1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-01-20 18:52:16 +00:00

NK-31: Fixed supporting policies for Endpoints

This commit is contained in:
belyshevdenis 2019-03-11 16:17:58 +02:00
parent 43bb3a47e7
commit 70b658b359
2 changed files with 183 additions and 183 deletions

View file

@ -11,7 +11,7 @@ var supportedKinds = [...]string{
"CronJob",
"DaemonSet",
"Deployment",
"Endpoint",
"Endpoints",
"HorizontalPodAutoscaler",
"Ingress",
"Job",

View file

@ -1,224 +1,224 @@
package webhooks_test
import (
"testing"
"testing"
types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
"github.com/nirmata/kube-policy/webhooks"
v1beta1 "k8s.io/api/admission/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
"github.com/nirmata/kube-policy/webhooks"
v1beta1 "k8s.io/api/admission/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
func TestAdmissionIsRequired(t *testing.T) {
var request v1beta1.AdmissionRequest
request.Kind.Kind = "ConfigMap"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "CronJob"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "DaemonSet"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Deployment"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Endpoint"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "HorizontalPodAutoscaler"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Ingress"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Job"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "LimitRange"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Namespace"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "NetworkPolicy"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "PersistentVolumeClaim"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "PodDisruptionBudget"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "PodTemplate"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "ResourceQuota"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Secret"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Service"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "StatefulSet"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
var request v1beta1.AdmissionRequest
request.Kind.Kind = "ConfigMap"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "CronJob"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "DaemonSet"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Deployment"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Endpoints"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "HorizontalPodAutoscaler"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Ingress"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Job"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "LimitRange"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Namespace"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "NetworkPolicy"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "PersistentVolumeClaim"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "PodDisruptionBudget"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "PodTemplate"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "ResourceQuota"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Secret"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "Service"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
request.Kind.Kind = "StatefulSet"
assertEq(t, true, webhooks.AdmissionIsRequired(&request))
}
func TestIsRuleResourceFitsRequest_Kind(t *testing.T) {
resourceName := "test-config-map"
resource := types.PolicyResource{
Kind: "ConfigMap",
Name: &resourceName,
}
request := v1beta1.AdmissionRequest{
Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
}
resourceName := "test-config-map"
resource := types.PolicyResource{
Kind: "ConfigMap",
Name: &resourceName,
}
request := v1beta1.AdmissionRequest{
Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
}
objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
resource.Kind = "Deployment"
assertEq(t, false, webhooks.IsRuleApplicableToRequest(resource, &request))
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
resource.Kind = "Deployment"
assertEq(t, false, webhooks.IsRuleApplicableToRequest(resource, &request))
}
func TestIsRuleResourceFitsRequest_Name(t *testing.T) {
resourceName := "test-config-map"
resource := types.PolicyResource{
Kind: "ConfigMap",
Name: &resourceName,
}
request := v1beta1.AdmissionRequest{
Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
}
resourceName := "test-config-map"
resource := types.PolicyResource{
Kind: "ConfigMap",
Name: &resourceName,
}
request := v1beta1.AdmissionRequest{
Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
}
objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
resourceName = "test-config-map-new"
assertEq(t, false, webhooks.IsRuleApplicableToRequest(resource, &request))
objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
resourceName = "test-config-map-new"
assertEq(t, false, webhooks.IsRuleApplicableToRequest(resource, &request))
