mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity

chore: more e2e matrix based jobs (#10984)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2024-09-03 00:24:55 +02:00 committed by GitHub
parent 24b5e6ddde
commit 96965eb229
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 171 additions and 305 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
.github/actions/run-tests/action.yaml vendored
View file

@ -4,15 +4,21 @@ inputs:
k8s-version:
description: Kubernetes version
required: true
config:
description: Chainsaw config
required: true
tests:
description: Test regex
required: true
kind-config:
description: Kind cluster config
default: ./scripts/config/kind/default.yaml
kyverno-configs:
description: Kyverno configs
default: standard
token:
description: GH token
required: true
chainsaw-config:
description: Chainsaw config
default: ../../../.chainsaw.yaml
chainsaw-tests:
description: Test regex
required: true
runs:
using: composite
steps:
@ -28,7 +34,7 @@ runs:
with:
node_image: kindest/node:${{ inputs.k8s-version }}
cluster_name: kind
config: ./scripts/config/kind/default.yaml
config: ${{ inputs.kind-config }}
# deploy kyverno
- name: Download kyverno images archive
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@ -44,7 +50,7 @@ runs:
run: |
set -e
export HELM=${{ steps.helm.outputs.helm-path }}
export USE_CONFIG=standard
export USE_CONFIG=${{ inputs.kyverno-configs }}
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
@ -55,7 +61,7 @@ runs:
GITHUB_TOKEN: ${{ inputs.token }}
run: |
set -e
cd ./test/conformance/chainsaw && chainsaw test --include-test-regex '^chainsaw$/${{ inputs.tests }}' --config ../../../.chainsaw.yaml
cd ./test/conformance/chainsaw && chainsaw test --include-test-regex '^chainsaw$/${{ inputs.chainsaw-tests }}' --config ${{ inputs.chainsaw-config }}
# debug
- name: Debug failure
if: failure()

388
.github/workflows/conformance.yaml vendored
View file

@ -89,7 +89,7 @@ jobs:
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).assert }}
@ -99,16 +99,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
autogen:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).autogen }}
@ -118,16 +118,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
background-only:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).background-only }}
@ -137,16 +137,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
cleanup:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).cleanup }}
@ -156,16 +156,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
deferred:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).deferred }}
@ -175,16 +175,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
events:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).events }}
@ -194,16 +194,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
exceptions:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).exceptions }}
@ -213,16 +213,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
filter:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).filter }}
@ -232,16 +232,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
generate:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).generate }}
@ -251,16 +251,36 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
generate-validating-admission-policy:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).generate-validating-admission-policy }}
needs: [ prepare-images, define-matrix ]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
kind-config: ./scripts/config/kind/vap-v1beta1.yaml
kyverno-configs: standard,generate-validating-admission-policy
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
globalcontext:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).globalcontext }}
@ -270,16 +290,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
lease:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).lease }}
@ -289,16 +309,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
mutate:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).mutate }}
@ -308,16 +328,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
policy-validation:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).policy-validation }}
@ -327,16 +347,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
rangeoperators:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).rangeoperators }}
@ -346,17 +366,18 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
rbac:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
kyverno-configs: [ standard, default ]
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).rbac }}
needs: [ prepare-images, define-matrix ]
@ -365,16 +386,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: ${{ matrix.kyverno-configs }}
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
reports:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).reports }}
@ -384,16 +405,35 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
ttl:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).ttl }}
needs: [ prepare-images, define-matrix ]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
kyverno-configs: standard,ttl
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
