mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-31 03:45:17 +00:00
chore: remove testrunner package (#6283)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché
GitHub
parent
bfdde54291
commit
7337d099bd
4 changed files with 0 additions and 689 deletions
|
|
@ -1,484 +0,0 @@
|
|||
package testrunner
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/json"
|
||||
"os"
|
||||
ospath "path"
|
||||
"path/filepath"
|
||||
"reflect"
|
||||
"runtime"
|
||||
"testing"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"gopkg.in/yaml.v3"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
k8sRuntime "k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
apiyaml "k8s.io/apimachinery/pkg/util/yaml"
|
||||
"k8s.io/client-go/kubernetes/scheme"
|
||||
)
|
||||
|
||||
type Scenario struct {
|
||||
TestCases []TestCase
|
||||
}
|
||||
|
||||
// TestCase defines input and output for a case
|
||||
type TestCase struct {
|
||||
Input Input `yaml:"input"`
|
||||
Expected Expected `yaml:"expected"`
|
||||
}
|
||||
|
||||
// Input defines input for a test scenario
|
||||
type Input struct {
|
||||
Policy string `yaml:"policy"`
|
||||
Resource string `yaml:"resource"`
|
||||
LoadResources []string `yaml:"loadresources,omitempty"`
|
||||
}
|
||||
|
||||
type Expected struct {
|
||||
Mutation Mutation `yaml:"mutation,omitempty"`
|
||||
Validation Validation `yaml:"validation,omitempty"`
|
||||
Generation Generation `yaml:"generation,omitempty"`
|
||||
}
|
||||
|
||||
type Mutation struct {
|
||||
// path to the patched resource to be compared with
|
||||
PatchedResource string `yaml:"patchedresource,omitempty"`
|
||||
// expected response from the policy engine
|
||||
PolicyResponse engineapi.PolicyResponse `yaml:"policyresponse"`
|
||||
}
|
||||
|
||||
type Validation struct {
|
||||
// expected response from the policy engine
|
||||
PolicyResponse engineapi.PolicyResponse `yaml:"policyresponse"`
|
||||
}
|
||||
|
||||
type Generation struct {
|
||||
// generated resources
|
||||
GeneratedResources []kyvernov1.ResourceSpec `yaml:"generatedResources"`
|
||||
// expected response from the policy engine
|
||||
PolicyResponse engineapi.PolicyResponse `yaml:"policyresponse"`
|
||||
}
|
||||
|
||||
// RootDir returns the kyverno project directory based on the location of the current file.
|
||||
// It assumes that the project directory is 2 levels up. This means if this function is moved
|
||||
// it may not work as expected.
|
||||
func RootDir() string {
|
||||
_, b, _, _ := runtime.Caller(0) //nolint:dogsled
|
||||
d := ospath.Join(ospath.Dir(b))
|
||||
d = filepath.Dir(d)
|
||||
return filepath.Dir(d)
|
||||
}
|
||||
|
||||
// getRelativePath expects a path relative to project and builds the complete path
|
||||
func getRelativePath(path string) string {
|
||||
root := RootDir()
|
||||
return ospath.Join(root, path)
|
||||
}
|
||||
|
||||
func loadScenario(t *testing.T, path string) (*Scenario, error) {
|
||||
t.Helper()
|
||||
fileBytes, err := loadFile(t, path)
|
||||
assert.Nil(t, err)
|
||||
|
||||
var testCases []TestCase
|
||||
// load test cases separated by '---'
|
||||
// each test case defines an input & expected result
|
||||
scenariosBytes := bytes.Split(fileBytes, []byte("---"))
|
||||
for _, testCaseBytes := range scenariosBytes {
|
||||
var tc TestCase
|
||||
if err := yaml.Unmarshal(testCaseBytes, &tc); err != nil {
|
||||
t.Errorf("failed to decode test case YAML: %v", err)
|
||||
continue
|
||||
}
|
||||
|
||||
testCases = append(testCases, tc)
|
||||
}
|
||||
|
||||
scenario := Scenario{
|
||||
TestCases: testCases,
|
||||
}
|
||||
|
||||
return &scenario, nil
|
||||
}
|
||||
|
||||
// loadFile loads file in byte buffer
|
||||
func loadFile(t *testing.T, path string) ([]byte, error) {
|
||||
t.Helper()
|
||||
path = getRelativePath(path)
|
||||
t.Logf("reading file %s", path)
|
||||
if _, err := os.Stat(path); os.IsNotExist(err) {
|
||||
return nil, err
|
||||
}
|
||||
path = filepath.Clean(path)
|
||||
// We accept the risk of including a user provided file here.
