/policy.yaml
new file mode 100644
index 0000000000..aa0f7068ff
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-labels
+spec:
+ rules:
+ - name: add-foo
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/resource.yaml
new file mode 100644
index 0000000000..973de47345
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/resource.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: game-demo
+data:
+ key: "some value"
diff --git a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml
new file mode 100644
index 0000000000..8a89845d54
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml
new file mode 100644
index 0000000000..b8a73812df
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: event
+spec:
+ try:
+ - error:
+ file: event.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/README.md b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/README.md
new file mode 100644
index 0000000000..41c59fd108
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/README.md
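Review bot: The `error` step in no-events-upon-skip-generation/03-event.yaml runs right after `resource.yaml` is applied, and as far as I know chainsaw's `error` operation succeeds as soon as no matching object is found, so the check can pass before the generate controller has had any chance to emit an event. That makes the negative assertion weak: a regression that does emit an event for a skipped rule could go unnoticed if the event arrives slightly later. Consider first asserting something positive that shows the trigger was processed (for instance that namespace `ns-1` exists and is active) or adding a short wait before the `error` step; at minimum a comment on the step such as `# passes if no event exists yet; relies on the controller having already evaluated ns-1` would record the timing assumption.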
@@ -0,0 +1,11 @@
+## Description
+
+This test creates a generate policy, and the trigger resource (namespace) `ns-1` which is excluded by the policy.
+No events generated since the `ns-1`
+
+## Steps
+
+1. - Create a generate policy
+ - Assert the policy becomes ready
+2. Create the namespace.
+3. No events generated as the rule result is `skip`
diff --git a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/event.yaml b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/event.yaml
new file mode 100644
index 0000000000..0e0f4dcd93
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/event.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Event
+metadata:
+ namespace: default
+involvedObject:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: default
+reportingComponent: kyverno-generate
diff --git a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/policy-assert.yaml b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/policy-assert.yaml
new file mode 100644
index 0000000000..a434cb1fb9
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: default
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/policy.yaml
new file mode 100644
index 0000000000..e8efe4a8e7
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/policy.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: default
+spec:
+ rules:
+ - name: deny-all-traffic
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - test-ns
+ - ns-1
+ generate:
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: deny-all-traffic
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ spec:
+ # select all pods in the namespace
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/resource.yaml
new file mode 100644
index 0000000000..73054ba477
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ns-1
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/01-policy.yaml b/test/conformance/chainsaw/events/policy/policy-applied/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/02-resource.yaml b/test/conformance/chainsaw/events/policy/policy-applied/02-resource.yaml
new file mode 100644
index 0000000000..8a89845d54
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied/02-resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/03-event.yaml b/test/conformance/chainsaw/events/policy/policy-applied/03-event.yaml
new file mode 100644
index 0000000000..97e3d158d5
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied/03-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: event
+spec:
+ try:
+ - assert:
+ file: event-assert.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/README.md b/test/conformance/chainsaw/events/policy/policy-applied/README.md
new file mode 100644
index 0000000000..a5f5debf1b
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test creates a policy, and a resource.
+A `PolicyApplied` event should be created.
+
+## Steps
+
+1. - Create a policy
+ - Assert the policy becomes ready
+1. - Create a resource
+1. - Asset a `PolicyApplied` event is created
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/event-assert.yaml b/test/conformance/chainsaw/events/policy/policy-applied/event-assert.yaml
new file mode 100644
index 0000000000..f66222be12
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied/event-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Event
+metadata: {}
+involvedObject:
+ apiVersion: kyverno.io/v1
+ kind: Policy
+ name: require-labels
+type: Normal
+reason: PolicyApplied
+reportingComponent: kyverno-admission
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/policy-assert.yaml b/test/conformance/chainsaw/events/policy/policy-applied/policy-assert.yaml
new file mode 100644
index 0000000000..bc25d0fdf8
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml b/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml
new file mode 100644
index 0000000000..9ba84f9f23
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/resource.yaml b/test/conformance/chainsaw/events/policy/policy-applied/resource.yaml
new file mode 100644
index 0000000000..4777dd31fd
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied/resource.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: foo
+ labels:
+ team: kyverno
+
\ No newline at end of file
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/01-policy.yaml b/test/conformance/chainsaw/events/policy/policy-violation/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/02-resource.yaml b/test/conformance/chainsaw/events/policy/policy-violation/02-resource.yaml
new file mode 100644
index 0000000000..64cdfafd61
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation/02-resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
+ check:
+ (error == null): false
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/03-event.yaml b/test/conformance/chainsaw/events/policy/policy-violation/03-event.yaml
new file mode 100644
index 0000000000..97e3d158d5
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation/03-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: event
+spec:
+ try:
+ - assert:
+ file: event-assert.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/README.md b/test/conformance/chainsaw/events/policy/policy-violation/README.md
new file mode 100644
index 0000000000..87b6fc1c04
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, and a resource.
+The resource is expected to be rejected.
+A `PolicyViolation` event should be created.
+
+## Steps
+
+1. - Create a policy
+ - Assert the policy becomes ready
+1. - Try to create a resource, expecting the creation to fail
+1. - Asset a `PolicyViolation` event is created
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/event-assert.yaml b/test/conformance/chainsaw/events/policy/policy-violation/event-assert.yaml
new file mode 100644
index 0000000000..cc0c40b6d5
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation/event-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Event
+metadata: {}
+involvedObject:
+ apiVersion: kyverno.io/v1
+ kind: Policy
+ name: require-labels
+type: Warning
+reason: PolicyViolation
+reportingComponent: kyverno-admission
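Review bot: In `policy-violation/02-resource.yaml`, the check `(error == null): false` is satisfied by any apply error, not only by a denial from the `require-labels` policy, so a failure with an unrelated cause would also pass this step. The `PolicyViolation` assertion in `03-event.yaml` is what actually ties the rejection to the policy, and a comment above the check would make that dependency explicit: `# any apply error passes here; 03-event.yaml confirms the rejection came from the policy`. If the Chainsaw release in use supports matching on the error text, asserting the policy's `The label `team` is required.` message here would be a stronger check of enforcement.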
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/policy-assert.yaml b/test/conformance/chainsaw/events/policy/policy-violation/policy-assert.yaml
new file mode 100644
index 0000000000..bc25d0fdf8
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml b/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml
new file mode 100644
index 0000000000..9ba84f9f23
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/resource.yaml b/test/conformance/chainsaw/events/policy/policy-violation/resource.yaml
new file mode 100644
index 0000000000..2a4a424bcb
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: foo