validate:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).validate }}
@ -403,16 +443,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
verify-manifests:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).verify-manifests }}
@ -422,16 +462,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
verifyImages:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).verifyImages }}
@ -441,16 +481,36 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
webhook-configurations:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).webhook-configurations }}
needs: [ prepare-images, define-matrix ]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
kind-config: ./scripts/config/kind/vap-v1beta1.yaml
kyverno-configs: standard,generate-validating-admission-policy
token: ${{ secrets.GITHUB_TOKEN }}
chainsaw-tests: ${{ matrix.tests }}
webhooks:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
tests: ${{ fromJSON(needs.define-matrix.outputs.tests).webhooks }}
@ -460,80 +520,16 @@ jobs:
- uses: ./.github/actions/run-tests
with:
k8s-version: ${{ matrix.k8s-version }}
config: standard
tests: ${{ matrix.tests }}
kyverno-configs: standard
token: ${{ secrets.GITHUB_TOKEN }}
k8s-version-specific-tests-above-1-28:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
k8s-version:
- v1.28.13
- v1.29.8
- v1.30.4
- v1.31.0
tests:
- generate-validating-admission-policy
- webhook-configurations
needs: prepare-images
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# install tools
- name: Install helm
id: helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
- name: Install chainsaw
uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
# create cluster
- name: Create kind cluster
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
with:
node_image: kindest/node:${{ matrix.k8s-version }}
cluster_name: kind
config: ./scripts/config/kind/vap-v1beta1.yaml
# deploy kyverno
- name: Download kyverno images archive
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
shell: bash
run: |
set -e
kind load image-archive kyverno.tar --name kind
- name: Install kyverno
shell: bash
run: |
set -e
export HELM=${{ steps.helm.outputs.helm-path }}
export USE_CONFIG=standard,generate-validating-admission-policy
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
# run tests
- name: Test with Chainsaw
shell: bash
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -e
cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml
# debug
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs
chainsaw-tests: ${{ matrix.tests }}
validatingadmissionpolicies-reports-v1beta1:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version:
- v1.28.13
@ -596,7 +592,7 @@ jobs:
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version:
- v1.28.13
@ -655,75 +651,12 @@ jobs:
if: failure()
uses: ./.github/actions/kyverno-logs
ttl:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
k8s-version:
- v1.28.13
- v1.29.8
- v1.30.4
- v1.31.0
tests:
- ttl
needs: prepare-images
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# install tools
- name: Install helm
id: helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
- name: Install chainsaw
uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
# create cluster
- name: Create kind cluster
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
with:
node_image: kindest/node:${{ matrix.k8s-version }}
cluster_name: kind
config: ./scripts/config/kind/default.yaml
# deploy kyverno
- name: Download kyverno images archive
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
shell: bash
run: |
set -e
kind load image-archive kyverno.tar --name kind
- name: Install kyverno
shell: bash
run: |
set -e
export HELM=${{ steps.helm.outputs.helm-path }}
export USE_CONFIG=standard,ttl
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
# run tests
- name: Test with Chainsaw
shell: bash
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -e
cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml
# debug
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs
custom-sigstore:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version:
- v1.28.x
@ -800,73 +733,10 @@ jobs:
if: failure()
uses: ./.github/actions/kyverno-logs
default:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
k8s-version:
- v1.28.13
- v1.29.8
- v1.30.4
- v1.31.0
tests:
- rbac
needs: prepare-images
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# install tools
- name: Install helm
id: helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
- name: Install chainsaw
uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
# create cluster
- name: Create kind cluster
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
with:
node_image: kindest/node:${{ matrix.k8s-version }}
cluster_name: kind
config: ./scripts/config/kind/default.yaml
# deploy kyverno
- name: Download kyverno images archive
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
shell: bash
run: |
set -e
kind load image-archive kyverno.tar --name kind
- name: Install kyverno
shell: bash
run: |
set -e
export HELM=${{ steps.helm.outputs.helm-path }}
export USE_CONFIG=default
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