|
||||
return os.ReadFile(path) // #nosec G304
|
||||
}
|
||||
|
||||
func runScenario(t *testing.T, s *Scenario) bool {
|
||||
t.Helper()
|
||||
for _, tc := range s.TestCases {
|
||||
runTestCase(t, tc)
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func runTestCase(t *testing.T, tc TestCase) bool {
|
||||
t.Helper()
|
||||
policy := loadPolicy(t, tc.Input.Policy)
|
||||
if policy == nil {
|
||||
t.Error("Policy not loaded")
|
||||
t.FailNow()
|
||||
}
|
||||
|
||||
resource := loadPolicyResource(t, tc.Input.Resource)
|
||||
if resource == nil {
|
||||
t.Error("Resources not loaded")
|
||||
t.FailNow()
|
||||
}
|
||||
|
||||
policyContext := engine.NewPolicyContext().WithPolicy(policy).WithNewResource(*resource)
|
||||
eng := engine.NewEngine(
|
||||
config.NewDefaultConfiguration(),
|
||||
nil,
|
||||
registryclient.NewOrDie(),
|
||||
engineapi.DefaultContextLoaderFactory(nil),
|
||||
nil,
|
||||
)
|
||||
er := eng.Mutate(
|
||||
context.TODO(),
|
||||
policyContext,
|
||||
)
|
||||
t.Log("---Mutation---")
|
||||
validateResource(t, er.PatchedResource, tc.Expected.Mutation.PatchedResource)
|
||||
validateResponse(t, er.PolicyResponse, tc.Expected.Mutation.PolicyResponse)
|
||||
|
||||
// pass the patched resource from mutate to validate
|
||||
if len(er.PolicyResponse.Rules) > 0 {
|
||||
resource = &er.PatchedResource
|
||||
}
|
||||
|
||||
policyContext = policyContext.WithNewResource(*resource)
|
||||
|
||||
er = eng.Validate(
|
||||
context.TODO(),
|
||||
policyContext,
|
||||
)
|
||||
t.Log("---Validation---")
|
||||
validateResponse(t, er.PolicyResponse, tc.Expected.Validation.PolicyResponse)
|
||||
|
||||
// Generation
|
||||
if resource.GetKind() == "Namespace" {
|
||||
// generate mock client if resources are to be loaded
|
||||
// - create mock client
|
||||
// - load resources
|
||||
client := getClient(t, tc.Input.LoadResources)
|
||||
t.Logf("creating NS %s", resource.GetName())
|
||||
if err := createNamespace(client, resource); err != nil {
|
||||
t.Error(err)
|
||||
} else {
|
||||
er = eng.ApplyBackgroundChecks(context.TODO(), policyContext)
|
||||
t.Log(("---Generation---"))
|
||||
validateResponse(t, er.PolicyResponse, tc.Expected.Generation.PolicyResponse)
|
||||
// Expected generate resource will be in same namespaces as resource
|
||||
validateGeneratedResources(t, client, *policy, resource.GetName(), tc.Expected.Generation.GeneratedResources)
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func createNamespace(client dclient.Interface, ns *unstructured.Unstructured) error {
|
||||
_, err := client.CreateResource(context.TODO(), "", "Namespace", "", ns, false)
|
||||
return err
|
||||
}
|
||||
|
||||
func validateGeneratedResources(t *testing.T, client dclient.Interface, policy kyvernov1.ClusterPolicy, namespace string, expected []kyvernov1.ResourceSpec) {
|
||||
t.Helper()
|
||||
t.Log("--validate if resources are generated---")
|
||||
// list of expected generated resources
|
||||
for _, resource := range expected {
|
||||
if _, err := client.GetResource(context.TODO(), "", resource.Kind, namespace, resource.Name); err != nil {
