mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-28 02:18:15 +00:00
feat: add chainsaw tests for generate policies (part 1) (#10551)
* feat: add chainsaw tests for generate policies (part 1) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix chainsaw tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * chore: rename deprecated chainsaw tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
parent
75fb7e1d1a
commit
8d44864a61
243 changed files with 3585 additions and 34 deletions
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This tests that the ownerReferences of cloned objects in different Namespaces are removed. Otherwise these objects will be immediately garbage-collected
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The background controller will strip the ownerReference when cloning between Namespaces, if it exists.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
- https://github.com/kyverno/kyverno/issues/2276
|
|
@ -0,0 +1,38 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-clone-delete-ownerreferences-across-namespaces
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- script:
|
||||
content: |
|
||||
kubectl -n cpol-clone-delete-ownerreferences-across-namespaces-source-ns get configmap owner -o json | jq '{
|
||||
"metadata": {
|
||||
"ownerReferences": [{
|
||||
"apiVersion": "v1",
|
||||
"kind": "ConfigMap",
|
||||
"name": "owner",
|
||||
"uid": .metadata.uid
|
||||
}]
|
||||
}
|
||||
}' | kubectl patch -n cpol-clone-delete-ownerreferences-across-namespaces-source-ns secret cpol-clone-delete-ownerreferences-across-namespaces --patch-file=/dev/stdin
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: trigger.yaml
|
||||
- assert:
|
||||
file: created-secret.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- script:
|
||||
content: |
|
||||
kubectl --namespace cpol-clone-delete-ownerreferences-across-namespaces-target-ns get secret cpol-clone-delete-ownerreferences-across-namespaces -o json | jq -e '.metadata.ownerReferences == null'
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cpol-clone-delete-ownerreferences-across-namespaces
|
||||
namespace: cpol-clone-delete-ownerreferences-across-namespaces-target-ns
|
||||
type: Opaque
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-clone-delete-ownerreferences-across-namespaces
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,43 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: owner
|
||||
namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cpol-clone-delete-ownerreferences-across-namespaces
|
||||
namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-clone-delete-ownerreferences-across-namespaces
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
clone:
|
||||
name: cpol-clone-delete-ownerreferences-across-namespaces
|
||||
namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
|
||||
kind: Secret
|
||||
name: cpol-clone-delete-ownerreferences-across-namespaces
|
||||
namespace: '{{request.object.metadata.name}}'
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: clone-secret
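Review bot: The `owner` ConfigMap in the second document of this manifest carries `type: Opaque`, which is a Secret field and not part of the ConfigMap schema; it looks copied from the Secret document that follows. Depending on how strictly the apply validates unknown fields, the line is either silently dropped or the apply is rejected, so it is safer to delete it. The ConfigMap is only used as the owner target for the ownerReference patch, so `apiVersion`, `kind` and `metadata` are all it needs.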
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cpol-clone-delete-ownerreferences-across-namespaces-target-ns
|
|
@ -24,9 +24,9 @@ kind: ClusterPolicy
|
|||
metadata:
|
||||
name: cpol-clone-delete-ownerreferences-across-namespaces
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
generateExisting: true
|
||||
apiVersion: v1
|
||||
clone:
|
||||
name: cpol-clone-delete-ownerreferences-across-namespaces
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
## Description
|
||||
|
||||
This is a corner case test to ensure a generate clone rule can be triggered on the deletion of the trigger resource. It also ensures upgrades to 1.10 are successful for the same clone rule type.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
1. when the trigger is created, the corresponding downstream target secret should be generated
|
||||
2. delete the policy, update the source, then re-install the policy with generateExisting=true, the change should be synced to the downstream target
|
||||
3. update the source again, the change should be synced to the downstream target
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/7170
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cpol-clone-sync-single-source-multiple-targets-ns
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: Zm9v
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-ns
|
||||
type: Opaque
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-clone-sync-reinstall-policy
|
||||
spec:
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
clone:
|
||||
name: regcred
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-ns
|
||||
kind: Secret
|
||||
name: regcred
|
||||
namespace: '{{request.object.metadata.name}}'
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: sync-image-pull-secret
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-clone-sync-reinstall-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: Zm9v
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: Zm9v
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
|
||||
type: Opaque
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: aGVyZWlzY2hhbmdlZGRhdGE=
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-ns
|
||||
type: Opaque
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-clone-sync-reinstall-policy
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
clone:
|
||||
name: regcred
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-ns
|
||||
kind: Secret
|
||||
name: regcred
|
||||
namespace: '{{request.object.metadata.name}}'
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: sync-image-pull-secret
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: aGVyZWlzY2hhbmdlZGRhdGE=
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: aGVyZWlzY2hhbmdlZGRhdGE=
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
|
||||
type: Opaque
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-ns
|
||||
type: Opaque
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
|
||||
type: Opaque
|
|
@ -0,0 +1,68 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-clone-sync-reinstall-policy
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-2.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-3.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1-2.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- assert:
|
||||
file: chainsaw-step-03-assert-1-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-03-assert-1-2.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- delete:
|
||||
ref:
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
name: cpol-clone-sync-reinstall-policy
|
||||
- name: step-05
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-05-apply-1-1.yaml
|
||||
- name: step-06
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-06-apply-1-1.yaml
|
||||
- name: step-07
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-08
|
||||
try:
|
||||
- assert:
|
||||
file: chainsaw-step-08-assert-1-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-08-assert-1-2.yaml
|
||||
- name: step-09
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-09-apply-1-1.yaml
|
||||
- name: step-10
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-11
|
||||
try:
|
||||
- assert:
|
||||
file: chainsaw-step-11-assert-1-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-11-assert-1-2.yaml
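Review bot: The fixed `sleep: 3s` in step-07 and step-10 adds nothing, because the asserts in step-08 and step-11 that follow already wait for the expected state until the assert timeout expires. On a slow cluster 3s does not guarantee the sync has happened, and on a fast one it only lengthens the run. I would drop both sleep steps and, if the sync needs more time than the default, raise the assert timeout for this test instead. The same pattern appears in step-05 of the `cpol-clone-sync-single-source-multiple-triggers-targets` test further down.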
|
|
@ -3,9 +3,9 @@ kind: ClusterPolicy
|
|||
metadata:
|
||||
name: cpol-clone-sync-reinstall-policy
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
generateExisting: true
|
||||
apiVersion: v1
|
||||
clone:
|
||||
name: regcred
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a corner case test to ensure the changes to the clone source can be synced to multiple targets.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the change from `foo=bar` to `foo=baz` is synced to downstream targets, the test passes. Otherwise fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/7170
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cpol-clone-sync-single-source-multiple-targets-ns
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: bar
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: foosource
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-ns
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-clone-sync-single-source-multiple-targets
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
clone:
|
||||
name: foosource
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-ns
|
||||
kind: ConfigMap
|
||||
name: footarget
|
||||
namespace: '{{request.object.metadata.name}}'
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: rule-clone-sync-single-source-multiple-targets
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-clone-sync-single-source-multiple-targets
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: bar
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: footarget
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: bar
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: footarget
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: baz
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: foosource
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-ns
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: baz
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: footarget
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: baz
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: footarget
|
||||
namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
|
|
@ -0,0 +1,43 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-clone-sync-single-source-multiple-triggers-targets
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-2.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-3.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1-2.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- assert:
|
||||
file: chainsaw-step-03-assert-1-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-03-assert-1-2.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-04-apply-1-1.yaml
|
||||
- name: step-05
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-06
|
||||
try:
|
||||
- assert:
|
||||
file: chainsaw-step-06-assert-1-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-06-assert-1-2.yaml
|
|
@ -3,9 +3,9 @@ kind: ClusterPolicy
|
|||
metadata:
|
||||
name: cpol-clone-sync-single-source-multiple-targets
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- generate:
|
||||
generateExisting: false
|
||||
apiVersion: v1
|
||||
clone:
|
||||
name: foosource
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that deletion of a rule in a ClusterPolicy generate rule, data declaration, with sync disabled, does not result in the downstream resource's deletion.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The downstream (generated) resource is expected to remain if the corresponding rule within a ClusterPolicy is deleted. If it is not deleted, the test passes. If it is deleted, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cpol-data-sync-to-nosync-delete-rule-ns
|
|
@ -0,0 +1,63 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-to-nosync-delete-rule
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: '{{request.object.metadata.name}}'
|
||||
synchronize: false
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: k-kafka-address
|
||||
- exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
type: Opaque
|
||||
kind: Secret
|
||||
name: supersecret
|
||||
namespace: '{{request.object.metadata.name}}'
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: super-secret
|
|
@ -0,0 +1,43 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-data-sync-to-nosync-delete-rule
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1-1.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- assert:
|
||||
file: secret.yaml
|
||||
- assert:
|
||||
file: configmap.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-04-apply-1-1.yaml
|
||||
- name: step-05
|
||||
try:
|
||||
- apply:
|
||||
file: delete-rule.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-06
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-07
|
||||
try:
|
||||
- assert:
|
||||
file: secret.yaml
|
||||
- assert:
|
||||
file: configmap.yaml
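Review bot: Step-07 is a negative check (the downstream Secret and ConfigMap must still exist after the rule is removed), so the `sleep: 3s` in step-06 is the entire observation window. The asserts succeed as soon as the objects are present, which means a regression where the controller deletes the downstream later than 3s after the policy update would still pass. Please add a comment on step-06 saying what the delay is for, e.g. `# window for the background controller to (wrongly) delete downstream resources`, and consider whether 3s is long enough for that controller's reconcile cycle.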
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: cpol-data-sync-to-nosync-delete-rule-ns
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: multiple-gens
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: super-secret
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
name: supersecret
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
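Review bot: `metadata.name` in this manifest is `multiple-gens`, while the other policy manifests of this test and its readiness assert all use `cpol-data-sync-to-nosync-delete-rule`. File names are not visible on this page, but the single remaining `super-secret` rule suggests this is the manifest step-05 applies to remove the ConfigMap rule. If so, the apply creates a second ClusterPolicy instead of updating the existing one, the `k-kafka-address` rule is never deleted, and the step-07 asserts pass without exercising the behaviour under test. The name should be `name: cpol-data-sync-to-nosync-delete-rule`.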
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-to-nosync-delete-rule
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,63 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-to-nosync-delete-rule
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: k-kafka-address
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
- name: super-secret
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
name: supersecret
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
name: supersecret
|
||||
namespace: cpol-data-sync-to-nosync-delete-rule-ns
|
||||
type: Opaque
|
|
@ -3,7 +3,6 @@ kind: ClusterPolicy
|
|||
metadata:
|
||||
name: cpol-data-sync-to-nosync-delete-rule
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- exclude:
|
||||
any:
|
||||
|
@ -14,6 +13,7 @@ spec:
|
|||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
generateExisting: false
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
|
@ -42,6 +42,7 @@ spec:
|
|||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
generateExisting: false
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
|
|
|
@ -3,7 +3,6 @@ kind: ClusterPolicy
|
|||
metadata:
|
||||
name: multiple-gens
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: super-secret
|
||||
match:
|
||||
|
@ -20,6 +19,7 @@ spec:
|
|||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
|
|
|
@ -3,7 +3,6 @@ kind: ClusterPolicy
|
|||
metadata:
|
||||
name: cpol-data-sync-to-nosync-delete-rule
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: k-kafka-address
|
||||
match:
|
||||
|
@ -20,6 +19,7 @@ spec:
|
|||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
|
@ -48,6 +48,7 @@ spec:
|
|||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
|
|
|
@ -6,7 +6,6 @@ metadata:
|
|||
policies.kyverno.io/description: >-
|
||||
This policy generates and synchronizes a configmap for custom resource kube-state-metrics.
|
||||
spec:
|
||||
generateExisting: true
|
||||
schemaValidation: false
|
||||
rules:
|
||||
- name: generate-cm-for-kube-state-metrics-crds
|
||||
|
@ -23,6 +22,7 @@ spec:
|
|||
matchLabels:
|
||||
kubestatemetrics.platform.example: source
|
||||
generate:
|
||||
generateExisting: true
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test ensures that creation of a multiple target resource created by a ClusterPolicy `generate.cloneList` rule. If it is not generated, the test fails.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The cloned Secret and ConfigMap from the default namespace should exists in newly created namespace.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-clone-list-sync-create
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: manifests.yaml
|
||||
- apply:
|
||||
file: cluster-policy.yaml
|
||||
- assert:
|
||||
file: cluster-policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: ns.yaml
|
||||
- assert:
|
||||
file: resource-assert.yaml
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: sync-with-multi-clone
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,32 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: sync-with-multi-clone
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: sync-secret
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
synchronize : true
|
||||
cloneList:
|
||||
namespace: default
|
||||
kinds:
|
||||
- v1/Secret
|
||||
- v1/ConfigMap
|
||||
selector:
|
||||
matchLabels:
|
||||
allowedToBeCloned: "true"
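Review bot: This policy matches every new Namespace outside the four excluded ones, so it clones every Secret and ConfigMap labelled `allowedToBeCloned: "true"` from `default` into namespaces created by unrelated tests too. The `sync-with-multi-clone-update` policy added later in this commit uses the same source namespace, object names and label, and its test rewrites `bootstrap-config` to `initial_lives: "50"`. If the two tests ever share a cluster at the same time (not visible from this page), that update would be synchronised into `prod-1` and break the assert here. A dedicated source namespace and a test-specific label value, for example `cloneList.namespace: cpol-clone-list-sync-create-src`, would keep the basic-auth Secret from being copied outside the test's own namespaces.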
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: bootstrap-config
|
||||
namespace: default
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
data:
|
||||
initial_lives: "15"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: image-secret
|
||||
namespace: default
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
type: kubernetes.io/basic-auth
|
||||
stringData:
|
||||
username: admin
|
||||
password: t0p-Secret-super
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: prod-1
|
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
password: dDBwLVNlY3JldC1zdXBlcg==
|
||||
username: YWRtaW4=
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
name: image-secret
|
||||
namespace: prod-1
|
||||
type: kubernetes.io/basic-auth
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
initial_lives: "15"
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
name: bootstrap-config
|
||||
namespace: prod-1
|
|
@ -3,7 +3,6 @@ kind: ClusterPolicy
|
|||
metadata:
|
||||
name: sync-with-multi-clone
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: sync-secret
|
||||
match:
|
||||
|
@ -20,6 +19,7 @@ spec:
|
|||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
generateExisting: false
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
synchronize : true
|
||||
cloneList:
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test verifies the synchronize behavior of generated resource, if the selected source resources using a matched label selector `allowedToBeCloned: "true"` gets changed, the update should be synchronized with the target resource as well.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
This test ensures that update of source resource(ConfigMap) match selected using `allowedToBeCloned: "true"` label get synchronized with target resource created by a ClusterPolicy `generate.cloneList` rule, otherwise the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
#4930
|
|
@ -0,0 +1,33 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-clone-list-sync-update
|
||||
spec:
|
||||
steps:
|
||||
- name: step-00
|
||||
try:
|
||||
- apply:
|
||||
file: manifests.yaml
|
||||
- apply:
|
||||
file: cluster-policy.yaml
|
||||
- assert:
|
||||
file: cluster-policy-ready.yaml
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: ns.yaml
|
||||
- assert:
|
||||
file: resource-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: ns.yaml
|
||||
- assert:
|
||||
file: resource-assert.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: update-source.yaml
|
||||
- assert:
|
||||
file: synchronized-target.yaml
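Review bot: step-01 and step-02 are identical (both apply `ns.yaml` and assert `resource-assert.yaml`), so the second one re-applies an unchanged Namespace and repeats an assert that has already passed. I would delete step-02, or, if it was meant to check something else before the source update in step-03, give it its own manifest. A short `description` on each step would also make the intent of the sequence readable without opening the referenced files.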
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: sync-with-multi-clone-update
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,32 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: sync-with-multi-clone-update
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: sync-secret
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
synchronize : true
|
||||
cloneList:
|
||||
namespace: default
|
||||
kinds:
|
||||
- v1/Secret
|
||||
- v1/ConfigMap
|
||||
selector:
|
||||
matchLabels:
|
||||
allowedToBeCloned: "true"
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: bootstrap-config
|
||||
namespace: default
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
data:
|
||||
initial_lives: "15"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: image-secret
|
||||
namespace: default
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
type: kubernetes.io/basic-auth
|
||||
stringData:
|
||||
username: admin
|
||||
password: t0p-Secret-super
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: prod
|
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
password: dDBwLVNlY3JldC1zdXBlcg==
|
||||
username: YWRtaW4=
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
name: image-secret
|
||||
namespace: prod
|
||||
type: kubernetes.io/basic-auth
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
initial_lives: "15"
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
name: bootstrap-config
|
||||
namespace: prod
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
initial_lives: "50"
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
name: bootstrap-config
|
||||
namespace: prod
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: bootstrap-config
|
||||
namespace: default
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
data:
|
||||
initial_lives: "50"
|
|
@ -3,7 +3,6 @@ kind: ClusterPolicy
|
|||
metadata:
|
||||
name: sync-with-multi-clone-update
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: sync-secret
|
||||
match:
|
||||
|
@ -20,6 +19,7 @@ spec:
|
|||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
generateExisting: false
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
synchronize : true
|
||||
cloneList:
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that updates to a trigger which cause it to no longer match a precondition of the rule, with a generate clone declaration and sync enabled, results in the downstream resource's deletion.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource is deleted, the test passes. If it remains, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/7481
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cpol-clone-sync-existing-update-trigger-no-precondition-ns
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
create: "true"
|
||||
name: test-org
|
||||
namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: source-secret
|
||||
namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
|
||||
type: Opaque
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-clone-sync-existing-update-trigger-no-precondition
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
clone:
|
||||
name: source-secret
|
||||
namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
|
||||
kind: Secret
|
||||
name: downstream-secret
|
||||
namespace: '{{request.object.metadata.namespace}}'
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
name: clone-secret
|
||||
preconditions:
|
||||
any:
|
||||
- key: '{{ request.object.metadata.labels.create || '''' }}'
|
||||
operator: Equals
|
||||
value: "true"
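Review bot: The `match` block of rule `clone-secret` selects ConfigMaps in every namespace, so any ConfigMap labelled `create: "true"` anywhere in the cluster gets a copy of `source-secret` written next to it as `downstream-secret`, not only the `test-org` fixture. On a shared test cluster this copies Secret data into namespaces the test does not own and can interfere with tests running in parallel. Adding `namespaces:` with the single entry `- cpol-clone-sync-existing-update-trigger-no-precondition-ns` under `resources` would keep the rule inside the test's namespace. The same cluster-wide matching appears in the `zk-kafka-address` and `cpol-data-nosync-delete-policy-policy` policies added later in this commit, which select every Namespace outside four excluded ones.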
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-clone-sync-existing-update-trigger-no-precondition
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
create: "false"
|
||||
name: test-org
|
||||
namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
|
|
@ -0,0 +1,41 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-clone-sync-existing-update-trigger-no-precondition
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-2.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1-2.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-02-assert-1-1.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-04
|
||||
try:
|
||||
- assert:
|
||||
file: downstream.yaml
|
||||
- name: step-05
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-05-apply-1-1.yaml
|
||||
- name: step-06
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-07
|
||||
try:
|
||||
- error:
|
||||
file: downstream.yaml
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: downstream-secret
|
||||
namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
|
||||
type: Opaque
|
|
@ -3,9 +3,9 @@ kind: ClusterPolicy
|
|||
metadata:
|
||||
name: cpol-clone-sync-existing-update-trigger-no-precondition
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
generateExisting: true
|
||||
apiVersion: v1
|
||||
clone:
|
||||
name: source-secret
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
# Title
|
||||
|
||||
This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled deletes the downstream ConfigMap when matching a new Namespace.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the generated (downstream) resource is not recreated, the test passes. If it is recreated from the definition in the rule, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: zk-kafka-address
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: '{{request.object.metadata.name}}'
|
||||
synchronize: false
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
name: k-kafka-address
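Review bot: The final `name: k-kafka-address` appears to be the rule name (indentation is not preserved on this page) and looks like a truncated copy of the policy name `zk-kafka-address`. If the truncation is unintended, a name derived from the test, in the way `cpol-data-nosync-delete-policy-rule` is used elsewhere in this commit, would make a failing rule easier to trace. The policy name `zk-kafka-address` is also generic for a cluster-scoped object, so a test-specific name would avoid a collision if another test applies a policy with the same name.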
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: zk-kafka-address
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-downstream-ns
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: cpol-data-nosync-delete-downstream-ns
|
|
@ -0,0 +1,5 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: zk-kafka-address
|
||||
namespace: cpol-data-nosync-delete-downstream-ns
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-data-nosync-delete-downstream
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-02-assert-1-1.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-04
|
||||
try:
|
||||
- delete:
|
||||
ref:
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: cpol-data-nosync-delete-downstream-ns
|
||||
- name: step-05
|
||||
try:
|
||||
- error:
|
||||
file: chainsaw-step-05-error-1-1.yaml
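Review bot: `step-05` runs its `error` check immediately after `step-04` deletes the ConfigMap, so the check can succeed while the object is simply still absent, before the background controller has had any chance to recreate it. As far as I can tell, chainsaw's `error` operation passes as soon as the resource is not found, which would make the "not recreated" expectation in the README hold trivially. Putting a `- sleep:` with `duration: 3s` ahead of the `error` entry, as the other tests in this commit do before their final checks, would give a regression time to show up.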
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a generate rule with a data declaration and NO synchronization, when the ClusterPolicy is deleted does NOT cause the generated resources to be deleted.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource remains after deletion of the ClusterPolicy, the test passes. If it is deleted, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: wolfram-debug
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cpol-data-nosync-delete-policy
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
- assert:
|
||||
file: resource-generated.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- delete:
|
||||
ref:
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
name: cpol-data-nosync-delete-policy-policy
|
||||
- name: step-04
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-05
|
||||
try:
|
||||
- assert:
|
||||
file: chainsaw-step-05-assert-1-1.yaml
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-policy-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-policy-policy
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-delete-policy-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: wolfram-debug
|
Some files were not shown because too many files have changed in this diff Show more