# run tests
- name: Test with Chainsaw
shell: bash
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -e
cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml
# debug
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs
policy-library:
runs-on: ubuntu-latest
strategy:
fail-fast: false
fail-fast: true
matrix:
k8s-version:
- v1.28.13
@ -1030,7 +900,7 @@ jobs:
permissions:
packages: read
strategy:
fail-fast: false
fail-fast: true
matrix:
tests:
- ^cli$
@ -1086,6 +956,7 @@ jobs:
- exceptions
- filter
- generate
- generate-validating-admission-policy
- globalcontext
- lease
- mutate
@ -1097,13 +968,12 @@ jobs:
- validate
- verify-manifests
- verifyImages
- webhook-configurations
- webhooks
- ttl
- force-failure-policy-ignore
- k8s-version-specific-tests-above-1-28
- validatingadmissionpolicies-reports-v1beta1
- custom-sigstore
- default
- monitor-helm-secret-size
- check-tests
runs-on: ubuntu-latest
@ -1123,6 +993,7 @@ jobs:
- exceptions
- filter
- generate
- generate-validating-admission-policy
- globalcontext
- lease
- mutate
@ -1134,13 +1005,12 @@ jobs:
- validate
- verify-manifests
- verifyImages
- webhook-configurations
- webhooks
- ttl
- force-failure-policy-ignore
- k8s-version-specific-tests-above-1-28
- validatingadmissionpolicies-reports-v1beta1
- custom-sigstore
- default
- monitor-helm-secret-size
- check-tests
runs-on: ubuntu-latest

2
hack/chainsaw-matrix/main.go
View file

@ -14,7 +14,7 @@ import (
"github.com/kyverno/chainsaw/pkg/discovery"
)
const chunkSize = 12
const chunkSize = 16
func main() {
tests, err := discovery.DiscoverTests("chainsaw-test.yaml", nil, false, "../../test/conformance/chainsaw")

62
test/conformance/chainsaw/e2e-matrix.json
View file

@ -3,8 +3,7 @@
"^assert$/^(old-object-exists)\\[.*\\]$"
],
"autogen": [
"^autogen$/^(assert-autogen|conditions|conditions-deprecated|deployment-cronjob|deployment-cronjob-deprecated|deployment-statefulset-job|foreach-jsonpatch|none|none-deprecated|only-cronjob|only-deployment|restrict-image-registries)\\[.*\\]$",
"^autogen$/^(should-autogen|should-autogen-deprecated|should-not-autogen|should-not-autogen-deprecated)\\[.*\\]$"
"^autogen$/^(assert-autogen|conditions|conditions-deprecated|deployment-cronjob|deployment-cronjob-deprecated|deployment-statefulset-job|foreach-jsonpatch|none|none-deprecated|only-cronjob|only-deployment|restrict-image-registries|should-autogen|should-autogen-deprecated|should-not-autogen|should-not-autogen-deprecated)\\[.*\\]$"
],
"background-only": [
"^background-only$/^cluster-policy$/^(no-admission-event|no-admission-event-deprecated|no-admission-report|no-admission-report-deprecated|not-rejected|not-rejected-deprecated)\\[.*\\]$",
@ -32,9 +31,8 @@
"^events$/^policy$/^(policy-applied|policy-applied-deprecated|policy-violation|policy-violation-deprecated)\\[.*\\]$"
],
"exceptions": [
"^exceptions$/^(allows-rejects-creation|applies-to-delete|conditions|events-creation|exclude-capabilities|exclude-ephemeral-containers|exclude-host-ports|exclude-host-process-and-host-namespaces|exclude-hostpath-volume|exclude-privilege-escalation|exclude-privileged-containers|exclude-restricted-capabilities)\\[.*\\]$",
"^exceptions$/^(exclude-restricted-seccomp|exclude-running-as-nonroot|exclude-running-as-nonroot-user|exclude-seccomp|exclude-selinux|exclude-sysctls|exclude-volume-types|good-bad-conditions|multiple-exceptions|multiple-exceptions-with-pod-security|only-for-specific-user|psa-run-as-non-root)\\[.*\\]$",
"^exceptions$/^(with-wildcard)\\[.*\\]$",
"^exceptions$/^(allows-rejects-creation|applies-to-delete|conditions|events-creation|exclude-capabilities|exclude-ephemeral-containers|exclude-host-ports|exclude-host-process-and-host-namespaces|exclude-hostpath-volume|exclude-privilege-escalation|exclude-privileged-containers|exclude-restricted-capabilities|exclude-restricted-seccomp|exclude-running-as-nonroot|exclude-running-as-nonroot-user|exclude-seccomp)\\[.*\\]$",
"^exceptions$/^(exclude-selinux|exclude-sysctls|exclude-volume-types|good-bad-conditions|multiple-exceptions|multiple-exceptions-with-pod-security|only-for-specific-user|psa-run-as-non-root|with-wildcard)\\[.*\\]$",
"^exceptions$/^background-mode$/^(standard)\\[.*\\]$"
],
"filter": [
@ -52,17 +50,15 @@
"^force-failure-policy-ignore$/^cluster-policy$/^(fail|fail-deprecated)\\[.*\\]$"
],
"generate": [
"^generate$/^clusterpolicy$/^cornercases$/^(clone-list-sync-same-trigger-source-delete-source|clone-list-sync-same-trigger-source-update-source|clone-role-and-rolebinding|clone-source-name-exceeds-63-characters|clone-sync-same-trigger-source-delete-source|clone-sync-same-trigger-source-update-source|cpol-clone-create-on-trigger-deletion|cpol-clone-delete-ownerreferences-across-namespaces|cpol-clone-delete-ownerreferences-across-namespaces-deprecated|cpol-clone-sync-create-source-after-policy|cpol-clone-sync-reinstall-policy|cpol-clone-sync-reinstall-policy-deprecated)\\[.*\\]$",