|
||||
t.Errorf("generated resource %s/%s/%s not found. %v", resource.Kind, namespace, resource.Name, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func validateResource(t *testing.T, responseResource unstructured.Unstructured, expectedResourceFile string) {
|
||||
t.Helper()
|
||||
resourcePrint := func(obj unstructured.Unstructured, msg string) {
|
||||
t.Logf("-----%s----", msg)
|
||||
if data, err := obj.MarshalJSON(); err == nil {
|
||||
t.Log(string(data))
|
||||
}
|
||||
}
|
||||
if expectedResourceFile == "" {
|
||||
t.Log("expected resource file not specified, wont compare resources")
|
||||
return
|
||||
}
|
||||
// load expected resource
|
||||
expectedResource := loadPolicyResource(t, expectedResourceFile)
|
||||
if expectedResource == nil {
|
||||
t.Logf("failed to get the expected resource: %s", expectedResourceFile)
|
||||
return
|
||||
}
|
||||
|
||||
// compare the resources
|
||||
if !reflect.DeepEqual(responseResource, *expectedResource) {
|
||||
t.Error("failed: response resource returned does not match expected resource")
|
||||
resourcePrint(responseResource, "response resource")
|
||||
resourcePrint(*expectedResource, "expected resource")
|
||||
return
|
||||
}
|
||||
t.Log("success: response resource returned matches expected resource")
|
||||
}
|
||||
|
||||
func validateResponse(t *testing.T, er engineapi.PolicyResponse, expected engineapi.PolicyResponse) {
|
||||
t.Helper()
|
||||
if reflect.DeepEqual(expected, engineapi.PolicyResponse{}) {
|
||||
t.Log("no response expected")
|
||||
return
|
||||
}
|
||||
// can't do deepEquals and the stats will be different, so we remove those fields and then do a comparison
|
||||
// forcing only the fields that are specified to be compared
|
||||
// doing a field by fields comparison will allow us to provide more details logs and granular error reporting
|
||||
// compare policy spec
|
||||
comparePolicySpec(t, er.Policy, expected.Policy)
|
||||
// compare resource spec
|
||||
compareResourceSpec(t, er.Resource, expected.Resource)
|
||||
|
||||
// rules
|
||||
if len(er.Rules) != len(expected.Rules) {
|
||||
t.Errorf("rule count error, er.Rules=%v, expected.Rules=%v", er.Rules, expected.Rules)
|
||||
return
|
||||
}
|
||||
if len(er.Rules) == len(expected.Rules) {
|
||||
// if there are rules being applied then we compare the rule response
|
||||
// as the rules are applied in the order defined, the comparison of rules will be in order
|
||||
for index, r := range expected.Rules {
|
||||
compareRules(t, er.Rules[index], r)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func comparePolicySpec(t *testing.T, policy engineapi.PolicySpec, expectedPolicy engineapi.PolicySpec) {
|
||||
t.Helper()
|
||||
// namespace
|
||||
if policy.Namespace != expectedPolicy.Namespace {
|
||||
t.Errorf("namespace: expected %s, received %s", expectedPolicy.Namespace, policy.Namespace)
|
||||
}
|
||||
// name
|
||||
if policy.Name != expectedPolicy.Name {
|
||||
t.Errorf("name: expected %s, received %s", expectedPolicy.Name, policy.Name)
|
||||
