diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go
index 8c688f3635..0336da9a79 100644
--- a/pkg/controllers/webhook/controller.go
+++ b/pkg/controllers/webhook/controller.go
@@ -853,6 +853,17 @@ func (c *controller) getLease() (*coordinationv1.Lease, error) {
 return c.leaseLister.Leases(config.KyvernoNamespace()).Get("kyverno-health")
 }
 
+// GroupVersionResourceScope adds the resource scope to the GVR
+type GroupVersionResourceScope struct {
+ schema.GroupVersionResource
+ Scope admissionregistrationv1.ScopeType
+}
+
+// String puts / between group/version/resource and scope
+func (gvs GroupVersionResourceScope) String() string {
+ return gvs.GroupVersion().String() + "/" + gvs.Resource + "/" + string(gvs.Scope)
+}
+
 // mergeWebhook merges the matching kinds of the policy to webhook.rule
 func (c *controller) mergeWebhook(dst *webhook, policy kyvernov1.PolicyInterface, updateValidate bool) {
 var matchedGVK []string
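Review bot: `GroupVersionResourceScope` and its `Scope` field are exported although every consumer visible in this commit (`mergeWebhook` here, `webhook.set` and `utils_test.go`) lives in the same package, while the parallel key type the commit adds to utils.go, `groupVersionScope`, is unexported; unless another package needs it, keeping both unexported gives the package a consistent surface. The two doc comments also read as fragments where Go doc convention expects a sentence, e.g. `// GroupVersionResourceScope is a GroupVersionResource together with the admission scope it is registered under.` and `// String formats the value as group/version/resource/scope.`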
@@ -873,31 +884,43 @@ func (c *controller) mergeWebhook(dst *webhook, policy kyvernov1.PolicyInterface
 matchedGVK = append(matchedGVK, rule.MatchResources.GetKinds()...)
 }
 }
- var gvrsList []schema.GroupVersionResource
+ var gvrsList []GroupVersionResourceScope
 for _, gvk := range matchedGVK {
 // NOTE: webhook stores GVR in its rules while policy stores GVK in its rules definition
 group, version, kind, subresource := kubeutils.ParseKindSelector(gvk)
+
+ // if kind or group is `*` we use the scope of the policy
+ policyScope := admissionregistrationv1.AllScopes
+ if policy.IsNamespaced() {
+ policyScope = admissionregistrationv1.NamespacedScope
+ }
+
 // if kind is `*` no need to lookup resources
 if kind == "*" && subresource == "*" {
- gvrsList = append(gvrsList, schema.GroupVersionResource{Group: group, Version: version, Resource: "*/*"})
+ gvrsList = append(gvrsList, GroupVersionResourceScope{GroupVersionResource: schema.GroupVersionResource{Group: group, Version: version, Resource: "*/*"}, Scope: policyScope})
 } else if kind == "*" && subresource == "" {
- gvrsList = append(gvrsList, schema.GroupVersionResource{Group: group, Version: version, Resource: "*"})
+ gvrsList = append(gvrsList, GroupVersionResourceScope{GroupVersionResource: schema.GroupVersionResource{Group: group, Version: version, Resource: "*"}, Scope: policyScope})
 } else if kind == "*" && subresource != "" {
- gvrsList = append(gvrsList, schema.GroupVersionResource{Group: group, Version: version, Resource: "*/" + subresource})
+ gvrsList = append(gvrsList, GroupVersionResourceScope{GroupVersionResource: schema.GroupVersionResource{Group: group, Version: version, Resource: "*/" + subresource}, Scope: policyScope})
 } else {
 gvrss, err := c.discoveryClient.FindResources(group, version, kind, subresource)
 if err != nil {
 logger.Error(err, "unable to find resource", "group", group, "version", version, "kind", kind, "subresource", subresource)
 continue
 }
- for gvrs := range gvrss {
- gvrsList = append(gvrsList, gvrs.GroupVersion.WithResource(gvrs.ResourceSubresource()))
+ for gvrs, resource := range gvrss {
+ resourceScope := admissionregistrationv1.AllScopes
+ if resource.Namespaced {
+ resourceScope = admissionregistrationv1.NamespacedScope
+ }
+ gvrsList = append(gvrsList, GroupVersionResourceScope{GroupVersionResource: gvrs.GroupVersion.WithResource(gvrs.ResourceSubresource()), Scope: resourceScope})
 }
 }
 }
- for _, gvr := range gvrsList {
- dst.set(gvr)
+ for _, gvrs := range gvrsList {
+ dst.set(gvrs)
 }
+
 spec := policy.GetSpec()
 if spec.WebhookTimeoutSeconds != nil {
 if dst.maxWebhookTimeout < *spec.WebhookTimeoutSeconds {
diff --git a/pkg/controllers/webhook/utils.go b/pkg/controllers/webhook/utils.go
index b93ba3954e..2f71a717d8 100644
--- a/pkg/controllers/webhook/utils.go
+++ b/pkg/controllers/webhook/utils.go
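Review bot: `policyScope` is derived from `policy.IsNamespaced()` inside the `for _, gvk := range matchedGVK` loop although it does not depend on `gvk`, and the three wildcard branches now differ only in the `Resource` string they build, so the same append literal is repeated three times. Hoisting the scope above the loop and computing the resource string once keeps the scope decision in a single place and makes the wildcard path short enough to read at a glance; the discovery branch is unchanged. mergeWebhook starts before this hunk and continues after it.
```go
	// wildcard kinds cannot be resolved through discovery, so their scope follows the policy
	policyScope := admissionregistrationv1.AllScopes
	if policy.IsNamespaced() {
		policyScope = admissionregistrationv1.NamespacedScope
	}
	var gvrsList []GroupVersionResourceScope
	for _, gvk := range matchedGVK {
		// NOTE: webhook stores GVR in its rules while policy stores GVK in its rules definition
		group, version, kind, subresource := kubeutils.ParseKindSelector(gvk)
		if kind == "*" {
			// "*" is every resource; "*/<sub>" (and "*/*") every resource's subresource
			resource := "*"
			if subresource != "" {
				resource = "*/" + subresource
			}
			gvrsList = append(gvrsList, GroupVersionResourceScope{
				GroupVersionResource: schema.GroupVersionResource{Group: group, Version: version, Resource: resource},
				Scope:                policyScope,
			})
			continue
		}
		// … unchanged: discovery lookup and per-resource scope from resource.Namespaced …
	}
```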
@@ -12,26 +12,39 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/utils/ptr"
 )
 
 // webhook is the instance that aggregates the GVK of existing policies
-// based on kind, failurePolicy and webhookTimeout
+// based on group, kind, scopeType, failurePolicy and webhookTimeout
 type webhook struct {
 maxWebhookTimeout int32
 failurePolicy admissionregistrationv1.FailurePolicyType
- rules map[schema.GroupVersion]sets.Set[string]
+ rules map[groupVersionScope]sets.Set[string]
+}
+
+// groupVersionScope contains the GV and scopeType of a resource
+type groupVersionScope struct {
+ schema.GroupVersion
+ scopeType admissionregistrationv1.ScopeType
+}
+
+// String puts / between group/version and scope
+func (gvs groupVersionScope) String() string {
+ return gvs.GroupVersion.String() + "/" + string(gvs.scopeType)
 }
 
 func newWebhook(timeout int32, failurePolicy admissionregistrationv1.FailurePolicyType) *webhook {
 return &webhook{
 maxWebhookTimeout: timeout,
 failurePolicy: failurePolicy,
- rules: map[schema.GroupVersion]sets.Set[string]{},
+ rules: map[groupVersionScope]sets.Set[string]{},
 }
 }
 
 func (wh *webhook) buildRulesWithOperations(ops ...admissionregistrationv1.OperationType) []admissionregistrationv1.RuleWithOperations {
 var rules []admissionregistrationv1.RuleWithOperations
+
 for gv, resources := range wh.rules {
 // if we have pods, we add pods/ephemeralcontainers by default
 if (gv.Group == "" || gv.Group == "*") && (gv.Version == "v1" || gv.Version == "*") && (resources.Has("pods") || resources.Has("*")) {
@@ -42,6 +55,7 @@ func (wh *webhook) buildRulesWithOperations(ops ...admissionregistrationv1.Opera
 APIGroups: []string{gv.Group},
 APIVersions: []string{gv.Version},
 Resources: sets.List(resources),
+ Scope: ptr.To(gv.scopeType),
 },
 Operations: ops,
 })
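Review bot: `Scope: ptr.To(gv.scopeType)` emits whatever scope was stored in the map key, including the zero value `""` should a caller ever build a `GroupVersionResourceScope` without setting the exported `Scope` field; `""` is not one of the admissionregistration scope values (`Cluster`, `Namespaced`, `*`), so the API server would be expected to reject the whole webhook configuration, and a rejected configuration means no admission request reaches Kyverno at all. All callers visible in this commit do set it, but the cheap guard belongs at the single write point in `set()`: `if gvrs.Scope == "" { gvrs.Scope = admissionregistrationv1.AllScopes }` before the key is built. Separately, the updated struct comment says "based on group, kind, scopeType", but the key is group, version and scope and the set holds resource names, so `// based on group, version, scope, failurePolicy and webhookTimeout` describes it more accurately. buildRulesWithOperations continues outside the hunk.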
@@ -67,16 +81,38 @@ func (wh *webhook) buildRulesWithOperations(ops ...admissionregistrationv1.Opera
 if x, match := less(a.Resources, b.Resources); match {
 return x
 }
+ if x := strings.Compare(string(*a.Scope), string(*b.Scope)); x != 0 {
+ return x
+ }
 return 0
 })
 return rules
 }
 
-func (wh *webhook) set(gvrs schema.GroupVersionResource) {
- gv := gvrs.GroupVersion()
- resources := wh.rules[gv]
+func (wh *webhook) set(gvrs GroupVersionResourceScope) {
+ gvs := groupVersionScope{
+ GroupVersion: gvrs.GroupVersion(),
+ scopeType: gvrs.Scope,
+ }
+
+ // check if the resource contains wildcard and is already added as all scope
+ // in that case, we do not need to add it again as namespaced scope
+ if (gvrs.Resource == "*" || gvrs.Group == "*") && gvs.scopeType == admissionregistrationv1.NamespacedScope {
+ allScopeResource := groupVersionScope{
+ GroupVersion: gvs.GroupVersion,
+ scopeType: admissionregistrationv1.AllScopes,
+ }
+ resources := wh.rules[allScopeResource]
+ if resources != nil {
+ // explicitly do nothing as the resource is already added as all scope
+ return
+ }
+ }
+
+ // check if the resource is already added
+ resources := wh.rules[gvs]
 if resources == nil {
- wh.rules[gv] = sets.New(gvrs.Resource)
+ wh.rules[gvs] = sets.New(gvrs.Resource)
 } else {
 resources.Insert(gvrs.Resource)
 }
diff --git a/pkg/controllers/webhook/utils_test.go b/pkg/controllers/webhook/utils_test.go
index 571c1a69eb..dc0d8f5edb 100644
--- a/pkg/controllers/webhook/utils_test.go
+++ b/pkg/controllers/webhook/utils_test.go
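Review bot: The early return in `set()` checks only that some entry exists under `AllScopes` for the same GroupVersion (`resources != nil`), not that it covers the wildcard being added: a cluster policy that registered `*/status` and a namespaced policy registering `*` share the `*/*` key, so the namespaced `*` is silently dropped and those resources are never sent to the webhook. Test the set contents instead: `if resources != nil && (resources.Has("*/*") || resources.Has(gvrs.Resource)) {`. The skip is also order-dependent — when the `Namespaced` wildcard is merged before the `AllScopes` one, both entries survive — which is harmless (a redundant rule) but worth a line in the comment above the check, e.g. `// a wildcard already registered under "*" scope subsumes a namespaced one; merge order decides whether both are kept`.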
@@ -15,8 +15,9 @@ func Test_webhook_isEmpty(t *testing.T) {
 empty := newWebhook(DefaultWebhookTimeout, admissionregistrationv1.Ignore)
 assert.Equal(t, empty.isEmpty(), true)
 notEmpty := newWebhook(DefaultWebhookTimeout, admissionregistrationv1.Ignore)
- notEmpty.set(schema.GroupVersionResource{
- Group: "", Version: "v1", Resource: "pods",
+ notEmpty.set(GroupVersionResourceScope{
+ GroupVersionResource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
+ Scope: admissionregistrationv1.NamespacedScope,
 })
 assert.Equal(t, notEmpty.isEmpty(), false)
 }
diff --git a/test/conformance/chainsaw/webhooks/clusterpolicy/README.md b/test/conformance/chainsaw/webhooks/clusterpolicy/README.md
new file mode 100644
index 0000000000..cfcb16d75a
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/clusterpolicy/README.md
@@ -0,0 +1,9 @@
+## Description
+
+This test verifies the resource validation webhook is configured correctly when a ClusterPolicy targets all `*` resources.
+
+## Steps
+
+1. - Create a ClusterPolicy targeting `*`
+ - Assert ClusterPolicy gets ready
+1. - Assert that the resource validation webhook is configured correctly and the scope is set to "*"
diff --git a/test/conformance/chainsaw/webhooks/clusterpolicy/chainsaw-test.yaml b/test/conformance/chainsaw/webhooks/clusterpolicy/chainsaw-test.yaml
new file mode 100755
index 0000000000..1e9e999405
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/clusterpolicy/chainsaw-test.yaml
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: clusterpolicy
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: webhooks.yaml
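Review bot: The only unit-test change adapts `Test_webhook_isEmpty` to the new `set()` signature; the new skip branch in `set()` (a namespaced wildcard ignored when an all-scope entry already exists for the GroupVersion) gets no unit coverage and is only exercised indirectly by the chainsaw fixtures. A short table test that calls `set()` with an `AllScopes` `*` and then a `NamespacedScope` `*` for the same GroupVersion and asserts a single rule from `buildRulesWithOperations`, plus the reverse order, would pin the deduplication and document that it depends on merge order.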
diff --git a/test/conformance/chainsaw/webhooks/wildcard/policy-assert.yaml b/test/conformance/chainsaw/webhooks/clusterpolicy/policy-assert.yaml similarity index 100% rename from test/conformance/chainsaw/webhooks/wildcard/policy-assert.yaml rename to test/conformance/chainsaw/webhooks/clusterpolicy/policy-assert.yaml diff --git a/test/conformance/chainsaw/webhooks/wildcard/policy.yaml b/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml similarity index 100% rename from test/conformance/chainsaw/webhooks/wildcard/policy.yaml rename to test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml diff --git a/test/conformance/chainsaw/webhooks/wildcard/webhooks.yaml b/test/conformance/chainsaw/webhooks/clusterpolicy/webhooks.yaml similarity index 100% rename from test/conformance/chainsaw/webhooks/wildcard/webhooks.yaml rename to test/conformance/chainsaw/webhooks/clusterpolicy/webhooks.yaml diff --git a/test/conformance/chainsaw/webhooks/only-pod/webhooks.yaml b/test/conformance/chainsaw/webhooks/only-pod/webhooks.yaml index 49a26e89be..239d24359c 100644 --- a/test/conformance/chainsaw/webhooks/only-pod/webhooks.yaml +++ b/test/conformance/chainsaw/webhooks/only-pod/webhooks.yaml @@ -18,4 +18,4 @@ webhooks: resources: - pods - pods/ephemeralcontainers - scope: '*' + scope: 'Namespaced' diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/webhooks.yaml b/test/conformance/chainsaw/webhooks/pod-all-subresources/webhooks.yaml index 9766dc5d34..1a1b357447 100644 --- a/test/conformance/chainsaw/webhooks/pod-all-subresources/webhooks.yaml +++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/webhooks.yaml @@ -25,4 +25,4 @@ webhooks: - pods/portforward - pods/proxy - pods/status - scope: '*' + scope: 'Namespaced' 
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/README.md b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/README.md new file mode 100644 index 0000000000..40853423cc --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/README.md @@ -0,0 +1,9 @@ +## Description + +This test verifies the resource validation webhook is configured correctly when a ClusterPolicy targets CustomResourceDefinition resources and a Policy targets `ConfigMap`. + +## Steps + +1. - Create a policy targeting `*` + - Assert policy gets ready +1. - Assert that the resource validation webhook is configured correctly two rules for `ConfigMap` and `CustomResourceDefinition` created diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/chainsaw-test.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/chainsaw-test.yaml new file mode 100755 index 0000000000..420a05e428 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/chainsaw-test.yaml @@ -0,0 +1,23 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: policy-clusterpolicy-different-resource-group +spec: + steps: + - name: step-01 + try: + - apply: + file: policy-1.yaml + - assert: + file: policy-1-assert.yaml + - name: step-2 + try: + - apply: + file: policy-2.yaml + - assert: + file: policy-2-assert.yaml + - name: step-3 + try: + - assert: + file: webhooks.yaml diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1-assert.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1-assert.yaml new file mode 100644 index 0000000000..98aa12fc39 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: policy-1 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml new file mode 100644 index 0000000000..9028c9511c --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: policy-1 + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - 'CustomResourceDefinition' + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2-assert.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2-assert.yaml new file mode 100644 index 0000000000..56e180daeb --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: policy-2 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml new file mode 100644 index 0000000000..bec3ea8a72 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml 
@@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: policy-2 + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - 'ConfigMap' + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/webhooks.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/webhooks.yaml new file mode 100644 index 0000000000..16efe5042c --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/webhooks.yaml @@ -0,0 +1,33 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-validating-webhook-cfg +webhooks: +- failurePolicy: Fail + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - configmaps + scope: Namespaced + - apiGroups: + - apiextensions.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - customresourcedefinitions + scope: '*' diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/README.md b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/README.md new file mode 100644 index 0000000000..879c936445 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/README.md 
@@ -0,0 +1,9 @@ +## Description + +This test verifies the resource validation webhook is configured correctly when a ClusterPolicy targets the `ConfigMap` and `CustomResourceDefinition` resource. + +## Steps + +1. - Create a ClusterPolicy targeting `ConfigMap` and `CustomResourceDefinition` + - Assert polices get ready +1. - Assert that the resource validation webhook is configured correctly diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/chainsaw-test.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/chainsaw-test.yaml new file mode 100755 index 0000000000..cd334f3a55 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/chainsaw-test.yaml @@ -0,0 +1,17 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: policy-clusterpolicy-namespaced-clusterscoped-resources +spec: + steps: + - name: step-01 + try: + - apply: + file: clusterpolicy.yaml + - assert: + file: clusterpolicy-assert.yaml + - name: step-02 + try: + - assert: + file: webhooks.yaml diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy-assert.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy-assert.yaml new file mode 100644 index 0000000000..2993bbaa6e --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml new file mode 100644 index 0000000000..1ec38d8f18 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml @@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - 'ConfigMap' + - 'CustomResourceDefinition' + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/webhooks.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/webhooks.yaml new file mode 100644 index 0000000000..16efe5042c --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/webhooks.yaml @@ -0,0 +1,33 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-validating-webhook-cfg +webhooks: +- failurePolicy: Fail + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - configmaps + scope: Namespaced + - apiGroups: + - apiextensions.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - customresourcedefinitions + scope: '*' 
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/README.md b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/README.md new file mode 100644 index 0000000000..357f9dc7cf --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/README.md @@ -0,0 +1,10 @@ +## Description + +This test verifies the resource validation webhook is configured correctly when a Policy targets the `Secret` resource and ClusterPolicy targets the `ConfigMap` resource. + +## Steps + +1. - Create a Policy targeting `Secret` + - Create a ClusterPolicy targeting `ConfigMap` + - Assert polices get ready +1. - Assert that the resource validation webhook is configured correctly diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/chainsaw-test.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/chainsaw-test.yaml new file mode 100755 index 0000000000..8b27fa3850 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: policy-clusterpolicy-namespaced-resources +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - apply: + file: clusterpolicy.yaml + - assert: + file: policy-assert.yaml + - assert: + file: clusterpolicy-assert.yaml + - name: step-02 + try: + - assert: + file: webhooks.yaml diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy-assert.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy-assert.yaml new file mode 100644 index 0000000000..2993bbaa6e --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml new file mode 100644 index 0000000000..c8ff72949e --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - 'ConfigMap' + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy-assert.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy-assert.yaml new file mode 100644 index 0000000000..bc25d0fdf8 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml new file mode 100644 index 0000000000..78bebbcb69 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml 
@@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - 'Secret' + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/webhooks.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/webhooks.yaml new file mode 100644 index 0000000000..bd8efe5cdc --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/webhooks.yaml @@ -0,0 +1,22 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-validating-webhook-cfg +webhooks: +- failurePolicy: Fail + rules: + - apiGroups: + - '' + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - 'configmaps' + - 'secrets' + scope: 'Namespaced' diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/README.md b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/README.md new file mode 100644 index 0000000000..e1e32a464d --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/README.md @@ -0,0 +1,10 @@ +## Description + +This test verifies the resource validation webhook is configured correctly when a Policy and ClusterPolicy target the `ConfigMap` resource. + +## Steps + +1. - Create a Policy targeting `ConfigMap` + - Create a ClusterPolicy targeting `ConfigMap` + - Assert polices get ready +1. - Assert that the resource validation webhook is configured correctly 
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/chainsaw-test.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/chainsaw-test.yaml new file mode 100755 index 0000000000..4e864f82e0 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: policy-clusterpolicy-same-resource +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - apply: + file: clusterpolicy.yaml + - assert: + file: policy-assert.yaml + - assert: + file: clusterpolicy-assert.yaml + - name: step-02 + try: + - assert: + file: webhooks.yaml diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy-assert.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy-assert.yaml new file mode 100644 index 0000000000..2993bbaa6e --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml new file mode 100644 index 0000000000..c8ff72949e --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml 
@@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - 'ConfigMap' + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy-assert.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy-assert.yaml new file mode 100644 index 0000000000..bc25d0fdf8 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml new file mode 100644 index 0000000000..7f8e054959 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - 'ConfigMap' + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/webhooks.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/webhooks.yaml new file mode 100644 index 0000000000..ba197fde8e --- /dev/null 
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/webhooks.yaml @@ -0,0 +1,21 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-validating-webhook-cfg +webhooks: +- failurePolicy: Fail + rules: + - apiGroups: + - '' + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - 'configmaps' + scope: 'Namespaced' diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/README.md b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/README.md new file mode 100644 index 0000000000..89fc2793e3 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/README.md @@ -0,0 +1,10 @@ +## Description + +This test verifies the resource validation webhook is configured correctly when a Policy and ClusterPolicy target all `*` resources. + +## Steps + +1. - Create a Policy targeting `*` + - Create a ClusterPolicy targeting `*` + - Assert policies get ready +1. - Assert that the resource validation webhook is configured correctly diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/chainsaw-test.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/chainsaw-test.yaml new file mode 100755 index 0000000000..7f4cdc79bf --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: policy-clusterpolicy-wildcard-resource +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - apply: + file: clusterpolicy.yaml + - assert: + file: policy-assert.yaml + - assert: + file: clusterpolicy-assert.yaml + - name: step-02 + try: + - assert: + file: webhooks.yaml 
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy-assert.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy-assert.yaml new file mode 100644 index 0000000000..2993bbaa6e --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml new file mode 100644 index 0000000000..ce9f80c1e3 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - '*' + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy-assert.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy-assert.yaml new file mode 100644 index 0000000000..bc25d0fdf8 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml
new file mode 100644
index 0000000000..d0975a89f4
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - '*'
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/webhooks.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/webhooks.yaml
new file mode 100644
index 0000000000..281adc9a9f
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/webhooks.yaml
@@ -0,0 +1,22 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ webhook.kyverno.io/managed-by: kyverno
+ name: kyverno-resource-validating-webhook-cfg
+webhooks:
+- failurePolicy: Fail
+ rules:
+ - apiGroups:
+ - '*'
+ apiVersions:
+ - '*'
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ - CONNECT
+ resources:
+ - '*'
+ - pods/ephemeralcontainers
+ scope: '*'
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/README.md b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/README.md
new file mode 100644
index 0000000000..4e82a5f05c
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test tries to create a Policy which targets a clusterscoped resource.
+The policy should be rejected.
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/chainsaw-test.yaml b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/chainsaw-test.yaml
new file mode 100755
index 0000000000..6a90c8516b
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/chainsaw-test.yaml
@@ -0,0 +1,14 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: policy-clusterscope-resource
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml
new file mode 100644
index 0000000000..f7711bd6fe
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - 'CustomResourceDefinition'
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/README.md b/test/conformance/chainsaw/webhooks/policy-different-resource-group/README.md
new file mode 100644
index 0000000000..e67e081b68
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/README.md
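Review bot: The rejection check in policy-clusterscope-resource/chainsaw-test.yaml, `($error != null): true`, is satisfied by any apply failure, so a transient error (API server or admission webhook unavailable, a malformed manifest) would make the test pass for the wrong reason. The README for this test states that the Policy must be rejected because it targets a cluster-scoped resource, so the expectation should pin that reason too, for example a second check `(contains($error, '<expected rejection substring>')): true` with the substring taken from the actual admission error. Pinning the message also records in the fixture itself which validation rule this test guards.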
@@ -0,0 +1,10 @@
+## Description
+
+This test verifies the resource validation webhook is configured correctly when a Policy targets all `*` resources.
+
+## Steps
+
+1. - Create a policy targeting `Deployment`
+ Create a policy targeting `Configmap`
+ - Assert policies gets ready
+1. - Assert that the resource validation webhook is configured correctly and two rules are created with scope is set to "namespaced"
diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/chainsaw-test.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/chainsaw-test.yaml
new file mode 100755
index 0000000000..2ea6bcfb55
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/chainsaw-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: policy-different-resource-group
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy-1.yaml
+ - assert:
+ file: policy-1-assert.yaml
+ - name: step-2
+ try:
+ - apply:
+ file: policy-2.yaml
+ - assert:
+ file: policy-2-assert.yaml
+ - name: step-3
+ try:
+ - assert:
+ file: webhooks.yaml
diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1-assert.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1-assert.yaml
new file mode 100644
index 0000000000..fec91ba384
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: policy-1
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml
new file mode 100644
index 0000000000..ca237157c6
--- /dev/null
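Review bot: The step names in policy-different-resource-group/chainsaw-test.yaml mix zero-padded and unpadded forms (`step-01`, `step-2`, `step-3`) while the sibling tests in this change use `step-01`/`step-02` throughout; renaming to `step-02` and `step-03` keeps the suite consistent and keeps chainsaw's per-step report output in order. Relatedly, the README of the same test says the Policy targets all `*` resources, whereas the fixtures target `Deployment` and `ConfigMap`, so the description should name the two kinds the expected two-rule webhook is built from.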
+++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: policy-1
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - 'Deployment'
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2-assert.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2-assert.yaml
new file mode 100644
index 0000000000..56e180daeb
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: policy-2
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml
new file mode 100644
index 0000000000..bec3ea8a72
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: policy-2
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - 'ConfigMap'
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/webhooks.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/webhooks.yaml
new file mode 100644
index 0000000000..58fb6ac425
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/webhooks.yaml
@@ -0,0 +1,33 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ webhook.kyverno.io/managed-by: kyverno
+ name: kyverno-resource-validating-webhook-cfg
+webhooks:
+- failurePolicy: Fail
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ - CONNECT
+ resources:
+ - configmaps
+ scope: Namespaced
+ - apiGroups:
+ - apps
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ - CONNECT
+ resources:
+ - deployments
+ scope: Namespaced
diff --git a/test/conformance/chainsaw/webhooks/wildcard/README.md b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/README.md
similarity index 65%
rename from test/conformance/chainsaw/webhooks/wildcard/README.md
rename to test/conformance/chainsaw/webhooks/policy-wildcard-resource/README.md
index cfa667ac58..d6eceeea72 100644
--- a/test/conformance/chainsaw/webhooks/wildcard/README.md
+++ b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/README.md
@@ -1,9 +1,9 @@ ## Description -This test verifies the resource validation webhook is configured correctly when a policy targets all `*` resources. +This test verifies the resource validation webhook is configured correctly when a ClusterPolicy targets all `*` resources. ## Steps -1. - Create a policy targeting `*` +1. - Create a ClusterPolicy targeting `*` - Assert policy gets ready 1. - Assert that the resource validation webhook is configured correctly
diff --git a/test/conformance/chainsaw/webhooks/policy-wildcard-resource/chainsaw-test.yaml b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/chainsaw-test.yaml
new file mode 100755
index 0000000000..00ab170846
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/chainsaw-test.yaml
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: policy-wildcard-resource
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: webhooks.yaml
diff --git a/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy-assert.yaml b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy-assert.yaml
new file mode 100644
index 0000000000..2993bbaa6e
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml
new file mode 100644
index 0000000000..ce9f80c1e3
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - '*'
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/webhooks/policy-wildcard-resource/webhooks.yaml b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/webhooks.yaml
new file mode 100644
index 0000000000..281adc9a9f
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/webhooks.yaml
@@ -0,0 +1,22 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ webhook.kyverno.io/managed-by: kyverno
+ name: kyverno-resource-validating-webhook-cfg
+webhooks:
+- failurePolicy: Fail
+ rules:
+ - apiGroups:
+ - '*'
+ apiVersions:
+ - '*'
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ - CONNECT
+ resources:
+ - '*'
+ - pods/ephemeralcontainers
+ scope: '*'
diff --git a/test/conformance/chainsaw/webhooks/policy/README.md b/test/conformance/chainsaw/webhooks/policy/README.md
new file mode 100644
index 0000000000..41062362b7
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy/README.md
@@ -0,0 +1,9 @@
+## Description
+
+This test verifies the resource validation webhook is configured correctly when a Policy targets all `*` resources.
+
+## Steps
+
+1. - Create a Policy targeting `*`
+ - Assert Policy gets ready
+1. - Assert that the resource validation webhook is configured correctly and scope is set to "namespaced"
diff --git a/test/conformance/chainsaw/webhooks/wildcard/chainsaw-test.yaml b/test/conformance/chainsaw/webhooks/policy/chainsaw-test.yaml
similarity index 94%
rename from test/conformance/chainsaw/webhooks/wildcard/chainsaw-test.yaml
rename to test/conformance/chainsaw/webhooks/policy/chainsaw-test.yaml
index ed85b22947..773eb2e3c5 100755
--- a/test/conformance/chainsaw/webhooks/wildcard/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/webhooks/policy/chainsaw-test.yaml
@@ -2,7 +2,7 @@ apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null - name: wildcard + name: policy spec: steps: - name: step-01
diff --git a/test/conformance/chainsaw/webhooks/policy/policy-assert.yaml b/test/conformance/chainsaw/webhooks/policy/policy-assert.yaml
new file mode 100644
index 0000000000..bc25d0fdf8
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/webhooks/policy/policy.yaml b/test/conformance/chainsaw/webhooks/policy/policy.yaml
new file mode 100644
index 0000000000..d0975a89f4
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - '*'
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/webhooks/policy/webhooks.yaml b/test/conformance/chainsaw/webhooks/policy/webhooks.yaml
new file mode 100644
index 0000000000..544aa42117
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/policy/webhooks.yaml
@@ -0,0 +1,22 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ webhook.kyverno.io/managed-by: kyverno
+ name: kyverno-resource-validating-webhook-cfg
+webhooks:
+- failurePolicy: Fail
+ rules:
+ - apiGroups:
+ - '*'
+ apiVersions:
+ - '*'
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ - CONNECT
+ resources:
+ - '*'
+ - pods/ephemeralcontainers
+ scope: 'Namespaced'
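Review bot: The expected ValidatingWebhookConfiguration in policy/webhooks.yaml pins `scope: 'Namespaced'` for a namespaced Policy with `kinds: ['*']`, but nothing in the fixture says why this differs from the `scope: '*'` expected for the ClusterPolicy case in policy-wildcard-resource/webhooks.yaml and for the combined case in policy-clusterpolicy-wildcard-resource/webhooks.yaml. A one-line comment above the rule would make the guarded property explicit, e.g. `# a namespaced Policy must not widen the webhook to cluster-scoped resources, even with kind '*'`, so that a later edit to this expectation is reviewed as a change in admission coverage rather than a cosmetic tweak. Note also that the fixture asserts only `failurePolicy` and `rules`; if the scope narrowing is the property under test, stating that in the comment tells the next maintainer which field must stay pinned.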