fix: kyverno test wrongly finds 'patchedResource mismatch' due to wrong order in array (#8362)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
0688c9b369
commit
954415a311
4 changed files with 575 additions and 0 deletions
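--- a/test/cli/test-mutate/bug-demo/kyverno-test.yaml
+++ b/test/cli/test-mutate/bug-demo/kyverno-test.yaml
@@ -0,0 +1,13 @@
+name: bug-demo
+policies:
+- ./policy.yaml
+resources:
+- ./resource.yaml
+results:
+- policy: bug-demo
+rule: mutate1
+resources:
+- pod1
+kind: Pod
+patchedResource: patched-resource-pattern.yaml
+result: pass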
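Review bot: The fixture does not record which regression it guards, and nothing on this page ties it to the ordering problem named in the title: the diffstat lists only these four fixture files (575 additions, 0 deletions, no Go source), so the comparison fix itself is presumably in a separate change. A comment under `name: bug-demo` such as `# regression fixture: patchedResource comparison must not report a mismatch when array elements are reordered (#8362)` would make the intent visible to whoever next touches it. With a single `result: pass` expectation the test also cannot distinguish "comparison tolerates reordering" from "mutation produced nothing to compare"; a descriptive test name instead of `bug-demo` would at least make a future failure self-explaining.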
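--- a/test/cli/test-mutate/bug-demo/patched-resource-pattern.yaml
+++ b/test/cli/test-mutate/bug-demo/patched-resource-pattern.yaml
@@ -0,0 +1,289 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: pod1
+namespace: default
+spec:
+containers:
+- image: dummy
+name: main-1
+securityContext:
+capabilities:
+drop:
+- ALL
+privileged: false
+runAsNonRoot: true
+runAsUser: 1
+- image: dummy
+name: main-2
+securityContext:
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+privileged: false
+runAsNonRoot: false
+- image: dummy
+name: main-3
+securityContext:
+capabilities:
+drop:
+- ALL
+privileged: false
+runAsNonRoot: true
+- image: dummy
+name: main-4
+securityContext:
+capabilities:
+add:
+- SYS_ADMIN
+- FOO
+drop: []
+privileged: false
+runAsNonRoot: false
+runAsUser: 0
+- image: dummy
+name: main-5
+securityContext:
+capabilities:
+add:
+- SYS_ADMIN
+- FOO
+drop: []
+privileged: false
+- image: dummy
+name: main-6
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+privileged: false
+runAsUser: 0
+- image: dummy
+name: main-7
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+privileged: false
+runAsNonRoot: true
+runAsUser: 0
+- image: dummy
+name: main-8
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+privileged: false
+runAsNonRoot: false
+runAsUser: 1
+- image: dummy
+name: main-9
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+privileged: false
+runAsUser: 1
+- image: dummy
+name: main-10
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+runAsNonRoot: false
+runAsUser: 0
+- image: dummy
+name: main-11
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+runAsNonRoot: true
+- image: dummy
+name: main-12
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- SYS_ADMIN
+- FOO
+drop: []
+runAsNonRoot: true
+runAsUser: 0
+- image: dummy
+name: main-13
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- SYS_ADMIN
+- FOO
+drop: []
+runAsNonRoot: false
+runAsUser: 1
+- image: dummy
+name: main-14
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- SYS_ADMIN
+- FOO
+drop: []
+runAsUser: 1
+- image: dummy
+name: main-15
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- SYS_ADMIN
+- FOO
+drop: []
+runAsNonRoot: false
+- image: dummy
+name: main-16
+securityContext:
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+runAsUser: 0
+- image: dummy
+name: main-17
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+- image: dummy
+name: main-18
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+add:
+- SYS_ADMIN
+- FOO
+drop: []
+runAsNonRoot: true
+runAsUser: 1
+- image: dummy
+name: main-19
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+privileged: true
+runAsNonRoot: true
+runAsUser: 1
+- image: dummy
+name: main-20
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- SYS_ADMIN
+- FOO
+drop: []
+privileged: true
+runAsUser: 0
+- image: dummy
+name: main-21
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- SYS_ADMIN
+- FOO
+drop: []
+privileged: true
+- image: dummy
+name: main-22
+securityContext:
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+privileged: true
+runAsNonRoot: true
+runAsUser: 0
+- image: dummy
+name: main-23
+securityContext:
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+privileged: true
+runAsNonRoot: false
+runAsUser: 1
+- image: dummy
+name: main-24
+securityContext:
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+privileged: true
+runAsUser: 1
+- image: dummy
+name: main-25
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+privileged: true
+runAsNonRoot: false
+runAsUser: 0
+- image: dummy
+name: main-26
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+add:
+- FOO
+drop:
+- SYS_ADMIN
+privileged: true
+runAsNonRoot: false
+- image: dummy
+name: main-27
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+add:
+- SYS_ADMIN
+- FOO
+drop: []
+privileged: true
+runAsNonRoot: true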
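Review bot: The expected pattern carries `metadata.namespace: default` while the input pod in resource.yaml declares no namespace, so the match depends on the CLI defaulting the namespace during mutation; if that default ever changes, this test fails for a reason unrelated to the array-ordering regression it is meant to cover. Either drop `namespace: default` from the pattern or add it to resource.yaml so both sides state it explicitly. Key order also differs from the input (`image` before `name`, fields sorted alphabetically), which is presumably deliberate because the comparison is structural rather than textual, but a one-line header comment such as `# expected result of policy.yaml applied to resource.yaml; key and array order intentionally differ from the input` would record that for the next maintainer.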
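--- a/test/cli/test-mutate/bug-demo/policy.yaml
+++ b/test/cli/test-mutate/bug-demo/policy.yaml
@@ -0,0 +1,84 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+name: bug-demo
+annotations:
+pod-policies.kyverno.io/autogen-controllers: "none"
+spec:
+background: false
+validationFailureAction: enforce
+
+rules:
+
+- name: mutate1
+match:
+all:
+- resources:
+kinds:
+- v1/Pod
+mutate:
+foreach:
+- list: |-
+request.object.spec.containers || `[]`
+context:
+- name: container_path
+variable:
+value: "/spec/containers/{{ elementIndex }}"
+patchesJson6902: |-
+{{
+[
+contains(['main-1','main-3','main-11'], element.name)
+&&
+[
+{
+op: 'remove',
+path: join('/', [container_path, 'securityContext/capabilities/add'])
+}
+,
+{
+op: 'add',
+path: join('/', [container_path, 'securityContext/capabilities/drop'])
+value: ['ALL']
+}
+]
+|| `[]`
+,
+
+contains(['main-2','main-6','main-7','main-8','main-9','main-10','main-16','main-17','main-19','main-22','main-23','main-24','main-25','main-26'], element.name)
+&&
+[
+{
+op: 'add',
+path: join('/', [container_path, 'securityContext/capabilities/add'])
+value: ['FOO']
+}
+,
+{
+op: 'add',
+path: join('/', [container_path, 'securityContext/capabilities', 'drop'])
+value: ['SYS_ADMIN']
+}
+]
+|| `[]`
+,
+
+contains(['main-4','main-5','main-12','main-13','main-14','main-15','main-18','main-20','main-21','main-27'], element.name)
+&&
+[
+{
+op: 'add',
+path: join('/', [container_path, 'securityContext/capabilities/add'])
+value: ['SYS_ADMIN', 'FOO']
+}
+,
+{
+op: 'add',
+path: join('/', [container_path, 'securityContext/capabilities/drop'])
+value: `[]`
+}
+]
+|| `[]`
+][]
+|
+to_string(@)
+}}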
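Review bot: Inside the `patchesJson6902` JMESPath expression, every `path:` pair is followed on the next line by a `value:` pair with no comma between them (the `op: 'add'` hashes that set `['ALL']`, `['FOO']`, `['SYS_ADMIN']`, `['SYS_ADMIN', 'FOO']` and `` `[]` ``), while each `op:` pair does carry one; standard JMESPath requires a separator between multi-select-hash pairs, so if the CLI test passes as rendered here it is relying on Kyverno's parser tolerating the omission, and writing `path: join('/', [container_path, 'securityContext/capabilities/add']),` keeps the fixture portable across parser versions. The first branch also emits `op: 'remove'` on `securityContext/capabilities/add` for `main-1`, `main-3` and `main-11`, whose input containers in resource.yaml have no `capabilities` at all; RFC 6902 treats removal of a missing path as an error, so the expected `pass` presumably depends on the engine ignoring that failure, which deserves a comment on the rule such as `# remove on a missing path is expected to be tolerated for main-1/3/11`. Because this is a regression fixture, a short comment above `rules:` naming which container-name groups exercise which of the three branches would make the expected pattern much easier to audit.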
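--- a/test/cli/test-mutate/bug-demo/resource.yaml
+++ b/test/cli/test-mutate/bug-demo/resource.yaml
@@ -0,0 +1,189 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: pod1
+spec:
+containers:
+- name: main-1
+image: dummy
+securityContext:
+privileged: false
+runAsUser: 1
+runAsNonRoot: true
+- name: main-2
+image: dummy
+securityContext:
+privileged: false
+runAsNonRoot: false
+- name: main-3
+image: dummy
+securityContext:
+privileged: false
+runAsNonRoot: true
+- name: main-4
+image: dummy
+securityContext:
+privileged: false
+runAsUser: 0
+runAsNonRoot: false
+capabilities:
+add:
+- SYS_ADMIN
+- name: main-5
+image: dummy
+securityContext:
+privileged: false
+capabilities:
+add:
+- SYS_ADMIN
+- name: main-6
+image: dummy
+securityContext:
+privileged: false
+allowPrivilegeEscalation: true
+runAsUser: 0
+- name: main-7
+image: dummy
+securityContext:
+privileged: false
+allowPrivilegeEscalation: true
+runAsUser: 0
+runAsNonRoot: true
+- name: main-8
+image: dummy
+securityContext:
+privileged: false
+allowPrivilegeEscalation: true
+runAsUser: 1
+runAsNonRoot: false
+- name: main-9
+image: dummy
+securityContext:
+privileged: false
+allowPrivilegeEscalation: true
+runAsUser: 1
+- name: main-10
+image: dummy
+securityContext:
+allowPrivilegeEscalation: false
+runAsUser: 0
+runAsNonRoot: false
+- name: main-11
+image: dummy
+securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: true
+- name: main-12
+image: dummy
+securityContext:
+allowPrivilegeEscalation: false
+runAsUser: 0
+runAsNonRoot: true
+capabilities:
+add:
+- SYS_ADMIN
+- name: main-13
+image: dummy
+securityContext:
+allowPrivilegeEscalation: false
+runAsUser: 1
+runAsNonRoot: false
+capabilities:
+add:
+- SYS_ADMIN
+- name: main-14
+image: dummy
+securityContext:
+allowPrivilegeEscalation: false
+runAsUser: 1
+capabilities:
+add:
+- SYS_ADMIN
+- name: main-15
+image: dummy
+securityContext:
+allowPrivilegeEscalation: false
+runAsNonRoot: false
+capabilities:
+add:
+- SYS_ADMIN
+- name: main-16
+image: dummy
+securityContext:
+runAsUser: 0
+- name: main-17
+image: dummy
+securityContext:
+allowPrivilegeEscalation: true
+- name: main-18
+image: dummy
+securityContext:
+allowPrivilegeEscalation: true
+runAsUser: 1
+runAsNonRoot: true
+capabilities:
+add:
+- SYS_ADMIN
+- name: main-19
+image: dummy
+securityContext:
+privileged: true
+allowPrivilegeEscalation: false
+runAsUser: 1
+runAsNonRoot: true
+- name: main-20
+image: dummy
+securityContext:
+privileged: true
+allowPrivilegeEscalation: false
+runAsUser: 0
+capabilities:
+add:
+- SYS_ADMIN
+- name: main-21
+image: dummy
+securityContext:
+privileged: true
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- SYS_ADMIN
+- name: main-22
+image: dummy
+securityContext:
+privileged: true
+runAsUser: 0
+runAsNonRoot: true
+- name: main-23
+image: dummy
+securityContext:
+privileged: true
+runAsUser: 1
+runAsNonRoot: false
+- name: main-24
+image: dummy
+securityContext:
+privileged: true
+runAsUser: 1
+- name: main-25
+image: dummy
+securityContext:
+privileged: true
+allowPrivilegeEscalation: true
+runAsUser: 0
+runAsNonRoot: false
+- name: main-26
+image: dummy
+securityContext:
+privileged: true
+allowPrivilegeEscalation: true
+runAsNonRoot: false
+- name: main-27
+image: dummy
+securityContext:
+privileged: true
+allowPrivilegeEscalation: true
+runAsNonRoot: true
+capabilities:
+add:
+- SYS_ADMIN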