}
|
||||
}
|
||||
|
||||
func compareResourceSpec(t *testing.T, resource engineapi.ResourceSpec, expectedResource engineapi.ResourceSpec) {
|
||||
t.Helper()
|
||||
// kind
|
||||
if resource.Kind != expectedResource.Kind {
|
||||
t.Errorf("kind: expected %s, received %s", expectedResource.Kind, resource.Kind)
|
||||
}
|
||||
// //TODO apiVersion
|
||||
// if resource.APIVersion != expectedResource.APIVersion {
|
||||
// t.Error("error: apiVersion")
|
||||
// }
|
||||
|
||||
// namespace
|
||||
if resource.Namespace != expectedResource.Namespace {
|
||||
t.Errorf("namespace: expected %s, received %s", expectedResource.Namespace, resource.Namespace)
|
||||
}
|
||||
// name
|
||||
if resource.Name != expectedResource.Name {
|
||||
t.Errorf("name: expected %s, received %s", expectedResource.Name, resource.Name)
|
||||
}
|
||||
}
|
||||
|
||||
func compareRules(t *testing.T, rule engineapi.RuleResponse, expectedRule engineapi.RuleResponse) {
|
||||
t.Helper()
|
||||
// name
|
||||
if rule.Name != expectedRule.Name {
|
||||
t.Errorf("rule name: expected %s, received %+v", expectedRule.Name, rule.Name)
|
||||
// as the rule names dont match no need to compare the rest of the information
|
||||
}
|
||||
// type
|
||||
if rule.Type != expectedRule.Type {
|
||||
t.Errorf("rule type: expected %s, received %s", expectedRule.Type, rule.Type)
|
||||
}
|
||||
// message
|
||||
// compare messages if expected rule message is not empty
|
||||
if expectedRule.Message != "" && rule.Message != expectedRule.Message {
|
||||
t.Errorf("rule message: expected %s, received %s", expectedRule.Message, rule.Message)
|
||||
}
|
||||
// //TODO patches
|
||||
// if reflect.DeepEqual(rule.Patches, expectedRule.Patches) {
|
||||
// t.Log("error: patches")
|
||||
// }
|
||||
|
||||
// success
|
||||
if rule.Status != expectedRule.Status {
|
||||
t.Errorf("rule status mismatch: expected %s, received %s", expectedRule.Status, rule.Status)
|
||||
}
|
||||
}
|
||||
|
||||
func loadPolicyResource(t *testing.T, file string) *unstructured.Unstructured {
|
||||
t.Helper()
|
||||
// expect only one resource to be specified in the YAML
|
||||
resources := loadResource(t, file)
|
||||
if resources == nil {
|
||||
t.Log("no resource specified")
|
||||
return nil
|
||||
}
|
||||
if len(resources) > 1 {
|
||||
t.Logf("more than one resource specified in the file %s", file)
|
||||
t.Log("considering the first one for policy application")
|
||||
}
|
||||
|
||||
for _, r := range resources {
|
||||
metadata := r.UnstructuredContent()["metadata"].(map[string]interface{})
|
||||
delete(metadata, "creationTimestamp")
|
||||
}
|
||||
|
||||
return resources[0]
|
||||
}
|
||||
|
||||
func getClient(t *testing.T, files []string) dclient.Interface {
|
||||
t.Helper()
|
||||
var objects []k8sRuntime.Object
|
||||
for _, file := range files {
|
||||
objects = loadObjects(t, file)
|
||||
}
|
||||
// create mock client
|
||||
scheme := k8sRuntime.NewScheme()
|
||||
// mock client expects the resource to be as runtime.Object
|
||||
c, err := dclient.NewFakeClient(scheme, nil, objects...)