"^generate$/^clusterpolicy$/^cornercases$/^(cpol-clone-sync-single-source-multiple-triggers-targets|cpol-clone-sync-single-source-multiple-triggers-targets-deprecated|cpol-clone-sync-single-trigger-source-multiple-targets|cpol-data-create-on-trigger-deletion|cpol-data-sync-create-upon-generated-resource|cpol-data-sync-no-creation-upon-generated-resource|cpol-data-sync-remove-list-element|cpol-data-sync-to-nosync-delete-rule|cpol-data-sync-to-nosync-delete-rule-deprecated|cpol-data-trigger-not-present|data-role-and-rolebinding|generate-event-upon-edit)\\[.*\\]$",
"^generate$/^clusterpolicy$/^cornercases$/^(pod-restart-on-cm-update|pod-restart-on-cm-update-deprecated|trigger-resource-name-exceeds-63-characters)\\[.*\\]$",
"^generate$/^clusterpolicy$/^cornercases$/^(clone-list-sync-same-trigger-source-delete-source|clone-list-sync-same-trigger-source-update-source|clone-role-and-rolebinding|clone-source-name-exceeds-63-characters|clone-sync-same-trigger-source-delete-source|clone-sync-same-trigger-source-update-source|cpol-clone-create-on-trigger-deletion|cpol-clone-delete-ownerreferences-across-namespaces|cpol-clone-delete-ownerreferences-across-namespaces-deprecated|cpol-clone-sync-create-source-after-policy|cpol-clone-sync-reinstall-policy|cpol-clone-sync-reinstall-policy-deprecated|cpol-clone-sync-single-source-multiple-triggers-targets|cpol-clone-sync-single-source-multiple-triggers-targets-deprecated|cpol-clone-sync-single-trigger-source-multiple-targets|cpol-data-create-on-trigger-deletion)\\[.*\\]$",
"^generate$/^clusterpolicy$/^cornercases$/^(cpol-data-sync-create-upon-generated-resource|cpol-data-sync-no-creation-upon-generated-resource|cpol-data-sync-remove-list-element|cpol-data-sync-to-nosync-delete-rule|cpol-data-sync-to-nosync-delete-rule-deprecated|cpol-data-trigger-not-present|data-role-and-rolebinding|generate-event-upon-edit|pod-restart-on-cm-update|pod-restart-on-cm-update-deprecated|trigger-resource-name-exceeds-63-characters)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^clone$/^multiple$/^sync$/^(basic-create)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^clone$/^nosync$/^(cpol-clone-nosync-create|cpol-clone-nosync-delete-downstream|cpol-clone-nosync-delete-policy|cpol-clone-nosync-delete-rule|cpol-clone-nosync-delete-source|cpol-clone-nosync-delete-trigger|cpol-clone-nosync-modify-downstream|cpol-clone-nosync-modify-source|cpol-clone-nosync-update-trigger-no-match)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^clone$/^sync$/^(cpol-clone-list-sync-create|cpol-clone-list-sync-create-deprecated|cpol-clone-list-sync-delete-source|cpol-clone-list-sync-update|cpol-clone-list-sync-update-deprecated|cpol-clone-sync-create|cpol-clone-sync-delete-downstream|cpol-clone-sync-delete-policy|cpol-clone-sync-delete-rule|cpol-clone-sync-delete-source|cpol-clone-sync-delete-trigger|cpol-clone-sync-existing-update-trigger-no-precondition)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^clone$/^sync$/^(cpol-clone-sync-existing-update-trigger-no-precondition-deprecated|cpol-clone-sync-modify-downstream|cpol-clone-sync-modify-downstream-apply|cpol-clone-sync-modify-source|cpol-clone-sync-no-existing-update-trigger-no-precondition|cpol-clone-sync-update-trigger-no-match)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^clone$/^sync$/^(cpol-clone-list-sync-create|cpol-clone-list-sync-create-deprecated|cpol-clone-list-sync-delete-source|cpol-clone-list-sync-update|cpol-clone-list-sync-update-deprecated|cpol-clone-sync-create|cpol-clone-sync-delete-downstream|cpol-clone-sync-delete-policy|cpol-clone-sync-delete-rule|cpol-clone-sync-delete-source|cpol-clone-sync-delete-trigger|cpol-clone-sync-existing-update-trigger-no-precondition|cpol-clone-sync-existing-update-trigger-no-precondition-deprecated|cpol-clone-sync-modify-downstream|cpol-clone-sync-modify-downstream-apply|cpol-clone-sync-modify-source)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^clone$/^sync$/^(cpol-clone-sync-no-existing-update-trigger-no-precondition|cpol-clone-sync-update-trigger-no-match)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^data$/^nosync$/^(cpol-data-nosync-delete-downstream|cpol-data-nosync-delete-policy|cpol-data-nosync-delete-rule|cpol-data-nosync-delete-trigger|cpol-data-nosync-modify-downstream|cpol-data-nosync-modify-rule|cpol-data-nosync-update-trigger-no-match|generate-on-subresource-trigger)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^data$/^nosync-deprecated$/^(cpol-data-nosync-delete-downstream|cpol-data-nosync-delete-policy|cpol-data-nosync-delete-rule|cpol-data-nosync-modify-downstream|cpol-data-nosync-modify-rule|generate-on-subresource-trigger)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^data$/^sync$/^(cpol-data-sync-create|cpol-data-sync-delete-downstream|cpol-data-sync-delete-one-trigger|cpol-data-sync-delete-policy|cpol-data-sync-delete-rule|cpol-data-sync-delete-trigger|cpol-data-sync-existing-update-trigger-no-precondition|cpol-data-sync-modify-downstream|cpol-data-sync-modify-policy|cpol-data-sync-modify-rule|cpol-data-sync-mutate-and-generate|cpol-data-sync-no-existing-update-trigger-no-precondition)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^data$/^sync$/^(cpol-data-sync-orphan-downstream-delete-policy|cpol-data-sync-update-trigger-no-match)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^data$/^sync$/^(cpol-data-sync-create|cpol