objectByteArray = []byte(`{"metadata":{"name":"test-config-map-new","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
objectByteArray = []byte(`{"metadata":{"name":"test-config-map-new","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
objectByteArray = []byte(`{"metadata":{"name":"","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, false, webhooks.IsRuleApplicableToRequest(resource, &request))
objectByteArray = []byte(`{"metadata":{"name":"","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, false, webhooks.IsRuleApplicableToRequest(resource, &request))
}
func TestIsRuleResourceFitsRequest_MatchExpressions(t *testing.T) {
request := v1beta1.AdmissionRequest{
Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
}
request := v1beta1.AdmissionRequest{
Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
}
resource := types.PolicyResource{
Kind: "ConfigMap",
Selector: &metav1.LabelSelector{
MatchLabels: nil,
MatchExpressions: []metav1.LabelSelectorRequirement{
metav1.LabelSelectorRequirement{
Key: "label2",
Operator: "NotIn",
Values: []string{
"sometest1",
},
},
metav1.LabelSelectorRequirement{
Key: "label1",
Operator: "In",
Values: []string{
"test1",
"test8",
"test201",
},
},
metav1.LabelSelectorRequirement{
Key: "label3",
Operator: "DoesNotExist",
Values: nil,
},
},
},
}
resource := types.PolicyResource{
Kind: "ConfigMap",
Selector: &metav1.LabelSelector{
MatchLabels: nil,
MatchExpressions: []metav1.LabelSelectorRequirement{
metav1.LabelSelectorRequirement{
Key: "label2",
Operator: "NotIn",
Values: []string{
"sometest1",
},
},
metav1.LabelSelectorRequirement{
Key: "label1",
Operator: "In",
Values: []string{
"test1",
"test8",
"test201",
},
},
metav1.LabelSelectorRequirement{
Key: "label3",
Operator: "DoesNotExist",
Values: nil,
},
},
},
}
objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
}
func TestIsRuleResourceFitsRequest_MatchLabels(t *testing.T) {
resource := types.PolicyResource{
Kind: "ConfigMap",
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"label1": "test1",
"label2": "test2",
},
MatchExpressions: nil,
},
}
resource := types.PolicyResource{
Kind: "ConfigMap",
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"label1": "test1",
"label2": "test2",
},
MatchExpressions: nil,
},
}
request := v1beta1.AdmissionRequest{
Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
}
request := v1beta1.AdmissionRequest{
Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
}
objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
objectByteArray = []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label3":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, false, webhooks.IsRuleApplicableToRequest(resource, &request))
objectByteArray = []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label3":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, false, webhooks.IsRuleApplicableToRequest(resource, &request))
resource = types.PolicyResource{
Kind: "ConfigMap",
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"label3": "test1",
"label2": "test2",
},
MatchExpressions: nil,
},
}
resource = types.PolicyResource{
Kind: "ConfigMap",
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"label3": "test1",
"label2": "test2",
},
MatchExpressions: nil,
},
}
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
}
func TestIsRuleResourceFitsRequest_MatchLabelsAndMatchExpressions(t *testing.T) {
request := v1beta1.AdmissionRequest{
Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
}
request := v1beta1.AdmissionRequest{
Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
}
resource := types.PolicyResource{
Kind: "ConfigMap",
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"label1": "test1",
},
MatchExpressions: []metav1.LabelSelectorRequirement{
metav1.LabelSelectorRequirement{
Key: "label2",
Operator: "In",
Values: []string{
"test2",
},
},
},
},
}
resource := types.PolicyResource{
Kind: "ConfigMap",
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"label1": "test1",
},
MatchExpressions: []metav1.LabelSelectorRequirement{
metav1.LabelSelectorRequirement{
Key: "label2",
Operator: "In",
Values: []string{
"test2",
},
},
},
},
}
objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
resource = types.PolicyResource{
Kind: "ConfigMap",
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"label1": "test1",
},
MatchExpressions: []metav1.LabelSelectorRequirement{
metav1.LabelSelectorRequirement{
Key: "label2",
Operator: "NotIn",
Values: []string{
"sometest1",
},
},
},
},
}
resource = types.PolicyResource{
Kind: "ConfigMap",
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"label1": "test1",
},
MatchExpressions: []metav1.LabelSelectorRequirement{
metav1.LabelSelectorRequirement{
Key: "label2",
Operator: "NotIn",
Values: []string{
"sometest1",
},
},
},
},
}
objectByteArray = []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
objectByteArray = []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
request.Object.Raw = objectByteArray
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
}