|
||||
if err != nil {
|
||||
t.Errorf("failed to create client. %v", err)
|
||||
return nil
|
||||
}
|
||||
// get GVR from GVK
|
||||
gvrs := getGVRForResources(objects)
|
||||
c.SetDiscovery(dclient.NewFakeDiscoveryClient(gvrs))
|
||||
t.Log("created mock client with pre-loaded resources")
|
||||
return c
|
||||
}
|
||||
|
||||
func getGVRForResources(objects []k8sRuntime.Object) []schema.GroupVersionResource {
|
||||
var gvrs []schema.GroupVersionResource
|
||||
for _, obj := range objects {
|
||||
gvk := obj.GetObjectKind().GroupVersionKind()
|
||||
gv := gvk.GroupVersion()
|
||||
// maintain a static map for kind -> Resource
|
||||
gvr := gv.WithResource(getResourceFromKind(gvk.Kind))
|
||||
gvrs = append(gvrs, gvr)
|
||||
}
|
||||
return gvrs
|
||||
}
|
||||
|
||||
func loadResource(t *testing.T, path string) []*unstructured.Unstructured {
|
||||
t.Helper()
|
||||
var unstrResources []*unstructured.Unstructured
|
||||
t.Logf("loading resource from %s", path)
|
||||
data, err := loadFile(t, path)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
rBytes := bytes.Split(data, []byte("---"))
|
||||
for _, r := range rBytes {
|
||||
decode := scheme.Codecs.UniversalDeserializer().Decode
|
||||
obj, _, err := decode(r, nil, nil)
|
||||
if err != nil {
|
||||
t.Logf("failed to decode resource: %v", err)
|
||||
continue
|
||||
}
|
||||
|
||||
data, err := k8sRuntime.DefaultUnstructuredConverter.ToUnstructured(&obj)
|
||||
if err != nil {
|
||||
t.Logf("failed to unmarshall resource. %v", err)
|
||||
continue
|
||||
}
|
||||
unstr := unstructured.Unstructured{Object: data}
|
||||
t.Logf("loaded resource %s/%s/%s", unstr.GetKind(), unstr.GetNamespace(), unstr.GetName())
|
||||
unstrResources = append(unstrResources, &unstr)
|
||||
}
|
||||
return unstrResources
|
||||
}
|
||||
|
||||
func loadObjects(t *testing.T, path string) []k8sRuntime.Object {
|
||||
t.Helper()
|
||||
var resources []k8sRuntime.Object
|
||||
t.Logf("loading objects from %s", path)
|
||||
data, err := loadFile(t, path)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
rBytes := bytes.Split(data, []byte("---"))
|
||||
for _, r := range rBytes {
|
||||
decode := scheme.Codecs.UniversalDeserializer().Decode
|
||||
obj, gvk, err := decode(r, nil, nil)
|
||||
if err != nil {
|
||||
t.Logf("failed to decode resource: %v", err)
|
||||
continue
|
||||
}
|
||||
t.Log(gvk)
|
||||
t.Logf("loaded object %s", gvk.Kind)
|
||||
resources = append(resources, obj)
|
||||
}
|
||||
return resources
|
||||
}
|
||||
|
||||
func loadPolicy(t *testing.T, path string) *kyvernov1.ClusterPolicy {
|
||||
t.Helper()
|
||||
t.Logf("loading policy from %s", path)
|
||||
data, err := loadFile(t, path)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
var policies []*kyvernov1.ClusterPolicy
|
||||
pBytes := bytes.Split(data, []byte("---"))
|
||||
for _, p := range pBytes {
|
||||
policy := kyvernov1.ClusterPolicy{}
|
||||
pBytes, err := apiyaml.ToJSON(p)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
continue
|
||||
}
|
||||
|
||||
if err := json.Unmarshal(pBytes, &policy); err != nil {
|
||||
t.Logf("failed to marshall polic. %v", err)
|
||||
continue
|
||||
}
|
||||
t.Logf("loaded policy %s", policy.Name)
|
||||
policies = append(policies, &policy)
|
||||
}
|
||||
|
||||
if len(policies) == 0 {
|
||||
t.Log("no policies loaded")
|
||||
return nil
|
||||
}
|
||||
if len(policies) > 1 {
|
||||
t.Log("more than one policy defined, considering first for processing")
|
||||
}
|
||||
return policies[0]
|
||||
}
|
||||
|
||||
func testScenario(t *testing.T, path string) {
|
||||
t.Helper()
|
||||
// flag.Set("logtostderr", "true")