-data-sync-delete-downstream|cpol-data-sync-delete-one-trigger|cpol-data-sync-delete-policy|cpol-data-sync-delete-rule|cpol-data-sync-delete-trigger|cpol-data-sync-existing-update-trigger-no-precondition|cpol-data-sync-modify-downstream|cpol-data-sync-modify-policy|cpol-data-sync-modify-rule|cpol-data-sync-mutate-and-generate|cpol-data-sync-no-existing-update-trigger-no-precondition|cpol-data-sync-orphan-downstream-delete-policy|cpol-data-sync-update-trigger-no-match)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^data$/^sync-deprecated$/^(cpol-data-sync-create|cpol-data-sync-delete-downstream|cpol-data-sync-delete-policy|cpol-data-sync-delete-rule|cpol-data-sync-existing-update-trigger-no-precondition|cpol-data-sync-modify-downstream|cpol-data-sync-modify-rule|cpol-data-sync-orphan-downstream-delete-policy)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^existing$/^(different-configurations-for-generate-existing|different-generate-existing-values|different-generate-existing-values-reorder|existing-basic-add-rule-data|existing-basic-create-policy-data|existing-basic-create-policy-preconditions-data|existing-with-wildcard-name-matching)\\[.*\\]$",
"^generate$/^clusterpolicy$/^standard$/^existing-deprecated$/^(existing-basic-add-rule-data|existing-basic-create-policy-data|existing-basic-create-policy-preconditions-data)\\[.*\\]$",
@ -80,10 +76,9 @@
"^generate$/^validation$/^policy$/^(cloneList|immutable-clone|immutable-clonelist|immutable-downstream|immutable-rule-spec|permissions|prevent-loop|target-namespace-scope|use-generate-existing-on-policy-update)\\[.*\\]$"
],
"generate-validating-admission-policy": [
"^generate-validating-admission-policy$/^clusterpolicy$/^standard$/^generate$/^(block-ephemeral-containers|block-exec-in-pods|cpol-all-match-resource|cpol-any-exclude-namespace-match-resource|cpol-any-exclude-resource|cpol-any-exclude-resource-match-with-namespace-selector|cpol-any-exclude-resource-match-with-object-selector|cpol-any-match-multiple-resources|cpol-any-match-resource|cpol-any-match-resources-by-names|cpol-match-all-exclude-one|cpol-match-kind-with-wildcard)\\[.*\\]$",
"^generate-validating-admission-policy$/^clusterpolicy$/^standard$/^generate$/^(cpol-match-resource-in-specific-namespace|cpol-with-an-exception|cpol-with-an-exception-excluding-namespaces|cpol-with-two-exceptions)\\[.*\\]$",
"^generate-validating-admission-policy$/^clusterpolicy$/^standard$/^skip-generate$/^(cpol-any-match-multiple-resources-with-namespace-selector|cpol-any-match-multiple-resources-with-object-selector|cpol-any-match-resources-by-names-with-wildcard|cpol-any-match-resources-in-namespaces-with-wildcard|cpol-any-match-resources-with-different-namespace-selectors|cpol-any-match-resources-with-different-object-selectors|cpol-exclude-resources-in-specific-namespace|cpol-exclude-resources-with-namespace-selector|cpol-exclude-resources-with-object-selector|cpol-exclude-user-and-roles|cpol-match-resource-created-by-user|cpol-match-resource-using-annotations)\\[.*\\]$",
"^generate-validating-admission-policy$/^clusterpolicy$/^standard$/^skip-generate$/^(cpol-multiple-all-match-resources|cpol-multiple-rules|cpol-multiple-validation-failure-action-overrides|cpol-non-cel-rule|cpol-validation-failure-action-overrides-with-namespace|cpol-with-exception-and-conditions|cpol-with-exception-and-namespace-selector|cpol-with-exception-and-object-selector|cpol-with-exception-in-specific-namespace)\\[.*\\]$"
"^generate-validating-admission-policy$/^clusterpolicy$/^standard$/^generate$/^(block-ephemeral-containers|block-exec-in-pods|cpol-all-match-resource|cpol-any-exclude-namespace-match-resource|cpol-any-exclude-resource|cpol-any-exclude-resource-match-with-namespace-selector|cpol-any-exclude-resource-match-with-object-selector|cpol-any-match-multiple-resources|cpol-any-match-resource|cpol-any-match-resources-by-names|cpol-match-all-exclude-one|cpol-match-kind-with-wildcard|cpol-match-resource-in-specific-namespace|cpol-with-an-exception|cpol-with-an-exception-excluding-namespaces|cpol-with-two-exceptions)\\[.*\\]$",
"^generate-validating-admission-policy$/^clusterpolicy$/^standard$/^skip-generate$/^(cpol-any-match-multiple-resources-with-namespace-selector|cpol-any-match-multiple-resources-with-object-selector|cpol-any-match-resources-by-names-with-wildcard|cpol-any-match-resources-in-namespaces-with-wildcard|cpol-any-match-resources-with-different-namespace-selectors|cpol-any-match-resources-with-different-object-selectors|cpol-exclude-resources-in-specific-namespace|cpol-exclude-resources-with-namespace-selector|cpol-exclude-resources-with-object-selector|cpol-exclude-user-and-roles|cpol-match-resource-created-by-user|cpol-match-resource-using-annotations|cpol-multiple-all-match-resources|cpol-multiple-rules|cpol-multiple-validation-failure-action-overrides|cpol-non-cel-rule)\\[.*\\]$",
"^generate-validating-admission-policy$/^clusterpolicy$/^standard$/^skip-generate$/^(cpol-validation-failure-action-overrides-with-namespace|cpol-with-exception-and-conditions|cpol-with-exception-and-namespace-selector|cpol-with-exception-and-object-selector|cpol-with-exception-in-specific-namespace)\\[.*\\]$"
