fix test cli CI failures from main (#3682)

pkg/engine/validation.go

@@ -207,8 +207,7 @@ func (v *validator) validate() *response.RuleResponse {
 	if err != nil {
 		return ruleError(v.rule, response.Validation, "failed to evaluate preconditions", err)
 	}
-
-	if !preconditionsPassed && v.ctx.Policy.GetSpec().ValidationFailureAction != kyverno.Audit {
+	if !preconditionsPassed && (v.ctx.Policy.GetSpec().ValidationFailureAction != kyverno.Audit || store.GetMock()) {
 		return ruleResponse(*v.rule, response.Validation, "preconditions not met", response.RuleStatusSkip, nil)
 	}
 
@@ -249,7 +248,7 @@ func (v *validator) validateForEach() *response.RuleResponse {
 	preconditionsPassed, err := checkPreconditions(v.log, v.ctx, v.anyAllConditions)
 	if err != nil {
 		return ruleError(v.rule, response.Validation, "failed to evaluate preconditions", err)
-	} else if !preconditionsPassed && v.ctx.Policy.GetSpec().ValidationFailureAction != kyverno.Audit {
+	} else if !preconditionsPassed && (v.ctx.Policy.GetSpec().ValidationFailureAction != kyverno.Audit || store.GetMock()) {
 		return ruleResponse(*v.rule, response.Validation, "preconditions not met", response.RuleStatusSkip, nil)
 	}
 

test/cli/test/limit-configmap-for-sa/kyverno-test.yaml

@@ -0,0 +1,17 @@
+name: limit-configmap-for-sa
+policies:
+  - limit_configmap_for_sa.yaml
+resources:
+  - resource.yaml
+variables: variables.yaml
+results:
+  - policy: limit-configmap-for-sa
+    rule: limit-configmap-for-sa-developer
+    resource: any-configmap-name-good
+    kind: ConfigMap
+    result: fail
+  - policy: limit-configmap-for-sa
+    rule: limit-configmap-for-sa-developer
+    resource: any-configmap-name-bad
+    kind: ConfigMap
+    result: skip

test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml

@@ -0,0 +1,51 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: limit-configmap-for-sa
+  annotations:
+    policies.kyverno.io/title: Limit ConfigMap to ServiceAccounts for a User
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.6.0
+    kyverno.io/kubernetes-version: "1.20-1.23"
+    policies.kyverno.io/subject: ConfigMap, ServiceAccount
+    policies.kyverno.io/description: This policy shows how to restrict certain operations on specific ConfigMaps by ServiceAccounts.
+spec:
+  background: false
+  validationFailureAction: enforce
+  rules:
+  - name: limit-configmap-for-sa-developer
+    match:
+      any:
+      - resources:
+          kinds:
+          - "ConfigMap"
+      - resources:
+          kinds:
+          - "ConfigMap"
+        subjects:
+        - kind: ServiceAccount
+          name: another-developer
+          namespace: another-namespace
+    preconditions:
+      all:
+      - key: "{{request.object.metadata.namespace}}"
+        operator: In
+        value:
+        - "any-namespace"
+        - "another-namespace"
+      - key: "{{request.object.metadata.name}}"
+        operator: In
+        value:
+        - "any-configmap-name-good"
+        - "another-configmap-name"
+    validate:
+      message: "{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} resource is protected. Admin or allowed users can change the resource"
+      deny:
+        conditions:
+          all:
+          - key: "{{request.operation}}"
+            operator: "In"
+            value:
+            - "UPDATE"
+            - "CREATE"

test/cli/test/limit-configmap-for-sa/resource.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: any-configmap-name-good
+  namespace: any-namespace
+data:
+  key: value
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: any-configmap-name-bad
+  namespace: any-namespace
+data:
+  key: value

test/cli/test/limit-configmap-for-sa/variables.yaml

@@ -0,0 +1,9 @@
+policies:
+  - name: limit-configmap-for-sa
+    resources:
+      - name: any-configmap-name-good
+        values:
+          request.operation: UPDATE
+      - name: any-configmap-name-bad
+        values:
+          request.operation: UPDATE

test/cli/test/restrict_ingress_host/kyverno-test.yaml

@@ -0,0 +1,27 @@
+name: unique-ingress-host
+policies:
+  - restrict_ingress_host.yaml
+resources:
+  - resource.yaml
+variables: values.yaml
+results:
+  - policy: unique-ingress-host
+    rule: check-single-host
+    resource: ingress-kyverno-host
+    kind: Ingress
+    result: fail
+  - policy: unique-ingress-host
+    rule: check-single-host
+    resource: ingress-foo-host
+    kind: Ingress
+    result: skip
+  - policy: unique-ingress-host
+    rule: deny-multiple-hosts
+    resource: ingress-kyverno-host
+    kind: Ingress
+    result: skip
+  - policy: unique-ingress-host
+    rule: deny-multiple-hosts
+    resource: ingress-foo-host
+    kind: Ingress
+    result: fail

test/cli/test/restrict_ingress_host/resource.yaml

@@ -0,0 +1,47 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-kyverno-host
+spec:
+  rules:
+  - host: www.kyverno.com
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/kyverno"
+        backend:
+          service:
+            name: service1
+            port:
+              number: 80
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-foo-host
+spec:
+  rules:
+  - host: www.foo.com
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/foo"
+        backend:
+          service:
+            name: service2
+            port:
+              number: 80
+  - host: "foo.bar.com"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/bar"
+        backend:
+          service:
+            name: service1
+            port:
+              number: 80
+
+
+

test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml

@@ -0,0 +1,56 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: unique-ingress-host
+  annotations:
+    policies.kyverno.io/title: Unique Ingress Host
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/minversion: 1.3.2
+    policies.kyverno.io/description: >-
+      An Ingress host is a URL at which services may be made available externally. In most cases,
+      these hosts should be unique across the cluster to ensure no routing conflicts occur.
+      This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster.
+      It also ensures that only a single host may be specified in a given manifest.
+spec:
+  validationFailureAction: audit
+  background: false
+  rules:
+    - name: check-single-host
+      match:
+        resources:
+          kinds:
+            - Ingress
+      context:
+        - name: hosts
+          apiCall:
+            urlPath: "/apis/networking.k8s.io/v1/ingresses"
+            jmesPath: "items[].spec.rules[].host"
+      preconditions:
+        all:
+        - key: "{{ request.operation }}"
+          operator: Equals
+          value: CREATE
+        - key: "{{ request.object.spec.rules[].host }}"
+          operator: In
+          value: "{{ hosts }}"
+      validate:
+        message: "The Ingress host name must be unique."
+        deny: {}
+    - name: deny-multiple-hosts
+      match:
+        resources:
+          kinds:
+            - Ingress
+      preconditions:
+        all:
+        - key: "{{ request.operation }}"
+          operator: Equals
+          value: CREATE
+        - key: "{{ request.object.spec.rules[].host | length(@)}}"
+          operator: GreaterThan
+          value: 1
+      validate:
+        message: "An Ingress resource may only contain a single host entry."
+        deny: {}

test/cli/test/restrict_ingress_host/values.yaml

@@ -0,0 +1,13 @@
+policies:
+- name: unique-ingress-host
+  rules:
+  - name: check-single-host
+    values:
+      hosts: "[\"www.github.com\", \"www.kyverno.com\", \"www.nirmata.com\"]"
+  resources:
+  - name: ingress-kyverno-host
+    values:
+      request.operation: CREATE
+  - name: ingress-foo-host
+    values:
+      request.operation: CREATE