|
||||
// flag.Set("v", "8")
|
||||
|
||||
scenario, err := loadScenario(t, path)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
return
|
||||
}
|
||||
|
||||
runScenario(t, scenario)
|
||||
}
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
package testrunner
|
||||
|
||||
import (
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"gopkg.in/yaml.v3"
|
||||
"gotest.tools/assert"
|
||||
)
|
||||
|
||||
var sourceYAML = `
|
||||
input:
|
||||
policy: test/best_practices/disallow_bind_mounts.yaml
|
||||
resource: test/resources/disallow_host_filesystem.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
policy:
|
||||
namespace: ''
|
||||
name: disallow-bind-mounts
|
||||
resource:
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
namespace: ''
|
||||
name: image-with-hostpath
|
||||
rules:
|
||||
- name: validate-hostPath
|
||||
type: Validation
|
||||
status: fail
|
||||
`
|
||||
|
||||
func Test_parse_yaml(t *testing.T) {
|
||||
var s TestCase
|
||||
if err := yaml.Unmarshal([]byte(sourceYAML), &s); err != nil {
|
||||
t.Errorf("failed to parse YAML: %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
assert.Equal(t, s.Expected.Validation.PolicyResponse.Policy.Name, "disallow-bind-mounts")
|
||||
assert.Equal(t, 1, len(s.Expected.Validation.PolicyResponse.Rules), "invalid rule count")
|
||||
assert.Equal(t, engineapi.RuleStatusFail, s.Expected.Validation.PolicyResponse.Rules[0].Status, "invalid status")
|
||||
}
|
||||
|
||||
func Test_parse_file(t *testing.T) {
|
||||
s, err := loadScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml")
|
||||
assert.NilError(t, err)
|
||||
|
||||
assert.Equal(t, 1, len(s.TestCases))
|
||||
assert.Equal(t, s.TestCases[0].Expected.Validation.PolicyResponse.Policy.Name, "disallow-bind-mounts")
|
||||
assert.Equal(t, 1, len(s.TestCases[0].Expected.Validation.PolicyResponse.Rules), "invalid rule count")
|
||||
assert.Equal(t, engineapi.RuleStatusFail, s.TestCases[0].Expected.Validation.PolicyResponse.Rules[0].Status, "invalid status")
|
||||
}
|
||||
|
||||
func Test_parse_file2(t *testing.T) {
|
||||
path := getRelativePath("test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml")
|
||||
data, err := os.ReadFile(path)
|
||||
assert.NilError(t, err)
|
||||
|
||||
strData := string(data)
|
||||
var s TestCase
|
||||
if err := yaml.Unmarshal([]byte(strData), &s); err != nil {
|
||||
t.Errorf("failed to parse YAML: %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
assert.Equal(t, s.Expected.Validation.PolicyResponse.Policy.Name, "disallow-bind-mounts")
|
||||
assert.Equal(t, 1, len(s.Expected.Validation.PolicyResponse.Rules), "invalid rule count")
|
||||
assert.Equal(t, engineapi.RuleStatusFail, s.Expected.Validation.PolicyResponse.Rules[0].Status, "invalid status")
|
||||
}
|
||||
|
|
@ -1,88 +0,0 @@
|
|||
package testrunner
|
||||
|
||||
import "testing"
|
||||
|
||||
func Test_Mutate_EndPoint(t *testing.T) {
|
||||
testScenario(t, "/test/scenarios/other/scenario_mutate_endpoint.yaml")
|
||||
}
|
||||
|
||||
func Test_Mutate_Validate_qos(t *testing.T) {
|
||||
testScenario(t, "/test/scenarios/other/scenario_mutate_validate_qos.yaml")
|
||||
}
|
||||
|
||||
func Test_disallow_privileged(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/best_practices/disallow_priviledged.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_healthChecks(t *testing.T) {
|
||||
testScenario(t, "/test/scenarios/other/scenario_validate_healthChecks.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_host_network_port(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/best_practices/disallow_host_network_port.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_host_PID_IPC(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml")