],
"globalcontext": [
"^globalcontext$/^(apicall-correct|apicall-failed|gctxentry-not-exist|not-ready|resource-correct|validate-apicall-data|validate-crd|validate-reference)\\[.*\\]$"
@ -95,9 +90,8 @@
"^mutate$/^cascading$/^(first-rule-is-foreach|no-foreach|two-foreach-rules)\\[.*\\]$",
"^mutate$/^clusterpolicy$/^cornercases$/^(cascading-mutation|defaulting-namespace-labels|jmespath-with-special-chars|mutate-using-default-context|mutate-with-404-api-call|trigger-name-exceeds-63-characters|variables-mutate-existing|variables-mutate-existing-deprecated)\\[.*\\]$",
"^mutate$/^clusterpolicy$/^standard$/^(basic-check-output|mutate-node-status|userInfo-roles-clusterRoles)\\[.*\\]$",
"^mutate$/^clusterpolicy$/^standard$/^existing$/^(background-false|background-false(deprecated)|basic-create|basic-create(deprecated)|basic-create-patchesJson6902|basic-create-patchesJson6902(deprecated)|basic-delete|basic-delete(deprecated)|basic-update|basic-update(deprecated)|delete-trigger-namespace|delete-trigger-namespace(deprecated))\\[.*\\]$",
"^mutate$/^clusterpolicy$/^standard$/^existing$/^(descending-patchJson6902|multiple-rules-match-exclude|multiple-rules-match-exclude(deprecated)|multiple-trigger-resources|multiple-trigger-resources(deprecated)|mutate-existing-node-status|mutate-pod-on-binding-request|namespaceselector|namespaceselector(deprecated)|preconditions|preconditions(deprecated)|target-context)\\[.*\\]$",
"^mutate$/^clusterpolicy$/^standard$/^existing$/^(target-preconditions)\\[.*\\]$",
"^mutate$/^clusterpolicy$/^standard$/^existing$/^(background-false|background-false(deprecated)|basic-create|basic-create(deprecated)|basic-create-patchesJson6902|basic-create-patchesJson6902(deprecated)|basic-delete|basic-delete(deprecated)|basic-update|basic-update(deprecated)|delete-trigger-namespace|delete-trigger-namespace(deprecated)|descending-patchJson6902|multiple-rules-match-exclude|multiple-rules-match-exclude(deprecated)|multiple-trigger-resources)\\[.*\\]$",
"^mutate$/^clusterpolicy$/^standard$/^existing$/^(multiple-trigger-resources(deprecated)|mutate-existing-node-status|mutate-pod-on-binding-request|namespaceselector|namespaceselector(deprecated)|preconditions|preconditions(deprecated)|target-context|target-preconditions)\\[.*\\]$",
"^mutate$/^clusterpolicy$/^standard$/^existing$/^onpolicyupdate$/^(basic-create-policy|basic-create-policy(deprecated)|different-configurations-for-mutate-existing|different-mutate-existing-values|namespaceselector|namespaceselector(deprecated))\\[.*\\]$",
"^mutate$/^clusterpolicy$/^standard$/^existing$/^validation$/^(mutate-existing-require-targets|mutate-existing-require-targets(deprecated)|target-variable-validation|target-variable-validation(deprecated))\\[.*\\]$",
"^mutate$/^clusterpolicy$/^standard$/^existing$/^validation$/^auth-check$/^(cpol-namespace-variable|cpol-namespace-variable(deprecated)|cpol-standard-auth-check|cpol-standard-auth-check(deprecated))\\[.*\\]$",
@ -110,8 +104,7 @@
"^mutate$/^refactor$/^simple$/^(remove-multiple-elements-in-ascending-order|remove-multiple-elements-in-descending-order)\\[.*\\]$"
],
"policy-validation": [
"^policy-validation$/^cluster-policy$/^(admission-disabled|all-disabled|assert|background-subresource|background-variables-update|cel-expressions|deprecated-operations|invalid-pod-security-exceptions|invalid-pod-security-rule|invalid-subject-kind|invalid-timeout|invalid-timeout-deprecated)\\[.*\\]$",
"^policy-validation$/^cluster-policy$/^(policy-exceptions-disabled|schema-validation-crd|success|target-context)\\[.*\\]$",
"^policy-validation$/^cluster-policy$/^(admission-disabled|all-disabled|assert|background-subresource|background-variables-update|cel-expressions|deprecated-operations|invalid-pod-security-exceptions|invalid-pod-security-rule|invalid-subject-kind|invalid-timeout|invalid-timeout-deprecated|policy-exceptions-disabled|schema-validation-crd|success|target-context)\\[.*\\]$",
"^policy-validation$/^policy$/^(admission-disabled|all-disabled|assert|background-subresource|invalid-timeout)\\[.*\\]$"
],
"rangeoperators": [
@ -129,9 +122,8 @@
],
"validate": [
"^validate$/^anchors$/^(conditional|conditional-deprecated)\\[.*\\]$",
"^validate$/^clusterpolicy$/^cornercases$/^(apply-on-deletion|apply-on-deletion-deprecated|cel-messages-upon-resource-failure|cel-messages-upon-resource-failure-deprecated|check-message-upon-resource-failure|check-message-upon-resource-failure-deprecated|different-configuration-for-actions|ephemeral-containers|ephemeral-containers-deprecated|external-metrics|external-metrics-deprecated|invalid-jmespath-variable-substitution)\\[.*\\]$",
"^validate$/^clusterpolicy$/^cornercases$/^(invalid-jmespath-variable-substitution-deprecated|psa-run-as-non-root|schema-validation-for-mutateExisting|schema-validation-for-mutateExisting-deprecated|two-rules-with-different-action|validate-pattern-should-fail|validate-pattern-should-fail-deprecated|validate-pattern-should-pass|validate-pattern-should-pass-deprecated|validate-pattern-should-skip|validate-pattern-should-skip-deprecated|variable-substitution-failure-messages)\\[.*\\]$",
