Add kuttl test for ephemeral containers (#6966)

* Move Sam to Emeritus status

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add kuttl test for ephemeral containers

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

---------

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

test/conformance/kuttl/validate/clusterpolicy/cornercases/ephemeral-containers/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/validate/clusterpolicy/cornercases/ephemeral-containers/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
+assert:
+- resource-assert.yaml

test/conformance/kuttl/validate/clusterpolicy/cornercases/ephemeral-containers/03-debug.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl debug --image=bar.io/busybox:1.35 -c debugger mypod -n default

test/conformance/kuttl/validate/clusterpolicy/cornercases/ephemeral-containers/04-debugassert.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mypod
+  namespace: default
+spec:
+  containers:
+  - image: bar.io/busybox:1.35
+    name: busybox
+  ephemeralContainers:
+  - image: bar.io/busybox:1.35
+    name: debugger

test/conformance/kuttl/validate/clusterpolicy/cornercases/ephemeral-containers/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that Kyverno is able to perform basic validation functions against ephemeral containers.
+
+## Expected Behavior
+
+The initial Pod should be successfully created. An ephemeral container, added via the `kubectl debug` imperative command, should be allowed because it does not violate the policy. If the ephemeral container is added, the test passes. If the debug is blocked, the test fails.
+
+## Reference Issue(s)
+
+6943

test/conformance/kuttl/validate/clusterpolicy/cornercases/ephemeral-containers/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-image-registries
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml

@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-image-registries
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: validate-registries
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "Unknown image registry."
+      pattern:
+        spec:
+          =(ephemeralContainers):
+          - image: "eu.foo.io/* | bar.io/*"
+          =(initContainers):
+          - image: "eu.foo.io/* | bar.io/*"
+          containers:
+          - image: "eu.foo.io/* | bar.io/*"

test/conformance/kuttl/validate/clusterpolicy/cornercases/ephemeral-containers/resource-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mypod
+  namespace: default

test/conformance/kuttl/validate/clusterpolicy/cornercases/ephemeral-containers/resource.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: busybox
+  name: mypod
+  namespace: default
+spec:
+  automountServiceAccountToken: false
+  containers:
+  - name: busybox
+    image: bar.io/busybox:1.35