From 942814e942054545285134acf07019f3423f6d56 Mon Sep 17 00:00:00 2001 From: Ved Ratan <82467006+VedRatan@users.noreply.github.com> Date: Mon, 8 May 2023 03:39:21 +0530 Subject: [PATCH] [Feature] Add kuttl tests with policy exceptions disabled (#7117) * added tests Signed-off-by: Ved Ratan * removed redundant code Signed-off-by: Ved Ratan * fix Signed-off-by: Ved Ratan * fix Signed-off-by: Ved Ratan * typo fix and README changes Signed-off-by: Ved Ratan * fix Signed-off-by: Ved Ratan --------- Signed-off-by: Ved Ratan --- .../cluster-policy/invalid-timeout/README.md | 2 +- .../policy-exceptions-disabled/00-policy.yaml | 6 ++++++ .../01-policy_exception.yaml | 4 ++++ .../02-resource.yaml | 5 +++++ .../policy-exceptions-disabled/README.md | 7 +++++++ .../policy-assert.yaml | 9 ++++++++ .../policy-exceptions-disabled/policy.yaml | 21 +++++++++++++++++++ .../policy_exception.yaml | 21 +++++++++++++++++++ .../policy-exceptions-disabled/resource.yaml | 10 +++++++++ 9 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/00-policy.yaml create mode 100644 test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/01-policy_exception.yaml create mode 100644 test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/02-resource.yaml create mode 100644 test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/README.md create mode 100644 test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy-assert.yaml create mode 100644 test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml create mode 100644 test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml create mode 100644 test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/resource.yaml 
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/invalid-timeout/README.md b/test/conformance/kuttl/policy-validation/cluster-policy/invalid-timeout/README.md
index c787181e12..8c81c1c150 100644
--- a/test/conformance/kuttl/policy-validation/cluster-policy/invalid-timeout/README.md
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/invalid-timeout/README.md
@@ -4,4 +4,4 @@ This test tries to create policies with invalid timeouts (`< 1` or `> 30`). ## Expected Behavior
-Policies shoudl be rejected.
+Policies should be rejected.
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/00-policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/00-policy.yaml
new file mode 100644
index 0000000000..b20ef0bd7d
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/00-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/01-policy_exception.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/01-policy_exception.yaml
new file mode 100644
index 0000000000..3d58a1627c
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/01-policy_exception.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy_exception.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/02-resource.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/02-resource.yaml
new file mode 100644
index 0000000000..c20f0dfc04
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/02-resource.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+ shouldFail: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/README.md b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/README.md
new file mode 100644
index 0000000000..c2aa0dccf9
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test is attempting to create a resource with the label "app: my-test-app", which would typically violate the policy defined. However, there is a policy exception defined for resources with the same label, which should bypass the policy. Since the Policy Exception feature has not been enabled, the resource will be blocked by the policy instead of being allowed.
+
+## Expected Behavior
+
+The Pod should be blocked.
\ No newline at end of file
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy-assert.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy-assert.yaml
new file mode 100644
index 0000000000..996222eb02
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-app-label
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml
new file mode 100644
index 0000000000..f69ca35c45
--- /dev/null
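Review bot: `shouldFail: true` in 02-resource.yaml is satisfied by any rejected apply, not only by a denial from the `require-app-label` rule, so an unrelated admission failure (another policy, a quota, a schema error) would also make this step pass. At minimum the step should state its intent in a comment such as `# must be denied by ClusterPolicy require-app-label; the PolicyException must be ignored`. If the suite permits command steps, a stronger check is to run the apply from a script and confirm that the denial output names `require-app-label`.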
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-app-label
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: require-app-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ validate:
+ message: Pod must include the 'app=my-app' label
+ pattern:
+ metadata:
+ labels:
+ app: my-app
\ No newline at end of file
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml
new file mode 100644
index 0000000000..92a5a4e769
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: label-exception
+ namespace: default
+spec:
+ exceptions:
+ - policyName: require-app-label
+ ruleNames:
+ - require-app-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ namespaces:
+ - default
+ selector:
+ matchLabels:
+ app: my-test-app
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/resource.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/resource.yaml
new file mode 100644
index 0000000000..8fbfab9c00
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/policy-exceptions-disabled/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: my-pod
+ labels:
+ app: my-test-app
+spec:
+ containers:
+ - name: nginx
+ image: nginx
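Review bot: The PolicyException in policy_exception.yaml only matches `namespaces: - default`, but the Pod in resource.yaml sets no `metadata.namespace`, and kuttl normally applies un-namespaced objects into a per-test generated namespace. If that holds for this suite, the exception would not match the Pod even with exceptions enabled, so the `shouldFail` step passes regardless of the feature flag. A regression that honours exceptions while the feature is disabled would then go undetected. Adding `namespace: default` under `metadata` in resource.yaml, or dropping the `namespaces` filter from the exception, makes the Pod a real match, so the denial can only come from the feature being off.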