"^validate$/^clusterpolicy$/^cornercases$/^(variable-substitution-failure-messages-deprecated)\\[.*\\]$",
"^validate$/^clusterpolicy$/^cornercases$/^(apply-on-deletion|apply-on-deletion-deprecated|cel-messages-upon-resource-failure|cel-messages-upon-resource-failure-deprecated|check-message-upon-resource-failure|check-message-upon-resource-failure-deprecated|different-configuration-for-actions|ephemeral-containers|ephemeral-containers-deprecated|external-metrics|external-metrics-deprecated|invalid-jmespath-variable-substitution|invalid-jmespath-variable-substitution-deprecated|psa-run-as-non-root|schema-validation-for-mutateExisting|schema-validation-for-mutateExisting-deprecated)\\[.*\\]$",
"^validate$/^clusterpolicy$/^cornercases$/^(two-rules-with-different-action|validate-pattern-should-fail|validate-pattern-should-fail-deprecated|validate-pattern-should-pass|validate-pattern-should-pass-deprecated|validate-pattern-should-skip|validate-pattern-should-skip-deprecated|variable-substitution-failure-messages|variable-substitution-failure-messages-deprecated)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^(gvk|gvk-deprecated|subresource|subresource-deprecated)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^apicalls$/^(lazyload|subjectaccessreview)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^apicalls-deprecated$/^(lazyload|subjectaccessreview)\\[.*\\]$",
@ -151,14 +143,13 @@
"^validate$/^clusterpolicy$/^standard$/^enforce-deprecated$/^(api-initiated-pod-eviction|block-pod-exec-requests|bypass-with-policy-exception|csr|enforce-validate-existing|failure-policy-ignore-anchor|ns-selector-with-wildcard-kind|operator-allnotin-01|operator-anyin-boolean|resource-apply-block|scaling-with-kubectl-scale)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^exclude$/^(exclude-namespace|exclude-namespace(deprecated))\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^operations$/^(only-update|only-update(deprecated))\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^psa$/^(concurrent-policy-execution|seccomp-latest-check-no-exclusion|test-deletion-request|test-exclusion-capabilities|test-exclusion-host-namespaces|test-exclusion-host-ports|test-exclusion-hostpath-volume|test-exclusion-hostprocesses|test-exclusion-privilege-escalation|test-exclusion-privileged-containers|test-exclusion-restricted-capabilities|test-exclusion-restricted-seccomp)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^psa$/^(test-exclusion-running-as-nonroot|test-exclusion-running-as-nonroot-user|test-exclusion-seccomp|test-exclusion-selinux|test-exclusion-sysctls|test-exclusion-volume-types)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^psa-deprecated$/^(seccomp-latest-check-no-exclusion|test-deletion-request|test-exclusion-capabilities|test-exclusion-host-namespaces|test-exclusion-host-ports|test-exclusion-hostpath-volume|test-exclusion-hostprocesses|test-exclusion-privilege-escalation|test-exclusion-privileged-containers|test-exclusion-restricted-capabilities|test-exclusion-restricted-seccomp|test-exclusion-running-as-nonroot)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^psa-deprecated$/^(test-exclusion-running-as-nonroot-user|test-exclusion-seccomp|test-exclusion-selinux|test-exclusion-sysctls|test-exclusion-volume-types)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^psa$/^(concurrent-policy-execution|seccomp-latest-check-no-exclusion|test-deletion-request|test-exclusion-capabilities|test-exclusion-host-namespaces|test-exclusion-host-ports|test-exclusion-hostpath-volume|test-exclusion-hostprocesses|test-exclusion-privilege-escalation|test-exclusion-privileged-containers|test-exclusion-restricted-capabilities|test-exclusion-restricted-seccomp|test-exclusion-running-as-nonroot|test-exclusion-running-as-nonroot-user|test-exclusion-seccomp|test-exclusion-selinux)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^psa$/^(test-exclusion-sysctls|test-exclusion-volume-types)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^psa-deprecated$/^(seccomp-latest-check-no-exclusion|test-deletion-request|test-exclusion-capabilities|test-exclusion-host-namespaces|test-exclusion-host-ports|test-exclusion-hostpath-volume|test-exclusion-hostprocesses|test-exclusion-privilege-escalation|test-exclusion-privileged-containers|test-exclusion-restricted-capabilities|test-exclusion-restricted-seccomp|test-exclusion-running-as-nonroot|test-exclusion-running-as-nonroot-user|test-exclusion-seccomp|test-exclusion-selinux|test-exclusion-sysctls)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^psa-deprecated$/^(test-exclusion-volume-types)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^variables$/^lazyload$/^(conditions|conditions-deprecated)\\[.*\\]$",
"^validate$/^clusterpolicy$/^standard$/^wildcard$/^(block-verifyimage|block-verifyimage-deprecated)\\[.*\\]$",
"^validate$/^e2e$/^(adding-key-to-config-map|adding-key-to-config-map-deprecated|global-anchor|global-anchor-deprecated|lowercase-kind-crd|lowercase-kind-crd-deprecated|old-object-exists|old-object-exists-deprecated|trusted-images|trusted-images-deprecated|x509-decode|x509-decode-deprecated)\\[.*\\]$",
