E2e test for global anchor validate policy (#2479)

* Added test-e2e-local in the Makefile Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * Added a proper Indentation Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * Added e2e test case for global-anchor validate policy Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * Added resources Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
2025-03-31 03:45:17 +00:00 · 2021-10-21 05:25:55 +05:30 · 2021-10-21 05:25:55 +05:30 · 7d65ebbd87
commit 7d65ebbd87
parent 65fd07eac6
2 changed files with 71 additions and 0 deletions
--- a/test/e2e/validate/config.go
+++ b/test/e2e/validate/config.go
@ -65,4 +65,26 @@ var ValidateTests = []struct {
 		ResourceRaw:       kyverno_2345_resource,
 		MustSucceed:       false,
 	},
+	{
+		// Case for https://github.com/kyverno/kyverno/issues/2390 issue
+		TestDescription:   "checks that policy contains global anchor fields",
+		PolicyName:        "check-image-pull-secret",
+		PolicyRaw:         kyverno_global_anchor_validate_policy,
+		ResourceName:      "pod-with-nginx-allowed-registory",
+		ResourceNamespace: "",
+		ResourceGVR:       podGVR,
+		ResourceRaw:       kyverno_global_anchor_validate_resource_1,
+		MustSucceed:       true,
+	},
+	{
+		// Case for https://github.com/kyverno/kyverno/issues/2390 issue
+		TestDescription:   "checks that policy contains global anchor fields",
+		PolicyName:        "check-image-pull-secret",
+		PolicyRaw:         kyverno_global_anchor_validate_policy,
+		ResourceName:      "pod-with-nginx-disallowed-registory",
+		ResourceNamespace: "",
+		ResourceGVR:       podGVR,
+		ResourceRaw:       kyverno_global_anchor_validate_resource_2,
+		MustSucceed:       false,
+	},
 }
--- a/test/e2e/validate/resources.go
+++ b/test/e2e/validate/resources.go
@ -631,3 +631,52 @@ spec:
        drop:
        - CAP_SOMETHING
 `)
+
+var kyverno_global_anchor_validate_policy = []byte(`
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sample
+spec:
+  validationFailureAction: enforce
+  rules:
+  - name: check-container-image
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            <(image): "nginx"
+          imagePullSecrets:
+          - name: my-registry-secret
+`)
+
+var kyverno_global_anchor_validate_resource_1 = []byte(`
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-nginx-allowed-registory
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+  imagePullSecrets:
+  - name: my-registry-secret
+`)
+
+var kyverno_global_anchor_validate_resource_2 = []byte(`
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-nginx-disallowed-registory
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+  imagePullSecrets:
+  - name: other-registory-secret
+`)