fix: Kyverno test ignores variables.yaml file unless context is present (#8339)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
479511c9b8
commit
86f7f40eff
4 changed files with 71 additions and 0 deletions
|
@ -0,0 +1,33 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: deny-modify-platform-label
|
||||
annotations:
|
||||
policies.kyverno.io/title: Deny Modification of platform owned roles
|
||||
policies.kyverno.io/category: Hardening
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Role
|
||||
policies.kyverno.io/description: >-
|
||||
Restrict modification of platform owned roles to admins only
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
background: false
|
||||
rules:
|
||||
- name: deny-modify-platform-role
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Role
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation }}"
|
||||
operator: AnyIn
|
||||
value: ["UPDATE", "DELETE"]
|
||||
- key: "{{ request.userInfo.groups }}"
|
||||
operator: AllNotIn
|
||||
value: ["system:masters"]
|
||||
validate:
|
||||
message: >-
|
||||
Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users.
|
||||
deny: {}
|
12
test/cli/test/deny-modify-platform-label/kyverno-test.yaml
Normal file
12
test/cli/test/deny-modify-platform-label/kyverno-test.yaml
Normal file
|
@ -0,0 +1,12 @@
|
|||
name: modify_with_master_access
|
||||
policies:
|
||||
- deny-modify-platform-label.yaml
|
||||
resources:
|
||||
- resource.yaml
|
||||
variables: variables.yaml
|
||||
results:
|
||||
- policy: deny-modify-platform-label
|
||||
rule: deny-modify-platform-role
|
||||
resource: my-role-with-platform
|
||||
kind: Role
|
||||
result: skip
|
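Review bot: The test pins only the `skip` outcome (`result: skip`) for a caller in `system:masters`, so it never confirms that the deny branch of deny-modify-platform-role fires for a non-admin UPDATE. If the variables file were still ignored, the unresolved `request.userInfo.groups` could plausibly also yield a non-fail result, so a lone skip is weak evidence that the fix is exercised. Adding a second Role to resource.yaml, a second per-resource value set in variables.yaml with a non-admin group, and a matching entry ending in `result: fail` would cover both paths of the policy. Note also that, as far as visible in the policy earlier in this commit, the match selects on kind alone, so the platform label on the fixture does not influence the result.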
14
test/cli/test/deny-modify-platform-label/resource.yaml
Normal file
14
test/cli/test/deny-modify-platform-label/resource.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: my-role-with-platform
|
||||
labels:
|
||||
"hpedevops.net/platform": "true"
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- services
|
||||
verbs:
|
||||
- watch
|
12
test/cli/test/deny-modify-platform-label/variables.yaml
Normal file
12
test/cli/test/deny-modify-platform-label/variables.yaml
Normal file
|
@ -0,0 +1,12 @@
|
|||
# This file sets the values that will be null unless otherwise set explicitly.
|
||||
# We are effectively mocking these values because there is no real API call.
|
||||
policies:
|
||||
- name: deny-modify-platform-label
|
||||
rules:
|
||||
- name: deny-modify-platform-role
|
||||
values:
|
||||
request:
|
||||
operation: "UPDATE"
|
||||
userInfo:
|
||||
groups:
|
||||
- "system:masters"
|
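Review bot: The header comment says the values are mocked but not which scenario they model, which is what a reader needs to connect this file to the `skip` expected in kyverno-test.yaml. The fixture encodes an UPDATE by a member of `system:masters`, the one caller for which the policy's `AllNotIn` precondition fails and the rule is skipped. I would replace the two comment lines with `# Mocks the admission request the CLI cannot obtain: an UPDATE by a system:masters member.` and `# For this caller the AllNotIn precondition fails, so the rule is expected to be skipped.` so the fixture documents its expected effect.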