"^validate$/^e2e$/^(yaml-signing|yaml-signing-deprecated)\\[.*\\]$"
"^validate$/^e2e$/^(adding-key-to-config-map|adding-key-to-config-map-deprecated|global-anchor|global-anchor-deprecated|lowercase-kind-crd|lowercase-kind-crd-deprecated|old-object-exists|old-object-exists-deprecated|trusted-images|trusted-images-deprecated|x509-decode|x509-decode-deprecated|yaml-signing|yaml-signing-deprecated)\\[.*\\]$"
],
"validating-admission-policy-reports": [
"^validating-admission-policy-reports$/^(events)\\[.*\\]$",
@ -169,16 +160,15 @@
],
"verifyImages": [
"^verifyImages$/^clusterpolicy$/^cornercases$/^(multiple-attestors)\\[.*\\]$",
"^verifyImages$/^clusterpolicy$/^standard$/^(configmap-context-lookup|empty-image|failure-policy-test-noconfigmap-diffimage-success|failure-policy-test-noconfigmap-diffimage-success-deprecated|imageExtractors-complex|imageExtractors-complex-keyless|imageExtractors-none|imageExtractors-simple|keyed-basic|keyed-basic-namespace-selector|keyed-oci11|keyed-secret)\\[.*\\]$",
"^verifyImages$/^clusterpolicy$/^standard$/^(keyed-tsa|keyless-attestation-invalid-attestor|keyless-attestation-regexp|keyless-attestations-multiple-subjects-1|keyless-attestations-multiple-subjects-2|keyless-attestations-multiple-subjects-3|keyless-attestations-multiple-subjects-4|keyless-attestations-multiple-subjects-counts-1|keyless-attestations-multiple-subjects-counts-2|keyless-attestations-multiple-subjects-counts-3|keyless-image-invalid-attestor|keyless-mutatedigest-verifydigest-required)\\[.*\\]$",
"^verifyImages$/^clusterpolicy$/^standard$/^(keyless-nomutatedigest-noverifydigest-norequired|keyless-nomutatedigest-noverifydigest-required|mutateDigest-noverifyDigest-norequired|noconfigmap-diffimage-success|nomutateDigest-verifyDigest-norequired|notary-attestation-verification|notary-image-verification|notary-image-verification-secret-from-policy|rollback-image-verification|sigstore-attestation-verification-regexp|sigstore-attestation-verification-test|sigstore-image-verification-test)\\[.*\\]$",
"^verifyImages$/^clusterpolicy$/^standard$/^(skip-image-reference|update-multi-containers|verify-image-background-audit|verify-image-background-basic|verify-image-background-existing|with-mutation)\\[.*\\]$"
"^verifyImages$/^clusterpolicy$/^standard$/^(configmap-context-lookup|empty-image|failure-policy-test-noconfigmap-diffimage-success|failure-policy-test-noconfigmap-diffimage-success-deprecated|imageExtractors-complex|imageExtractors-complex-keyless|imageExtractors-none|imageExtractors-simple|keyed-basic|keyed-basic-namespace-selector|keyed-oci11|keyed-secret|keyed-tsa|keyless-attestation-invalid-attestor|keyless-attestation-regexp|keyless-attestations-multiple-subjects-1)\\[.*\\]$",
"^verifyImages$/^clusterpolicy$/^standard$/^(keyless-attestations-multiple-subjects-2|keyless-attestations-multiple-subjects-3|keyless-attestations-multiple-subjects-4|keyless-attestations-multiple-subjects-counts-1|keyless-attestations-multiple-subjects-counts-2|keyless-attestations-multiple-subjects-counts-3|keyless-image-invalid-attestor|keyless-mutatedigest-verifydigest-required|keyless-nomutatedigest-noverifydigest-norequired|keyless-nomutatedigest-noverifydigest-required|mutateDigest-noverifyDigest-norequired|noconfigmap-diffimage-success|nomutateDigest-verifyDigest-norequired|notary-attestation-verification|notary-image-verification|notary-image-verification-secret-from-policy)\\[.*\\]$",
"^verifyImages$/^clusterpolicy$/^standard$/^(rollback-image-verification|sigstore-attestation-verification-regexp|sigstore-attestation-verification-test|sigstore-image-verification-test|skip-image-reference|update-multi-containers|verify-image-background-audit|verify-image-background-basic|verify-image-background-existing|with-mutation)\\[.*\\]$"
],
"webhook-configurations": [
"^webhook-configurations$/^(cpol-match-conditions-block|cpol-match-conditions-pass|match-conditions-standard|match-conditions-userinfo|webhook-registeration)\\[.*\\]$"
],
"webhooks": [
"^webhooks$/^(all-scale|clusterpolicy|double-wildcard|dyn-op-mutate|dyn-op-mutate-multiple|dyn-op-validate|dyn-op-validate-and-mutate|dyn-op-validate-multiple|expected-webhooks|only-pod|pod-all-subresources|pod-exec-subresource)\\[.*\\]$",
"^webhooks$/^(policy|policy-clusterpolicy-different-resource-group|policy-clusterpolicy-namespaced-clusterscoped-resources|policy-clusterpolicy-namespaced-resources|policy-clusterpolicy-same-resource|policy-clusterpolicy-wildcard-resource|policy-clusterscope-resource|policy-different-resource-group|policy-wildcard-resource|scale|unknown-kind)\\[.*\\]$"
"^webhooks$/^(all-scale|clusterpolicy|double-wildcard|dyn-op-mutate|dyn-op-mutate-multiple|dyn-op-validate|dyn-op-validate-and-mutate|dyn-op-validate-multiple|expected-webhooks|only-pod|pod-all-subresources|pod-exec-subresource|policy|policy-clusterpolicy-different-resource-group|policy-clusterpolicy-namespaced-clusterscoped-resources|policy-clusterpolicy-namespaced-resources)\\[.*\\]$",
"^webhooks$/^(policy-clusterpolicy-same-resource|policy-clusterpolicy-wildcard-resource|policy-clusterscope-resource|policy-different-resource-group|policy-wildcard-resource|scale|unknown-kind)\\[.*\\]$"
]
}