|
||||
}
|
||||
|
||||
//TODO: support generate
|
||||
// func Test_add_ns_quota(t *testing.T) {
|
||||
// testScenario(t, "test/scenarios/samples/best_practices/add_ns_quota.yaml")
|
||||
// }
|
||||
|
||||
func Test_validate_disallow_default_serviceaccount(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_selinux_context(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/other/scenario_validate_selinux_context.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_proc_mount(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/other/scenario_validate_default_proc_mount.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_volume_whitelist(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/other/scenario_validate_volume_whiltelist.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_disallow_bind_mounts_fail(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_disallow_bind_mounts_pass(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml")
|
||||
}
|
||||
|
||||
func Test_disallow_sysctls(t *testing.T) {
|
||||
testScenario(t, "/test/scenarios/samples/best_practices/disallow_sysctls.yaml")
|
||||
}
|
||||
|
||||
func Test_add_safe_to_evict(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict.yaml")
|
||||
}
|
||||
|
||||
func Test_add_safe_to_evict_annotation2(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict2.yaml")
|
||||
}
|
||||
|
||||
func Test_add_safe_to_evict_annotation3(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict3.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_restrict_automount_sa_token_pass(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/more/restrict_automount_sa_token.yaml")
|
||||
}
|
||||
|
||||
func Test_known_ingress(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/more/restrict_ingress_classes.yaml")
|
||||
}
|
||||
|
||||
func Test_unknown_ingress(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/more/unknown_ingress_class.yaml")
|
||||
}
|
||||
|
||||
func Test_mutate_pod_spec(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/other/scenario_mutate_pod_spec.yaml")
|
||||
}
|
||||
|
|
@ -1,47 +0,0 @@
|
|||
package testrunner
|
||||
|
||||
import (
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
||||
// LoadFile loads file in byte buffer
|
||||
func LoadFile(path string) ([]byte, error) {
|
||||
if _, err := os.Stat(path); os.IsNotExist(err) {
|
||||
return nil, err
|
||||
}
|
||||
path = filepath.Clean(path)
|
||||
// We accept the risk of including a user provided file here.
|
||||
return os.ReadFile(path) // #nosec G304
|
||||
}
|
||||
|
||||
var kindToResource = map[string]string{
|
||||
"ConfigMap": "configmaps",
|
||||
"Endpoints": "endpoints",
|
||||
"Namespace": "namespaces",
|
||||
"Secret": "secrets",
|
||||
"Service": "services",
|
||||
"Deployment": "deployments",
|
||||
"NetworkPolicy": "networkpolicies",
|
||||
}
|
||||
|
||||
func getResourceFromKind(kind string) string {
|
||||
if resource, ok := kindToResource[kind]; ok {
|
||||
return resource
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// ConvertToUnstructured converts a resource to unstructured format
|
||||
func ConvertToUnstructured(data []byte) (*unstructured.Unstructured, error) {
|
||||
resource := &unstructured.Unstructured{}
|
||||
err := resource.UnmarshalJSON(data)
|
||||
if err != nil {
|
||||
logging.Error(err, "failed to unmarshal resource")
|
||||
return nil, err
|
||||
}
|
||||
return resource, nil
|
||||
}
|
||||
Loading…
Add table
Reference in a new issue