From 9f108b11cd6c1788a1d4a589d826b2fa55bf1679 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 1 Sep 2023 17:50:11 +0200 Subject: [PATCH] feat: add fix test cli command (#8213) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Charles-Edouard Brétéché --- .../docs/{docs.go => command.go} | 0 cmd/cli/kubectl-kyverno/fix/command.go | 21 ++ cmd/cli/kubectl-kyverno/fix/test/command.go | 95 +++++++++ cmd/cli/kubectl-kyverno/fix/test/load.go | 61 ++++++ cmd/cli/kubectl-kyverno/main.go | 6 +- cmd/cli/kubectl-kyverno/test/api/types.go | 26 +-- docs/user/cli/kyverno.md | 1 + docs/user/cli/kyverno_fix.md | 37 ++++ docs/user/cli/kyverno_fix_test.md | 38 ++++ test/cli/registry/kyverno-test.yaml | 37 ++-- .../kyverno-test.yaml | 17 +- .../kyverno-test.yaml | 17 +- .../kyverno-test.yaml | 15 +- .../kyverno-test.yaml | 15 +- .../kyverno-test.yaml | 26 +-- .../kyverno-test.yaml | 15 +- .../kyverno-test.yaml | 13 +- .../kyverno-test.yaml | 15 +- .../test-fail/invalid-ns/kyverno-test.yaml | 15 +- .../missing-policy/kyverno-test.yaml | 15 +- .../missing-resource/kyverno-test.yaml | 15 +- .../test-fail/missing-rule/kyverno-test.yaml | 15 +- .../add-network-policy/kyverno-test.yaml | 17 +- .../test-generate/add-quota/kyverno-test.yaml | 30 +-- .../create-default-pdb/kyverno-test.yaml | 19 +- .../multiple-resources/kyverno-test.yaml | 30 +-- .../sync-secrets/kyverno-test.yaml | 19 +- .../foreach/addIfNotPresent/kyverno-test.yaml | 25 +-- .../foreach/cumulativePatch/kyverno-test.yaml | 17 +- .../cli/test-mutate/foreach/kyverno-test.yaml | 32 +-- .../foreach/replaceRegistry/kyverno-test.yaml | 25 +-- .../global-anchor/kyverno-test.yaml | 52 ++--- test/cli/test-mutate/kyverno-test.yaml | 185 ++++++++++-------- .../patched-resource/kyverno-test.yaml | 23 ++- .../admission_user_info/kyverno-test.yaml | 73 +++---- .../test/any-all-wildcard/kyverno-test.yaml | 43 ++-- .../any-namespaceSelector/kyverno-test.yaml | 20 +- .../anypattern_skip_error/kyverno-test.yaml | 48 ++--- test/cli/test/autogen/kyverno-test.yaml | 74 ++++--- .../test/container_reorder/kyverno-test.yaml | 34 ++-- .../test/context-entries/kyverno-test.yaml | 125 ++++++------ .../test/context-foreach/kyverno-test.yaml | 22 ++- 
.../test/custom-functions/kyverno-test.yaml | 137 +++++++------ .../default_value_to_create/kyverno-test.yaml | 26 +-- .../cli/test/depecated_apis/kyverno-test.yaml | 26 +-- .../test/exec-subresource/kyverno-test.yaml | 54 ++--- .../foreach-preconditions/kyverno-test.yaml | 26 +-- test/cli/test/foreach/kyverno-test.yaml | 114 ++++++----- test/cli/test/images/digest/kyverno-test.yaml | 30 +-- .../images/secure-images/kyverno-test.yaml | 23 +-- .../test/images/signatures/kyverno-test.yaml | 34 ++-- .../images/verify-signature/kyverno-test.yaml | 56 +++--- .../test/jmespath-brackets/kyverno-test.yaml | 70 ++++--- .../limit-configmap-for-sa/kyverno-test.yaml | 32 +-- .../verify-signature/kyverno-test.yaml | 37 ++-- test/cli/test/mixed/kyverno-test.yaml | 60 +++--- .../multiple_condition_keys/kyverno-test.yaml | 27 +-- .../kyverno-test.yaml | 26 +-- .../limit-duration/kyverno-test.yaml | 26 +-- test/cli/test/node-status/kyverno-test.yaml | 13 +- .../test/owner_references/kyverno-test.yaml | 25 +-- .../kyverno-test.yaml | 22 ++- test/cli/test/preconditions/kyverno-test.yaml | 26 +-- .../restrict_ingress_host/kyverno-test.yaml | 50 ++--- .../test/scale-subresource/kyverno-test.yaml | 19 +- test/cli/test/secret/kyverno-test.yaml | 30 +-- test/cli/test/simple/kyverno-test.yaml | 181 +++++++++-------- .../kyverno-test.yaml | 15 +- test/cli/test/variables/kyverno-test.yaml | 159 ++++++++------- .../kyverno-test.yaml | 59 +++--- .../test/wildcard_mutate/kyverno-test.yaml | 30 +-- 71 files changed, 1644 insertions(+), 1217 deletions(-) rename cmd/cli/kubectl-kyverno/docs/{docs.go => command.go} (100%) create mode 100644 cmd/cli/kubectl-kyverno/fix/command.go create mode 100644 cmd/cli/kubectl-kyverno/fix/test/command.go create mode 100644 cmd/cli/kubectl-kyverno/fix/test/load.go create mode 100644 docs/user/cli/kyverno_fix.md create mode 100644 docs/user/cli/kyverno_fix_test.md 
diff --git a/cmd/cli/kubectl-kyverno/docs/docs.go b/cmd/cli/kubectl-kyverno/docs/command.go
similarity index 100%
rename from cmd/cli/kubectl-kyverno/docs/docs.go
rename to cmd/cli/kubectl-kyverno/docs/command.go
diff --git a/cmd/cli/kubectl-kyverno/fix/command.go b/cmd/cli/kubectl-kyverno/fix/command.go
new file mode 100644
index 0000000000..c0aafcecaf
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/fix/command.go
@@ -0,0 +1,21 @@
+package fix
+
+import (
+ "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/fix/test"
+ "github.com/spf13/cobra"
+)
+
+func Command() *cobra.Command {
+ cmd := &cobra.Command{
+ Use: "fix",
+ Short: "Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.",
+ Example: "",
+ RunE: func(cmd *cobra.Command, args []string) error {
+ return cmd.Help()
+ },
+ }
+ cmd.AddCommand(
+ test.Command(),
+ )
+ return cmd
+}
diff --git a/cmd/cli/kubectl-kyverno/fix/test/command.go b/cmd/cli/kubectl-kyverno/fix/test/command.go
new file mode 100644
index 0000000000..8be247d55b
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/fix/test/command.go
@@ -0,0 +1,95 @@
+package test
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+
+ "github.com/spf13/cobra"
+ "sigs.k8s.io/yaml"
+)
+
+func Command() *cobra.Command {
+ var fileName string
+ var save bool
+ cmd := &cobra.Command{
+ Use: "test",
+ Short: "Fix inconsistencies and deprecated usage in Kyverno test files.",
+ Example: "",
+ RunE: func(cmd *cobra.Command, args []string) error {
+ var testCases []testCase
+ for _, arg := range args {
+ tests, err := loadTests(arg, fileName)
+ if err != nil {
+ return err
+ }
+ testCases = append(testCases, tests...)
+ }
+ for _, testCase := range testCases {
+ fmt.Printf("Processing test file (%s)...", testCase.path)
+ fmt.Println()
+ if testCase.err != nil {
+ fmt.Printf(" ERROR: loading test file (%s): %s", testCase.path, testCase.err)
+ fmt.Println()
+ continue
+ }
+ test := testCase.test
+ needsSave := false
+ if test.Name == "" {
+ fmt.Println(" WARNING: name is not set")
+ test.Name = filepath.Base(testCase.path)
+ needsSave = true
+ }
+ if len(test.Policies) == 0 {
+ fmt.Println(" WARNING: test has no policies")
+ }
+ if len(test.Resources) == 0 {
+ fmt.Println(" WARNING: test has no policies")
+ }
+ for i := range test.Results {
+ result := &test.Results[i]
+ if result.Resource != "" && len(result.Resources) != 0 {
+ fmt.Println(" WARNING: test result should not use both `resource` and `resources` fields")
+ }
+ if result.Resource != "" {
+ fmt.Println(" WARNING: test result uses deprecated `resource` field, moving it into the `resources` field")
+ result.Resources = append(result.Resources, result.Resource)
+ result.Resource = ""
+ needsSave = true
+ }
+ if result.Status != "" && result.Result != "" {
+ fmt.Println(" ERROR: test result should not use both `status` and `result` fields")
+ }
+ if result.Status != "" && result.Result == "" {
+ fmt.Println(" WARNING: test result uses deprecated `status` field, moving it into the `result` field")
+ result.Result = result.Status
+ result.Status = ""
+ needsSave = true
+ }
+ }
+ if save && needsSave {
+ fmt.Printf(" Saving test file (%s)...", testCase.path)
+ fmt.Println()
+ yamlBytes, err := yaml.Marshal(test)
+ if err != nil {
+ fmt.Printf(" ERROR: converting test to yaml: %s", err)
+ fmt.Println()
+ continue
+ }
+ if err := os.WriteFile(testCase.path, yamlBytes, os.ModePerm); err != nil {
+ fmt.Printf(" ERROR: saving test file (%s): %s", testCase.path, err)
+ fmt.Println()
+ continue
+ }
+ fmt.Println(" OK")
+ }
+ fmt.Println()
+ }
+ fmt.Println("Done.")
+ return nil
+ },
+ }
+ cmd.Flags().StringVarP(&fileName, "file-name", "f", "kyverno-test.yaml", "Test filename")
+ cmd.Flags().BoolVar(&save, "save", false, "Save fixed file")
+ return cmd
+}
diff --git a/cmd/cli/kubectl-kyverno/fix/test/load.go b/cmd/cli/kubectl-kyverno/fix/test/load.go
new file mode 100644
index 0000000000..49a0521463
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/fix/test/load.go
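Review bot: In fix/test/command.go the save path calls `os.WriteFile(testCase.path, yamlBytes, os.ModePerm)`, which requests mode 0777 for any file it has to create; a regenerated test file has no reason to be executable or world-writable, so pass an explicit mode such as `0o644` (gosec reports this pattern as G306). The write also truncates the file in place, so a failure part-way through leaves the original test file damaged. Separately, the `len(test.Resources) == 0` branch prints `WARNING: test has no policies`, where it should read `WARNING: test has no resources`. Load and save errors are only printed and `RunE` still returns nil, so a caller in CI cannot tell a failed run from a clean one.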
@@ -0,0 +1,61 @@
+package test
+
+import (
+ "os"
+ "path/filepath"
+
+ "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test/api"
+ "k8s.io/apimachinery/pkg/util/yaml"
+)
+
+type testCase struct {
+ path string
+ test *api.Test
+ err error
+}
+
+func loadTests(dirPath string, fileName string) ([]testCase, error) {
+ return loadLocalTest(filepath.Clean(dirPath), fileName)
+}
+
+func loadLocalTest(path string, fileName string) ([]testCase, error) {
+ var tests []testCase
+ files, err := os.ReadDir(path)
+ if err != nil {
+ return nil, err
+ }
+ for _, file := range files {
+ if file.IsDir() {
+ ps, err := loadLocalTest(filepath.Join(path, file.Name()), fileName)
+ if err != nil {
+ return nil, err
+ }
+ tests = append(tests, ps...)
+ } else if file.Name() == fileName {
+ tests = append(tests, loadTest(path, file.Name()))
+ }
+ }
+ return tests, nil
+}
+
+func loadTest(dirPath string, fileName string) testCase {
+ path := filepath.Join(dirPath, fileName)
+ yamlBytes, err := os.ReadFile(path) // #nosec G304
+ if err != nil {
+ return testCase{
+ path: path,
+ err: err,
+ }
+ }
+ var test api.Test
+ if err := yaml.UnmarshalStrict(yamlBytes, &test); err != nil {
+ return testCase{
+ path: path,
+ err: err,
+ }
+ }
+ return testCase{
+ path: path,
+ test: &test,
+ }
+}
diff --git a/cmd/cli/kubectl-kyverno/main.go b/cmd/cli/kubectl-kyverno/main.go
index c3a2fea280..2d7ba8b3f2 100644
--- a/cmd/cli/kubectl-kyverno/main.go
+++ b/cmd/cli/kubectl-kyverno/main.go
@@ -9,6 +9,7 @@ import (
 "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apply"
 "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/create"
 "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/docs"
+ "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/fix"
 "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/jp"
 "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/oci"
 "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test"
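Review bot: In fix/test/load.go, `loadLocalTest` accepts any directory entry whose name equals `fileName`, including a symlink, and `os.ReadFile` follows it. With `--save`, the command in fix/test/command.go writes back through the same path, so a link inside the scanned tree may lead to a file outside it being rewritten, provided that file parses as a test. Requiring a regular file closes this: `} else if file.Name() == fileName && file.Type().IsRegular() {`. The `// #nosec G304` suppression on the read should carry a short reason, for example `// #nosec G304 -- path is built from a directory entry under the user-supplied root`. A `ReadDir` error in any subdirectory also aborts the whole walk, while per-file errors are collected in `testCase.err`; the two should probably behave the same way.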
@@ -58,6 +59,9 @@ func registerCommands(cli *cobra.Command) { version.Command(), ) if enableExperimental() { - cli.AddCommand(oci.Command()) + cli.AddCommand( + fix.Command(), + oci.Command(), + ) } } diff --git a/cmd/cli/kubectl-kyverno/test/api/types.go b/cmd/cli/kubectl-kyverno/test/api/types.go index 3c229a2396..e343f2a823 100644 --- a/cmd/cli/kubectl-kyverno/test/api/types.go +++ b/cmd/cli/kubectl-kyverno/test/api/types.go @@ -10,10 +10,10 @@ type Test struct { Name string `json:"name"` Policies []string `json:"policies"` Resources []string `json:"resources"` - Variables string `json:"variables"` - UserInfo string `json:"userinfo"` + Variables string `json:"variables,omitempty"` + UserInfo string `json:"userinfo,omitempty"` Results []TestResults `json:"results"` - Values *Values `json:"values"` + Values *Values `json:"values,omitempty"` } type TestResults struct { 
@@ -26,33 +26,33 @@ type TestResults struct { // IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy. // It's required in case policy is a validating admission policy. // +optional - IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy"` + IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy,omitempty"` // Result mentions the result that the user is expecting. // Possible values are pass, fail and skip. Result policyreportv1alpha2.PolicyResult `json:"result"` // Status mentions the status that the user is expecting. // Possible values are pass, fail and skip. - Status policyreportv1alpha2.PolicyResult `json:"status"` + Status policyreportv1alpha2.PolicyResult `json:"status,omitempty"` // Resource mentions the name of the resource on which the policy is to be applied. - Resource string `json:"resource"` + Resource string `json:"resource,omitempty"` // Resources gives us the list of resources on which the policy is going to be applied. Resources []string `json:"resources"` // Kind mentions the kind of the resource on which the policy is to be applied. Kind string `json:"kind"` // Namespace mentions the namespace of the policy which has namespace scope. - Namespace string `json:"namespace"` + Namespace string `json:"namespace,omitempty"` // PatchedResource takes a resource configuration file in yaml format from // the user to compare it against the Kyverno mutated resource configuration. - PatchedResource string `json:"patchedResource"` - // AutoGeneratedRule is internally set by the CLI command. It takes values either - // autogen or autogen-cronjob. - AutoGeneratedRule string `json:"auto_generated_rule"` + PatchedResource string `json:"patchedResource,omitempty"` // GeneratedResource takes a resource configuration file in yaml format from // the user to compare it against the Kyverno generated resource configuration. 
- GeneratedResource string `json:"generatedResource"` + GeneratedResource string `json:"generatedResource,omitempty"` // CloneSourceResource takes the resource configuration file in yaml format // from the user which is meant to be cloned by the generate rule. - CloneSourceResource string `json:"cloneSourceResource"` + CloneSourceResource string `json:"cloneSourceResource,omitempty"` + // AutoGeneratedRule is internally set by the CLI command. It takes values either + // autogen or autogen-cronjob. + AutoGeneratedRule string `json:"auto_generated_rule,omitempty"` } type ReportResult struct { diff --git a/docs/user/cli/kyverno.md b/docs/user/cli/kyverno.md index d1d9c3f18a..7e2cd0c8b7 100644 --- a/docs/user/cli/kyverno.md +++ b/docs/user/cli/kyverno.md @@ -31,6 +31,7 @@ To enable experimental commands, KYVERNO_EXPERIMENTAL should be configured with * [kyverno completion](kyverno_completion.md) - Generate the autocompletion script for the specified shell * [kyverno create](kyverno_create.md) - Provides a command-line interface to help with the creation of various Kyverno resources. * [kyverno docs](kyverno_docs.md) - Generates documentation. +* [kyverno fix](kyverno_fix.md) - Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources. * [kyverno jp](kyverno_jp.md) - Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions. * [kyverno oci](kyverno_oci.md) - Pulls/pushes images that include policie(s) from/to OCI registries. * [kyverno test](kyverno_test.md) - Run tests from directory. diff --git a/docs/user/cli/kyverno_fix.md b/docs/user/cli/kyverno_fix.md new file mode 100644 index 0000000000..74c904f570 --- /dev/null +++ b/docs/user/cli/kyverno_fix.md 
@@ -0,0 +1,37 @@ +## kyverno fix + +Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources. + +``` +kyverno fix [flags] +``` + +### Options + +``` + -h, --help help for fix +``` + +### Options inherited from parent commands + +``` + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files (no effect when -logtostderr=true) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true) + --log_file string If non-empty, use this log file (no effect when -logtostderr=true) + --log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true) + --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` + +### SEE ALSO + +* [kyverno](kyverno.md) - Kubernetes Native Policy Management +* [kyverno fix test](kyverno_fix_test.md) - Fix inconsistencies and deprecated usage in Kyverno test files. + diff --git a/docs/user/cli/kyverno_fix_test.md b/docs/user/cli/kyverno_fix_test.md new file mode 100644 index 0000000000..7697baf16a 
--- /dev/null +++ b/docs/user/cli/kyverno_fix_test.md @@ -0,0 +1,38 @@ +## kyverno fix test + +Fix inconsistencies and deprecated usage in Kyverno test files. + +``` +kyverno fix test [flags] +``` + +### Options + +``` + -f, --file-name string Test filename (default "kyverno-test.yaml") + -h, --help help for test + --save Save fixed file +``` + +### Options inherited from parent commands + +``` + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files (no effect when -logtostderr=true) + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true) + --log_file string If non-empty, use this log file (no effect when -logtostderr=true) + --log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true) + --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` + +### SEE ALSO + +* [kyverno fix](kyverno_fix.md) - Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources. + 
diff --git a/test/cli/registry/kyverno-test.yaml b/test/cli/registry/kyverno-test.yaml index 5e43763c7e..6183db6114 100644 --- a/test/cli/registry/kyverno-test.yaml +++ b/test/cli/registry/kyverno-test.yaml @@ -1,21 +1,24 @@ name: test-registry policies: - - image-example.yaml +- image-example.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: images - rule: only-allow-trusted-images - resource: test-pod-with-non-root-user-image - kind: Pod - status: pass - - policy: images - rule: only-allow-trusted-images - resource: test-pod-with-trusted-registry - kind: Pod - status: pass - - policy: check-image-base - rule: check-image-base-rule - resource: test-pod-with-trusted-registry - kind: Pod - status: pass +- kind: Pod + policy: images + resources: + - test-pod-with-non-root-user-image + result: pass + rule: only-allow-trusted-images +- kind: Pod + policy: images + resources: + - test-pod-with-trusted-registry + result: pass + rule: only-allow-trusted-images +- kind: Pod + policy: check-image-base + resources: + - test-pod-with-trusted-registry + result: pass + rule: check-image-base-rule diff --git a/test/cli/scenarios_to_cli/other/scenario_mutate_endpoint/kyverno-test.yaml b/test/cli/scenarios_to_cli/other/scenario_mutate_endpoint/kyverno-test.yaml index 8cbe45badc..309bbe1ed3 100644 --- a/test/cli/scenarios_to_cli/other/scenario_mutate_endpoint/kyverno-test.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_mutate_endpoint/kyverno-test.yaml @@ -1,12 +1,13 @@ name: policy-endpoints policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: policy-endpoints - rule: pEP - resource: test-endpoint - patchedresource: patchedresource.yaml - kind: Endpoints - result: pass +- kind: Endpoints + patchedResource: patchedresource.yaml + policy: policy-endpoints + resources: + - test-endpoint + result: pass + rule: pEP 
diff --git a/test/cli/scenarios_to_cli/other/scenario_mutate_pod_spec/kyverno-test.yaml b/test/cli/scenarios_to_cli/other/scenario_mutate_pod_spec/kyverno-test.yaml index 71dcfbfff3..37d2efe2c2 100644 --- a/test/cli/scenarios_to_cli/other/scenario_mutate_pod_spec/kyverno-test.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_mutate_pod_spec/kyverno-test.yaml @@ -1,12 +1,13 @@ name: mutate-pods-spec policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: mutate-pods-spec - rule: disable-servicelink-and-token - resource: nginx-deployment - patchedresource: patchedresource.yaml - kind: Deployment - result: pass +- kind: Deployment + patchedResource: patchedresource.yaml + policy: mutate-pods-spec + resources: + - nginx-deployment + result: pass + rule: disable-servicelink-and-token diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/kyverno-test.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/kyverno-test.yaml index 6489456141..1f2a5b0a77 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/kyverno-test.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/kyverno-test.yaml @@ -1,11 +1,12 @@ name: validate-default-proc-mount policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: validate-default-proc-mount - rule: validate-default-proc-mount - resource: nginx-proc-mount - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: validate-default-proc-mount + resources: + - nginx-proc-mount + result: pass + rule: validate-default-proc-mount diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_disallow_default_serviceaccount/kyverno-test.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_disallow_default_serviceaccount/kyverno-test.yaml index 220fd5443e..becc5887bf 100644 
--- a/test/cli/scenarios_to_cli/other/scenario_validate_disallow_default_serviceaccount/kyverno-test.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_disallow_default_serviceaccount/kyverno-test.yaml @@ -1,11 +1,12 @@ name: validate-disallow-default-serviceaccount policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: validate-disallow-default-serviceaccount - rule: prevent-mounting-default-serviceaccount - resource: pod-with-default-sa - kind: Pod - result: fail \ No newline at end of file +- kind: Pod + policy: validate-disallow-default-serviceaccount + resources: + - pod-with-default-sa + result: fail + rule: prevent-mounting-default-serviceaccount diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_healthChecks/kyverno-test.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_healthChecks/kyverno-test.yaml index 7b7d2ee1a2..d61666210c 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_healthChecks/kyverno-test.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_healthChecks/kyverno-test.yaml @@ -1,16 +1,18 @@ name: check-probe-exists policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: check-probe-exists - rule: check-readinessProbe-exists - resource: probe - kind: Pod - result: pass - - policy: check-probe-exists - rule: check-livenessProbe-exists - resource: probe - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: check-probe-exists + resources: + - probe + result: pass + rule: check-readinessProbe-exists +- kind: Pod + policy: check-probe-exists + resources: + - probe + result: pass + rule: check-livenessProbe-exists diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/kyverno-test.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/kyverno-test.yaml index b03c3de4ca..c33da72c4e 100644 
--- a/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/kyverno-test.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/kyverno-test.yaml @@ -1,11 +1,12 @@ name: validate-selinux-options policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: validate-selinux-options - rule: validate-selinux-options - resource: busybox-selinux - kind: Pod - result: fail \ No newline at end of file +- kind: Pod + policy: validate-selinux-options + resources: + - busybox-selinux + result: fail + rule: validate-selinux-options diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/kyverno-test.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/kyverno-test.yaml index d15f46d3cd..99640d28d2 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/kyverno-test.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/kyverno-test.yaml @@ -1,11 +1,12 @@ name: validate-volumes-whitelist policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: -- policy: validate-volumes-whitelist - rule: validate-volumes-whitelist - resource: test-volumes - kind: Pod +- kind: Pod + policy: validate-volumes-whitelist + resources: + - test-volumes result: pass + rule: validate-volumes-whitelist diff --git a/test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/kyverno-test.yaml b/test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/kyverno-test.yaml index 4c4adc26dd..cbc70c23bb 100644 --- a/test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/kyverno-test.yaml +++ b/test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/kyverno-test.yaml 
@@ -1,11 +1,12 @@ name: restrict-ingress-classes policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: restrict-ingress-classes - rule: validate-ingress - resource: test-ingress - kind: Ingress - result: pass \ No newline at end of file +- kind: Ingress + policy: restrict-ingress-classes + resources: + - test-ingress + result: pass + rule: validate-ingress diff --git a/test/cli/test-fail/invalid-ns/kyverno-test.yaml b/test/cli/test-fail/invalid-ns/kyverno-test.yaml index d27f490f8e..3344744b86 100644 --- a/test/cli/test-fail/invalid-ns/kyverno-test.yaml +++ b/test/cli/test-fail/invalid-ns/kyverno-test.yaml @@ -1,11 +1,12 @@ name: test-exclude policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: restrict-labels - rule: restrict-labels - resource: kyverno-system-tst - kind: Namespace - result: fail +- kind: Namespace + policy: restrict-labels + resources: + - kyverno-system-tst + result: fail + rule: restrict-labels diff --git a/test/cli/test-fail/missing-policy/kyverno-test.yaml b/test/cli/test-fail/missing-policy/kyverno-test.yaml index 3341796829..a58aff57fb 100644 --- a/test/cli/test-fail/missing-policy/kyverno-test.yaml +++ b/test/cli/test-fail/missing-policy/kyverno-test.yaml @@ -1,11 +1,12 @@ name: test-simple policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: missing - rule: validate-image-tag - resource: test - kind: Pod - result: pass +- kind: Pod + policy: missing + resources: + - test + result: pass + rule: validate-image-tag diff --git a/test/cli/test-fail/missing-resource/kyverno-test.yaml b/test/cli/test-fail/missing-resource/kyverno-test.yaml index 3b4eb9ce3f..cf34d16c02 100644 --- a/test/cli/test-fail/missing-resource/kyverno-test.yaml +++ b/test/cli/test-fail/missing-resource/kyverno-test.yaml 
@@ -1,11 +1,12 @@ name: test-simple policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: disallow-latest-tag - rule: validate-image-tag - resource: missing - kind: Pod - result: pass +- kind: Pod + policy: disallow-latest-tag + resources: + - missing + result: pass + rule: validate-image-tag diff --git a/test/cli/test-fail/missing-rule/kyverno-test.yaml b/test/cli/test-fail/missing-rule/kyverno-test.yaml index c2bea69460..02bdcfc1b6 100644 --- a/test/cli/test-fail/missing-rule/kyverno-test.yaml +++ b/test/cli/test-fail/missing-rule/kyverno-test.yaml @@ -1,11 +1,12 @@ name: test-simple policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: disallow-latest-tag - rule: missing - resource: test - kind: Pod - status: pass +- kind: Pod + policy: disallow-latest-tag + resources: + - test + result: pass + rule: missing diff --git a/test/cli/test-generate/add-network-policy/kyverno-test.yaml b/test/cli/test-generate/add-network-policy/kyverno-test.yaml index ce51c9721e..5d8ad778cf 100644 --- a/test/cli/test-generate/add-network-policy/kyverno-test.yaml +++ b/test/cli/test-generate/add-network-policy/kyverno-test.yaml @@ -1,12 +1,13 @@ name: deny-all-traffic policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-networkpolicy - rule: default-deny - resource: hello-world-namespace - generatedResource: generatedResource.yaml - kind: Namespace - result: pass \ No newline at end of file +- generatedResource: generatedResource.yaml + kind: Namespace + policy: add-networkpolicy + resources: + - hello-world-namespace + result: pass + rule: default-deny diff --git a/test/cli/test-generate/add-quota/kyverno-test.yaml b/test/cli/test-generate/add-quota/kyverno-test.yaml index 24a7706928..09dae29d82 100644 --- a/test/cli/test-generate/add-quota/kyverno-test.yaml +++ b/test/cli/test-generate/add-quota/kyverno-test.yaml 
@@ -1,18 +1,20 @@ name: add-quota policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-ns-quota - rule: generate-resourcequota - resource: hello-world-namespace - generatedResource: generatedResourceQuota.yaml - kind: Namespace - result: pass - - policy: add-ns-quota - rule: generate-limitrange - resource: hello-world-namespace - generatedResource: generatedLimitRange.yaml - kind: Namespace - result: pass +- generatedResource: generatedResourceQuota.yaml + kind: Namespace + policy: add-ns-quota + resources: + - hello-world-namespace + result: pass + rule: generate-resourcequota +- generatedResource: generatedLimitRange.yaml + kind: Namespace + policy: add-ns-quota + resources: + - hello-world-namespace + result: pass + rule: generate-limitrange diff --git a/test/cli/test-generate/create-default-pdb/kyverno-test.yaml b/test/cli/test-generate/create-default-pdb/kyverno-test.yaml index 035e70bde0..6866bb05e6 100644 --- a/test/cli/test-generate/create-default-pdb/kyverno-test.yaml +++ b/test/cli/test-generate/create-default-pdb/kyverno-test.yaml @@ -1,13 +1,14 @@ name: pdb-test policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: create-default-pdb - rule: create-default-pdb - resource: nginx-deployment - generatedResource: generatedResource.yaml - kind: Deployment - result: pass - namespace: hello-world \ No newline at end of file +- generatedResource: generatedResource.yaml + kind: Deployment + namespace: hello-world + policy: create-default-pdb + resources: + - nginx-deployment + result: pass + rule: create-default-pdb diff --git a/test/cli/test-generate/multiple-resources/kyverno-test.yaml b/test/cli/test-generate/multiple-resources/kyverno-test.yaml index 75f928bb84..b9433de851 100644 --- a/test/cli/test-generate/multiple-resources/kyverno-test.yaml +++ b/test/cli/test-generate/multiple-resources/kyverno-test.yaml 
@@ -1,18 +1,20 @@ name: multiple-resources policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: test-policy - rule: rule - resource: resource-a - generatedResource: generated-resource-1.yaml - kind: Deployment - result: pass - - policy: test-policy - rule: rule - resource: resource-b - generatedResource: generated-resource-2.yaml - kind: Deployment - result: pass \ No newline at end of file +- generatedResource: generated-resource-1.yaml + kind: Deployment + policy: test-policy + resources: + - resource-a + result: pass + rule: rule +- generatedResource: generated-resource-2.yaml + kind: Deployment + policy: test-policy + resources: + - resource-b + result: pass + rule: rule diff --git a/test/cli/test-generate/sync-secrets/kyverno-test.yaml b/test/cli/test-generate/sync-secrets/kyverno-test.yaml index d1f42e1588..e446659e5f 100644 --- a/test/cli/test-generate/sync-secrets/kyverno-test.yaml +++ b/test/cli/test-generate/sync-secrets/kyverno-test.yaml @@ -1,13 +1,14 @@ name: sync-secrets policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: sync-secrets - rule: sync-image-pull-secret - resource: hello-world-namespace - generatedResource: generatedResource.yaml - cloneSourceResource: cloneSourceResource.yaml - kind: Namespace - result: pass \ No newline at end of file +- cloneSourceResource: cloneSourceResource.yaml + generatedResource: generatedResource.yaml + kind: Namespace + policy: sync-secrets + resources: + - hello-world-namespace + result: pass + rule: sync-image-pull-secret diff --git a/test/cli/test-mutate/foreach/addIfNotPresent/kyverno-test.yaml b/test/cli/test-mutate/foreach/addIfNotPresent/kyverno-test.yaml index d978d9c1ac..34eb10fbe1 100644 --- a/test/cli/test-mutate/foreach/addIfNotPresent/kyverno-test.yaml +++ b/test/cli/test-mutate/foreach/addIfNotPresent/kyverno-test.yaml 
@@ -1,12 +1,13 @@ -name: foreach-mutate -policies: - - policies.yaml -resources: - - resources.yaml -results: - - policy: mutate-emptydir - rule: setDefault - resource: svc-sizelimit-test - patchedResource: deploy-patched.yaml - kind: Deployment - result: pass +name: foreach-mutate +policies: +- policies.yaml +resources: +- resources.yaml +results: +- kind: Deployment + patchedResource: deploy-patched.yaml + policy: mutate-emptydir + resources: + - svc-sizelimit-test + result: pass + rule: setDefault diff --git a/test/cli/test-mutate/foreach/cumulativePatch/kyverno-test.yaml b/test/cli/test-mutate/foreach/cumulativePatch/kyverno-test.yaml index eba15a7eba..f71ae280b5 100644 --- a/test/cli/test-mutate/foreach/cumulativePatch/kyverno-test.yaml +++ b/test/cli/test-mutate/foreach/cumulativePatch/kyverno-test.yaml @@ -1,12 +1,13 @@ name: foreach-mutate policies: - - policies.yaml +- policies.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: add-default-resources - rule: add-default-requests - resource: badpod - patchedResource: patched.yaml - kind: Pod - result: pass +- kind: Pod + patchedResource: patched.yaml + policy: add-default-resources + resources: + - badpod + result: pass + rule: add-default-requests diff --git a/test/cli/test-mutate/foreach/kyverno-test.yaml b/test/cli/test-mutate/foreach/kyverno-test.yaml index a48ed44e5c..bb9fb21df5 100644 --- a/test/cli/test-mutate/foreach/kyverno-test.yaml +++ b/test/cli/test-mutate/foreach/kyverno-test.yaml 
@@ -1,19 +1,21 @@ name: foreach-mutate policies: - - policies.yaml +- policies.yaml resources: - - resources.yaml -variables: values.yaml +- resources.yaml results: - - policy: foreach-json-patch - rule: add-security-context - resource: nginx - patchedResource: patched-resource.yaml - kind: Pod - result: pass - - policy: mutate-images - rule: test - resource: mypod - patchedResource: pod-updated-image.yaml - kind: Pod - result: pass +- kind: Pod + patchedResource: patched-resource.yaml + policy: foreach-json-patch + resources: + - nginx + result: pass + rule: add-security-context +- kind: Pod + patchedResource: pod-updated-image.yaml + policy: mutate-images + resources: + - mypod + result: pass + rule: test +variables: values.yaml diff --git a/test/cli/test-mutate/foreach/replaceRegistry/kyverno-test.yaml b/test/cli/test-mutate/foreach/replaceRegistry/kyverno-test.yaml index 5f29762602..505772e098 100644 --- a/test/cli/test-mutate/foreach/replaceRegistry/kyverno-test.yaml +++ b/test/cli/test-mutate/foreach/replaceRegistry/kyverno-test.yaml @@ -1,12 +1,13 @@ -name: foreach-mutate -policies: - - policies.yaml -resources: - - resources.yaml -results: - - policy: replace-image-registry-containers - rule: set-default - resource: test-patched-image - patchedResource: pod-patched.yaml - kind: Pod - result: pass +name: foreach-mutate +policies: +- policies.yaml +resources: +- resources.yaml +results: +- kind: Pod + patchedResource: pod-patched.yaml + policy: replace-image-registry-containers + resources: + - test-patched-image + result: pass + rule: set-default diff --git a/test/cli/test-mutate/global-anchor/kyverno-test.yaml b/test/cli/test-mutate/global-anchor/kyverno-test.yaml index 923fcc8613..a8a4e1389f 100644 --- a/test/cli/test-mutate/global-anchor/kyverno-test.yaml +++ b/test/cli/test-mutate/global-anchor/kyverno-test.yaml 
@@ -1,28 +1,32 @@ name: validate-service-loadbalancer policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: add-safe-to-evict - rule: annotate-empty-dir - resource: pod-without-emptydir-hostpath - kind: Pod - result: skip - - policy: add-safe-to-evict - rule: annotate-empty-dir - resource: pod-with-emptydir-hostpath - patchedResource: patchedResource.yaml - kind: Pod - result: pass - - policy: add-safe-to-evict - rule: annotate-empty-dir - resource: pod-with-emptydir-hostpath-1 - patchedResource: patchedResourceWithVolume.yaml - kind: Pod - result: pass - - policy: add-safe-to-evict - rule: annotate-empty-dir - resource: pod-without-emptydir-hostpath-1 - kind: Pod - result: skip +- kind: Pod + policy: add-safe-to-evict + resources: + - pod-without-emptydir-hostpath + result: skip + rule: annotate-empty-dir +- kind: Pod + patchedResource: patchedResource.yaml + policy: add-safe-to-evict + resources: + - pod-with-emptydir-hostpath + result: pass + rule: annotate-empty-dir +- kind: Pod + patchedResource: patchedResourceWithVolume.yaml + policy: add-safe-to-evict + resources: + - pod-with-emptydir-hostpath-1 + result: pass + rule: annotate-empty-dir +- kind: Pod + policy: add-safe-to-evict + resources: + - pod-without-emptydir-hostpath-1 + result: skip + rule: annotate-empty-dir diff --git a/test/cli/test-mutate/kyverno-test.yaml b/test/cli/test-mutate/kyverno-test.yaml index ba829a7553..a6d4e326cf 100644 --- a/test/cli/test-mutate/kyverno-test.yaml +++ b/test/cli/test-mutate/kyverno-test.yaml 
@@ -1,90 +1,103 @@ name: add-nodeselector policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: add-label - rule: add-label - resource: resource-equal-to-patch-res-for-cp - patchedResource: patchedResource1.yaml - kind: Pod - namespace: practice - result: skip - - policy: add-label - rule: add-label - resource: same-name-but-diff-namespace - patchedResource: patchedResource2.yaml - kind: Pod - namespace: testing - result: pass - - policy: add-label - rule: add-label - resource: same-name-but-diff-namespace - patchedResource: patchedResource3.yaml - kind: Pod - namespace: production - result: pass - - policy: add-label - rule: add-label - resource: mydeploy - patchedResource: patchedResource4.yaml - kind: Deployment - result: pass - - policy: add-label - rule: add-label - resource: same-name-but-diff-kind - patchedResource: patchedResource5.yaml - kind: Service - result: skip - - policy: add-label - rule: add-label - resource: same-name-but-diff-kind - patchedResource: patchedResource6.yaml - kind: Pod - result: pass - - policy: add-ndots - rule: add-ndots - resource: resource-equal-to-patch-res-for-cp - namespace: practice - patchedResource: patchedResource7.yaml - kind: Pod - result: skip - - policy: add-ndots - rule: add-ndots - resource: same-name-but-diff-namespace - patchedResource: patchedResource8.yaml - namespace: testing - kind: Pod - result: pass - - policy: add-ndots - rule: add-ndots - resource: same-name-but-diff-namespace - patchedResource: patchedResource9.yaml - kind: Pod - namespace: production - result: skip - - policy: add-ndots - rule: add-ndots - resource: mydeploy - patchedResource: patchedResource10.yaml - kind: Deployment - result: skip - - policy: add-ndots - rule: add-ndots - resource: same-name-but-diff-kind - patchedResource: patchedResource5.yaml - kind: Service - result: skip - - policy: add-ndots - rule: add-ndots - resource: same-name-but-diff-kind - patchedResource: 
patchedResource11.yaml - kind: Pod - result: skip - - policy: example - rule: object_from_lists - resource: example - patchedResource: patched-resource.yaml - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + namespace: practice + patchedResource: patchedResource1.yaml + policy: add-label + resources: + - resource-equal-to-patch-res-for-cp + result: skip + rule: add-label +- kind: Pod + namespace: testing + patchedResource: patchedResource2.yaml + policy: add-label + resources: + - same-name-but-diff-namespace + result: pass + rule: add-label +- kind: Pod + namespace: production + patchedResource: patchedResource3.yaml + policy: add-label + resources: + - same-name-but-diff-namespace + result: pass + rule: add-label +- kind: Deployment + patchedResource: patchedResource4.yaml + policy: add-label + resources: + - mydeploy + result: pass + rule: add-label +- kind: Service + patchedResource: patchedResource5.yaml + policy: add-label + resources: + - same-name-but-diff-kind + result: skip + rule: add-label +- kind: Pod + patchedResource: patchedResource6.yaml + policy: add-label + resources: + - same-name-but-diff-kind + result: pass + rule: add-label +- kind: Pod + namespace: practice + patchedResource: patchedResource7.yaml + policy: add-ndots + resources: + - resource-equal-to-patch-res-for-cp + result: skip + rule: add-ndots +- kind: Pod + namespace: testing + patchedResource: patchedResource8.yaml + policy: add-ndots + resources: + - same-name-but-diff-namespace + result: pass + rule: add-ndots +- kind: Pod + namespace: production + patchedResource: patchedResource9.yaml + policy: add-ndots + resources: + - same-name-but-diff-namespace + result: skip + rule: add-ndots +- kind: Deployment + patchedResource: patchedResource10.yaml + policy: add-ndots + resources: + - mydeploy + result: skip + rule: add-ndots +- kind: Service + patchedResource: patchedResource5.yaml + policy: add-ndots + resources: + - same-name-but-diff-kind + result: skip + rule: 
add-ndots +- kind: Pod + patchedResource: patchedResource11.yaml + policy: add-ndots + resources: + - same-name-but-diff-kind + result: skip + rule: add-ndots +- kind: Pod + patchedResource: patched-resource.yaml + policy: example + resources: + - example + result: pass + rule: object_from_lists diff --git a/test/cli/test-mutate/patched-resource/kyverno-test.yaml b/test/cli/test-mutate/patched-resource/kyverno-test.yaml index 96bfa81d95..8dc3fc0c16 100644 --- a/test/cli/test-mutate/patched-resource/kyverno-test.yaml +++ b/test/cli/test-mutate/patched-resource/kyverno-test.yaml @@ -1,20 +1,25 @@ name: add-default-resources-test policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml -variables: variables.yaml +- resource.yaml results: - - policy: add-default-resources - rule: add-default-requests - resource: nginx-demo - patchedResource: patched-resource.yaml - kind: Pod - result: pass +- kind: Pod + patchedResource: patched-resource.yaml + policy: add-default-resources + resources: + - nginx-demo + result: pass + rule: add-default-requests values: + globalValues: null + namespaceSelector: null policies: - name: add-default-resources resources: - name: nginx-demo values: request.operation: CREATE + rules: null + subresources: null +variables: variables.yaml diff --git a/test/cli/test/admission_user_info/kyverno-test.yaml b/test/cli/test/admission_user_info/kyverno-test.yaml index b3accb44ce..dd4502054d 100644 --- a/test/cli/test/admission_user_info/kyverno-test.yaml +++ b/test/cli/test/admission_user_info/kyverno-test.yaml 
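Review bot: The rewritten `values:` block in test/cli/test-mutate/patched-resource/kyverno-test.yaml now carries `globalValues: null`, `namespaceSelector: null`, `rules: null` and `subresources: null`, none of which were in the original file. They look like zero-value fields written out by the fix command rather than settings anyone chose, and they make it harder to see which inputs this mutation test depends on. I would drop those four lines here, along with the `resources: null`, `foreachValues: null`, `verbs: null` and `singularName: ""` lines in the exec-subresource hunk, or have the fixer skip fields that were absent from the input. The file also keeps both the inline `values:` block and `variables: variables.yaml`; which one takes precedence is not visible from this hunk and deserves a one-line comment.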
@@ -1,38 +1,43 @@ name: admission-user-info policies: - - disallow_latest_tag.yaml +- disallow_latest_tag.yaml resources: - - resource.yaml -userinfo: user_info.yaml - +- resource.yaml results: - - policy: disallow-latest-tag - rule: require-image-tag - resource: myapp-pod1 - kind: Pod - result: pass - - policy: disallow-latest-tag - rule: require-image-tag - resource: myapp-pod2 - kind: Pod - result: pass - - policy: disallow-latest-tag - rule: require-image-tag - resource: myapp-pod3 - kind: Pod - result: pass - - policy: disallow-latest-tag - rule: validate-image-tag - resource: myapp-pod1 - kind: Pod - result: pass - - policy: disallow-latest-tag - rule: validate-image-tag - resource: myapp-pod2 - kind: Pod - result: pass - - policy: disallow-latest-tag - rule: validate-image-tag - resource: myapp-pod3 - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod1 + result: pass + rule: require-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod2 + result: pass + rule: require-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod3 + result: pass + rule: require-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod1 + result: pass + rule: validate-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod2 + result: pass + rule: validate-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod3 + result: pass + rule: validate-image-tag +userinfo: user_info.yaml diff --git a/test/cli/test/any-all-wildcard/kyverno-test.yaml b/test/cli/test/any-all-wildcard/kyverno-test.yaml index f1c3edb755..2e81ddc5b1 100644 --- a/test/cli/test/any-all-wildcard/kyverno-test.yaml +++ b/test/cli/test/any-all-wildcard/kyverno-test.yaml 
@@ -1,24 +1,27 @@ name: disallow-protected-namespaces policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: disallow-protected-namespaces - rule: disallow - resource: test1 - kind: Pod - namespace: namespace1 - result: fail - - policy: disallow-protected-namespaces - rule: disallow - resource: test2 - kind: Pod - namespace: namespace2 - result: fail - - policy: disallow-protected-namespaces - rule: disallow - resource: test3 - kind: Pod - namespace: namespace3 - result: skip +- kind: Pod + namespace: namespace1 + policy: disallow-protected-namespaces + resources: + - test1 + result: fail + rule: disallow +- kind: Pod + namespace: namespace2 + policy: disallow-protected-namespaces + resources: + - test2 + result: fail + rule: disallow +- kind: Pod + namespace: namespace3 + policy: disallow-protected-namespaces + resources: + - test3 + result: skip + rule: disallow diff --git a/test/cli/test/any-namespaceSelector/kyverno-test.yaml b/test/cli/test/any-namespaceSelector/kyverno-test.yaml index e42d541d73..0e83c147cd 100644 --- a/test/cli/test/any-namespaceSelector/kyverno-test.yaml +++ b/test/cli/test/any-namespaceSelector/kyverno-test.yaml @@ -1,14 +1,14 @@ ---- name: enforce-pod-name policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml -variables: value.yaml +- resource.yaml results: - - policy: enforce-pod-name - rule: validate-name - resource: test-nginx - kind: Pod - namespace: test1 - result: pass +- kind: Pod + namespace: test1 + policy: enforce-pod-name + resources: + - test-nginx + result: pass + rule: validate-name +variables: value.yaml diff --git a/test/cli/test/anypattern_skip_error/kyverno-test.yaml b/test/cli/test/anypattern_skip_error/kyverno-test.yaml index af2264240d..0cc24551fc 100644 --- a/test/cli/test/anypattern_skip_error/kyverno-test.yaml +++ b/test/cli/test/anypattern_skip_error/kyverno-test.yaml 
@@ -1,26 +1,30 @@ name: validate-service-loadbalancer policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: validate-service-loadbalancer - rule: check-loadbalancer-public - resource: service-public-pass - kind: Service - result: pass - - policy: validate-service-loadbalancer - rule: check-loadbalancer-public - resource: service-public-2-pass - kind: Service - result: pass - - policy: validate-service-loadbalancer - rule: check-loadbalancer-public - resource: service-public-fail - kind: Service - result: fail - - policy: validate-service-loadbalancer - rule: check-loadbalancer-public - resource: service-clusterip-skip - kind: Service - result: skip +- kind: Service + policy: validate-service-loadbalancer + resources: + - service-public-pass + result: pass + rule: check-loadbalancer-public +- kind: Service + policy: validate-service-loadbalancer + resources: + - service-public-2-pass + result: pass + rule: check-loadbalancer-public +- kind: Service + policy: validate-service-loadbalancer + resources: + - service-public-fail + result: fail + rule: check-loadbalancer-public +- kind: Service + policy: validate-service-loadbalancer + resources: + - service-clusterip-skip + result: skip + rule: check-loadbalancer-public diff --git a/test/cli/test/autogen/kyverno-test.yaml b/test/cli/test/autogen/kyverno-test.yaml index bf19c8746f..6f44c29a81 100644 --- a/test/cli/test/autogen/kyverno-test.yaml +++ b/test/cli/test/autogen/kyverno-test.yaml 
@@ -1,60 +1,54 @@ +name: kyverno-test.yaml policies: - policy.yaml resources: - resources.yaml results: -# TEST: Pod with Labels Should Pass -- policy: require-common-labels - rule: check-for-labels +- kind: Pod + policy: require-common-labels + resources: + - pod-with-labels result: pass - kind: Pod - resource: pod-with-labels - -# TEST: Pod Missing Labels Should Fail -- policy: require-common-labels rule: check-for-labels +- kind: Pod + policy: require-common-labels + resources: + - pod-missing-labels result: fail - kind: Pod - resource: pod-missing-labels - -# TEST: Deployment with Labels Should Pass -- policy: require-common-labels rule: check-for-labels +- kind: Deployment + policy: require-common-labels + resources: + - deployment-with-labels result: pass - kind: Deployment - resource: deployment-with-labels - -# TEST: Deployment with Labels Should Fail -- policy: require-common-labels rule: check-for-labels +- kind: Deployment + policy: require-common-labels + resources: + - deployment-missing-labels result: fail - kind: Deployment - resource: deployment-missing-labels - -# TEST: StatefulSet with Labels Should Pass -- policy: require-common-labels rule: check-for-labels +- kind: StatefulSet + policy: require-common-labels + resources: + - StatefulSet-with-labels result: pass - kind: StatefulSet - resource: StatefulSet-with-labels - -# TEST: StatefulSet with Labels Should fail -- policy: require-common-labels rule: check-for-labels +- kind: StatefulSet + policy: require-common-labels + resources: + - StatefulSet-without-labels result: fail - kind: StatefulSet - resource: StatefulSet-without-labels - -# TEST: Cronjob with Labels Should pass -- policy: require-common-labels rule: check-for-labels +- kind: CronJob + policy: require-common-labels + resources: + - cronjob-with-labels result: pass - kind: CronJob - resource: cronjob-with-labels - -# TEST: Cronjob without Labels Should fail -- policy: require-common-labels rule: check-for-labels +- kind: CronJob + 
policy: require-common-labels + resources: + - cronjob-without-labels result: fail - kind: CronJob - resource: cronjob-without-labels + rule: check-for-labels diff --git a/test/cli/test/container_reorder/kyverno-test.yaml b/test/cli/test/container_reorder/kyverno-test.yaml index f83adcff50..d3498bef5e 100644 --- a/test/cli/test/container_reorder/kyverno-test.yaml +++ b/test/cli/test/container_reorder/kyverno-test.yaml @@ -1,16 +1,18 @@ -name: test-image-verify-signature -policies: - - policy.yml -resources: - - resources.yaml -results: - - policy: check-image - rule: verify-signature - resource: signed-first - kind: Pod - status: fail - - policy: check-image - rule: verify-signature - resource: unsigned-first - kind: Pod - status: fail \ No newline at end of file +name: test-image-verify-signature +policies: +- policy.yml +resources: +- resources.yaml +results: +- kind: Pod + policy: check-image + resources: + - signed-first + result: fail + rule: verify-signature +- kind: Pod + policy: check-image + resources: + - unsigned-first + result: fail + rule: verify-signature diff --git a/test/cli/test/context-entries/kyverno-test.yaml b/test/cli/test/context-entries/kyverno-test.yaml index 8cd50a1b90..059da13190 100644 --- a/test/cli/test/context-entries/kyverno-test.yaml +++ b/test/cli/test/context-entries/kyverno-test.yaml 
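Review bot: The eight `# TEST: ...` comments that stated each case's intent are removed from test/cli/test/autogen/kyverno-test.yaml, and the added `name: kyverno-test.yaml` appears to be just the file name, so the fixture no longer says what it checks. I would give it a descriptive name, for example `name: autogen-require-common-labels`, and put a short comment back above each entry, such as `# Deployment missing labels should fail`. If the fix command re-serialises the file on every run, those comments will presumably be dropped again, so that limitation is worth stating where the command is documented.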
@@ -1,61 +1,72 @@ name: test-context-entries policies: - - policies.yaml +- policies.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: example - rule: defined-value - resource: example - kind: Pod - result: pass - - policy: example - rule: defined-jmespath - resource: example - kind: Pod - result: pass - - policy: example - rule: defined-jmespath-with-default - resource: example - kind: Pod - result: pass - - policy: example - rule: defined-value-with-variable - resource: example - kind: Pod - result: pass - - policy: example - rule: defined-jmespath-with-default-variable - resource: example - kind: Pod - result: pass - - policy: example - rule: defined-value-jmespath - resource: example - kind: Pod - result: pass - - policy: example - rule: defined-value-jmespath-variable - resource: example - kind: Pod - result: pass - - policy: example - rule: value-override - resource: example - kind: Pod - result: pass - - policy: example - rule: wildcard-match - resource: example - kind: Pod - result: pass - - policy: example - rule: items - resource: example - kind: Pod - result: pass - - policy: example - rule: unused-var - resource: example - kind: Pod - result: pass +- kind: Pod + policy: example + resources: + - example + result: pass + rule: defined-value +- kind: Pod + policy: example + resources: + - example + result: pass + rule: defined-jmespath +- kind: Pod + policy: example + resources: + - example + result: pass + rule: defined-jmespath-with-default +- kind: Pod + policy: example + resources: + - example + result: pass + rule: defined-value-with-variable +- kind: Pod + policy: example + resources: + - example + result: pass + rule: defined-jmespath-with-default-variable +- kind: Pod + policy: example + resources: + - example + result: pass + rule: defined-value-jmespath +- kind: Pod + policy: example + resources: + - example + result: pass + rule: defined-value-jmespath-variable +- kind: Pod + policy: example + resources: + - example + 
result: pass + rule: value-override +- kind: Pod + policy: example + resources: + - example + result: pass + rule: wildcard-match +- kind: Pod + policy: example + resources: + - example + result: pass + rule: items +- kind: Pod + policy: example + resources: + - example + result: pass + rule: unused-var diff --git a/test/cli/test/context-foreach/kyverno-test.yaml b/test/cli/test/context-foreach/kyverno-test.yaml index e12b0fbb47..6f2abb98cf 100644 --- a/test/cli/test/context-foreach/kyverno-test.yaml +++ b/test/cli/test/context-foreach/kyverno-test.yaml @@ -1,17 +1,19 @@ name: block-images policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml -variables: values.yaml +- resources.yaml results: -- policy: block-images - rule: block-images - resource: good-pod - kind: Pod +- kind: Pod + policy: block-images + resources: + - good-pod result: pass -- policy: block-images rule: block-images - resource: bad-pod - kind: Pod +- kind: Pod + policy: block-images + resources: + - bad-pod result: fail + rule: block-images +variables: values.yaml diff --git a/test/cli/test/custom-functions/kyverno-test.yaml b/test/cli/test/custom-functions/kyverno-test.yaml index 0c1c88be08..08cde1398f 100644 --- a/test/cli/test/custom-functions/kyverno-test.yaml +++ b/test/cli/test/custom-functions/kyverno-test.yaml 
@@ -1,67 +1,78 @@ name: test-custom-funcs policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: base64 - rule: secret-value-must-match-label - resource: base64-test-match - kind: Secret - status: pass - - policy: base64 - rule: secret-value-must-match-label - resource: base64-test-no-match - kind: Secret - status: fail - - policy: pattern-match - rule: label-must-match-pattern - resource: pattern-match-test-match - kind: Namespace - status: pass - - policy: pattern-match - rule: label-must-match-pattern - resource: pattern-match-test-no-match - kind: Namespace - status: fail - - policy: path-canonicalize - rule: disallow-mount-containerd-sock - resource: mount-containerd-sock - kind: Pod - status: fail - - policy: test-parse-json - rule: test-json-parsing-jmespath - resource: valid-test - kind: ConfigMap - result: pass - - policy: test-parse-json - rule: test-json-parsing-jmespath - resource: invalid-test - kind: ConfigMap - result: fail - - policy: test-parse-yaml - rule: test-yaml-parsing-jmespath - resource: valid-yaml-test - kind: ConfigMap - result: pass - - policy: test-parse-yaml - rule: test-yaml-parsing-jmespath - resource: invalid-yaml-test - kind: ConfigMap - result: fail - - policy: test-parse-yaml-array - rule: test-yaml-parsing-jmespath - resource: valid-yaml-test - kind: ConfigMap - result: pass - - policy: test-parse-yaml-array - rule: test-yaml-parsing-jmespath - resource: invalid-yaml-test - kind: ConfigMap - result: fail - - policy: test-x509-decode - rule: test-x509-decode - resource: test-x509-configmap - kind: ConfigMap - result: fail - \ No newline at end of file +- kind: Secret + policy: base64 + resources: + - base64-test-match + result: pass + rule: secret-value-must-match-label +- kind: Secret + policy: base64 + resources: + - base64-test-no-match + result: fail + rule: secret-value-must-match-label +- kind: Namespace + policy: pattern-match + resources: + - pattern-match-test-match 
+ result: pass + rule: label-must-match-pattern +- kind: Namespace + policy: pattern-match + resources: + - pattern-match-test-no-match + result: fail + rule: label-must-match-pattern +- kind: Pod + policy: path-canonicalize + resources: + - mount-containerd-sock + result: fail + rule: disallow-mount-containerd-sock +- kind: ConfigMap + policy: test-parse-json + resources: + - valid-test + result: pass + rule: test-json-parsing-jmespath +- kind: ConfigMap + policy: test-parse-json + resources: + - invalid-test + result: fail + rule: test-json-parsing-jmespath +- kind: ConfigMap + policy: test-parse-yaml + resources: + - valid-yaml-test + result: pass + rule: test-yaml-parsing-jmespath +- kind: ConfigMap + policy: test-parse-yaml + resources: + - invalid-yaml-test + result: fail + rule: test-yaml-parsing-jmespath +- kind: ConfigMap + policy: test-parse-yaml-array + resources: + - valid-yaml-test + result: pass + rule: test-yaml-parsing-jmespath +- kind: ConfigMap + policy: test-parse-yaml-array + resources: + - invalid-yaml-test + result: fail + rule: test-yaml-parsing-jmespath +- kind: ConfigMap + policy: test-x509-decode + resources: + - test-x509-configmap + result: fail + rule: test-x509-decode diff --git a/test/cli/test/default_value_to_create/kyverno-test.yaml b/test/cli/test/default_value_to_create/kyverno-test.yaml index 5005e1937e..bd81ce4dab 100644 --- a/test/cli/test/default_value_to_create/kyverno-test.yaml +++ b/test/cli/test/default_value_to_create/kyverno-test.yaml 
@@ -1,16 +1,18 @@ name: psp-check-supplemental-groups policies: - - check-supplemental-groups.yaml +- check-supplemental-groups.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: psp-check-supplemental-groups - rule: supplementalgroup-ranges - resource: badpod01 - kind: Pod - result: fail - - policy: psp-check-supplemental-groups - rule: supplementalgroup-ranges - resource: goodpod01 - kind: Pod - result: pass \ No newline at end of file +- kind: Pod + policy: psp-check-supplemental-groups + resources: + - badpod01 + result: fail + rule: supplementalgroup-ranges +- kind: Pod + policy: psp-check-supplemental-groups + resources: + - goodpod01 + result: pass + rule: supplementalgroup-ranges diff --git a/test/cli/test/depecated_apis/kyverno-test.yaml b/test/cli/test/depecated_apis/kyverno-test.yaml index e3b3ed3ab6..d43d30d6e4 100644 --- a/test/cli/test/depecated_apis/kyverno-test.yaml +++ b/test/cli/test/depecated_apis/kyverno-test.yaml @@ -1,16 +1,18 @@ name: test-simple policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: check-deprecated-api - rule: validate-v1-25-removal - resource: hello - kind: CronJob - status: skip - - policy: check-deprecated-api - rule: validate-v1-25-removal - resource: hello-fail - kind: CronJob - status: warn \ No newline at end of file +- kind: CronJob + policy: check-deprecated-api + resources: + - hello + result: skip + rule: validate-v1-25-removal +- kind: CronJob + policy: check-deprecated-api + resources: + - hello-fail + result: warn + rule: validate-v1-25-removal diff --git a/test/cli/test/exec-subresource/kyverno-test.yaml b/test/cli/test/exec-subresource/kyverno-test.yaml index 48669ab1b9..59041c0dbd 100644 --- a/test/cli/test/exec-subresource/kyverno-test.yaml +++ b/test/cli/test/exec-subresource/kyverno-test.yaml 
@@ -1,30 +1,40 @@ name: deny-exec-by-pod-label policies: - - deny-exec-by-pod-label.yaml +- deny-exec-by-pod-label.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: deny-exec-by-pod-label - rule: deny-exec-by-label - resource: execpod - namespace: default - kind: PodExecOptions - result: fail +- kind: PodExecOptions + namespace: default + policy: deny-exec-by-pod-label + resources: + - execpod + result: fail + rule: deny-exec-by-label values: - policies: - - name: deny-exec-by-pod-label - rules: - - name: deny-exec-by-label - values: - podexeclabel: "false" globalValues: request.operation: CONNECT + namespaceSelector: null + policies: + - name: deny-exec-by-pod-label + resources: null + rules: + - foreachValues: null + name: deny-exec-by-label + values: + podexeclabel: "false" subresources: - - subresource: - name: "pods/exec" - kind: "PodExecOptions" - version: "v1" - parentResource: - name: "pods" - kind: "Pod" - version: "v1" \ No newline at end of file + - parentResource: + kind: Pod + name: pods + namespaced: false + singularName: "" + verbs: null + version: v1 + subresource: + kind: PodExecOptions + name: pods/exec + namespaced: false + singularName: "" + verbs: null + version: v1 diff --git a/test/cli/test/foreach-preconditions/kyverno-test.yaml b/test/cli/test/foreach-preconditions/kyverno-test.yaml index ff30d8e82f..a5a6f378a4 100644 --- a/test/cli/test/foreach-preconditions/kyverno-test.yaml +++ b/test/cli/test/foreach-preconditions/kyverno-test.yaml 
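Review bot: Both the `parentResource` and `subresource` entries in the new `subresources:` block of test/cli/test/exec-subresource/kyverno-test.yaml now state `namespaced: false`, a field the original file did not set. Pods and `pods/exec` are namespaced resources, and the result entry above uses `namespace: default`, so the fixture now asserts something that looks wrong. Whether the CLI reads this field when evaluating the deny-exec rule is not visible from the hunk; if it does, the expected `fail` could be reached for the wrong reason and the test would stop guarding the policy. I would set `namespaced: true` in both entries, or leave the field out as before.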
@@ -1,16 +1,18 @@ name: test-foreach-precondition policies: - - policies.yaml +- policies.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: enforce-limits-fraction - rule: check-memory-requests-limits - resource: frontend1 - kind: Pod - status: fail - - policy: enforce-limits-fraction - rule: check-memory-requests-limits - resource: frontend2 - kind: Pod - status: pass \ No newline at end of file +- kind: Pod + policy: enforce-limits-fraction + resources: + - frontend1 + result: fail + rule: check-memory-requests-limits +- kind: Pod + policy: enforce-limits-fraction + resources: + - frontend2 + result: pass + rule: check-memory-requests-limits diff --git a/test/cli/test/foreach/kyverno-test.yaml b/test/cli/test/foreach/kyverno-test.yaml index 84b2fb6a6c..9097da16d1 100644 --- a/test/cli/test/foreach/kyverno-test.yaml +++ b/test/cli/test/foreach/kyverno-test.yaml 
@@ -1,56 +1,66 @@ name: test-foreach policies: - - policies.yaml +- policies.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: validate-empty-dir-mountpath - rule: check-mount-paths - resource: test-pod - kind: Pod - status: pass - - policy: validate-empty-dir-mountpath - rule: check-mount-paths - resource: test-pod2 - kind: Pod - status: pass - - policy: validate-empty-dir-resources - rule: check-resources - resource: test-pod-bad-mount - kind: Pod - status: fail - - policy: validate-empty-dir-resources - rule: check-resources - resource: test-pod - kind: Pod - status: fail - - policy: validate-empty-dir-resources - rule: check-resources - resource: test-pod-with-resources - kind: Pod - status: pass - - policy: validate-empty-dir-resources - rule: check-resources - resource: test-pod-with-gke-vol - kind: Pod - status: skip - - policy: validate-empty-dir-resources - rule: check-resources - resource: test-pod-with-resources-multiple-ctnrs - kind: Pod - status: pass - - policy: validate-image-list - rule: check-image - resource: test-pod - kind: Pod - status: fail - - policy: validate-image-list - rule: check-image - resource: test-pod-ghcr - kind: Pod - status: fail - - policy: validate-image-list-error - rule: check-image - resource: test-pod-ghcr - kind: Pod - status: error +- kind: Pod + policy: validate-empty-dir-mountpath + resources: + - test-pod + result: pass + rule: check-mount-paths +- kind: Pod + policy: validate-empty-dir-mountpath + resources: + - test-pod2 + result: pass + rule: check-mount-paths +- kind: Pod + policy: validate-empty-dir-resources + resources: + - test-pod-bad-mount + result: fail + rule: check-resources +- kind: Pod + policy: validate-empty-dir-resources + resources: + - test-pod + result: fail + rule: check-resources +- kind: Pod + policy: validate-empty-dir-resources + resources: + - test-pod-with-resources + result: pass + rule: check-resources +- kind: Pod + policy: validate-empty-dir-resources + resources: 
+ - test-pod-with-gke-vol + result: skip + rule: check-resources +- kind: Pod + policy: validate-empty-dir-resources + resources: + - test-pod-with-resources-multiple-ctnrs + result: pass + rule: check-resources +- kind: Pod + policy: validate-image-list + resources: + - test-pod + result: fail + rule: check-image +- kind: Pod + policy: validate-image-list + resources: + - test-pod-ghcr + result: fail + rule: check-image +- kind: Pod + policy: validate-image-list-error + resources: + - test-pod-ghcr + result: error + rule: check-image diff --git a/test/cli/test/images/digest/kyverno-test.yaml b/test/cli/test/images/digest/kyverno-test.yaml index df9b19862a..abc6ba41c4 100644 --- a/test/cli/test/images/digest/kyverno-test.yaml +++ b/test/cli/test/images/digest/kyverno-test.yaml @@ -1,18 +1,20 @@ name: test-image-digest policies: - - policies.yaml +- policies.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: require-image-digest - rule: check-digest - resource: no-digest - kind: Pod - namespace: test - status: fail - - policy: require-image-digest - rule: check-digest - resource: with-digest - kind: Pod - namespace: test - status: pass +- kind: Pod + namespace: test + policy: require-image-digest + resources: + - no-digest + result: fail + rule: check-digest +- kind: Pod + namespace: test + policy: require-image-digest + resources: + - with-digest + result: pass + rule: check-digest diff --git a/test/cli/test/images/secure-images/kyverno-test.yaml b/test/cli/test/images/secure-images/kyverno-test.yaml index e585738168..256a3aa477 100644 --- a/test/cli/test/images/secure-images/kyverno-test.yaml +++ b/test/cli/test/images/secure-images/kyverno-test.yaml 
@@ -1,11 +1,12 @@ -name: test-image-enforce-signatures -policies: - - policies.yaml -resources: - - resources.yaml -results: - - policy: secure-images - rule: enforce-signatures - resource: tomcat - kind: Pod - status: fail \ No newline at end of file +name: test-image-enforce-signatures +policies: +- policies.yaml +resources: +- resources.yaml +results: +- kind: Pod + policy: secure-images + resources: + - tomcat + result: fail + rule: enforce-signatures diff --git a/test/cli/test/images/signatures/kyverno-test.yaml b/test/cli/test/images/signatures/kyverno-test.yaml index c8a1e5dca6..a54c14e3fa 100644 --- a/test/cli/test/images/signatures/kyverno-test.yaml +++ b/test/cli/test/images/signatures/kyverno-test.yaml @@ -1,16 +1,18 @@ -name: test-image-signature -policies: - - policies.yaml -resources: - - resources.yaml -results: - - policy: verify-signature - rule: check-static-key - resource: signed - kind: Pod - status: pass - - policy: verify-signature - rule: check-static-key - resource: unsigned - kind: Pod - status: fail \ No newline at end of file +name: test-image-signature +policies: +- policies.yaml +resources: +- resources.yaml +results: +- kind: Pod + policy: verify-signature + resources: + - signed + result: pass + rule: check-static-key +- kind: Pod + policy: verify-signature + resources: + - unsigned + result: fail + rule: check-static-key diff --git a/test/cli/test/images/verify-signature/kyverno-test.yaml b/test/cli/test/images/verify-signature/kyverno-test.yaml index c4700f7870..6eb9ef7323 100644 --- a/test/cli/test/images/verify-signature/kyverno-test.yaml +++ b/test/cli/test/images/verify-signature/kyverno-test.yaml 
@@ -1,26 +1,30 @@ -name: test-image-verify-signature -policies: - - policies.yaml -resources: - - resources.yaml -results: - - policy: check-image - rule: verify-signature - resource: signed - kind: Pod - status: pass - - policy: check-image - rule: verify-signature - resource: unsigned - kind: Pod - status: fail - - policy: check-data-volume-image - rule: verify-signature - resource: signed-registry-image-datavolume - kind: DataVolume - status: pass - - policy: check-data-volume-image - rule: verify-signature - resource: unsigned-registry-image-datavolume - kind: DataVolume - status: fail \ No newline at end of file +name: test-image-verify-signature +policies: +- policies.yaml +resources: +- resources.yaml +results: +- kind: Pod + policy: check-image + resources: + - signed + result: pass + rule: verify-signature +- kind: Pod + policy: check-image + resources: + - unsigned + result: fail + rule: verify-signature +- kind: DataVolume + policy: check-data-volume-image + resources: + - signed-registry-image-datavolume + result: pass + rule: verify-signature +- kind: DataVolume + policy: check-data-volume-image + resources: + - unsigned-registry-image-datavolume + result: fail + rule: verify-signature diff --git a/test/cli/test/jmespath-brackets/kyverno-test.yaml b/test/cli/test/jmespath-brackets/kyverno-test.yaml index 6e431d745b..24e1e5060c 100644 --- a/test/cli/test/jmespath-brackets/kyverno-test.yaml +++ b/test/cli/test/jmespath-brackets/kyverno-test.yaml 
@@ -1,36 +1,42 @@ name: test-preconditions policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: test-jmespath - rule: test-jmespath - resource: test-valid1 - kind: Pod - status: pass - - policy: test-jmespath - rule: test-jmespath - resource: test-valid2 - kind: Pod - status: pass - - policy: test-jmespath - rule: test-jmespath - resource: test-valid3 - kind: Pod - status: pass - - policy: test-jmespath - rule: test-jmespath - resource: test-invalid - kind: Pod - status: fail - - policy: namespace-validation - rule: namespace-validation - resource: test-invalid - kind: Namespace - status: fail - - policy: namespace-validation - rule: namespace-validation - resource: test-valid - kind: Namespace - status: pass +- kind: Pod + policy: test-jmespath + resources: + - test-valid1 + result: pass + rule: test-jmespath +- kind: Pod + policy: test-jmespath + resources: + - test-valid2 + result: pass + rule: test-jmespath +- kind: Pod + policy: test-jmespath + resources: + - test-valid3 + result: pass + rule: test-jmespath +- kind: Pod + policy: test-jmespath + resources: + - test-invalid + result: fail + rule: test-jmespath +- kind: Namespace + policy: namespace-validation + resources: + - test-invalid + result: fail + rule: namespace-validation +- kind: Namespace + policy: namespace-validation + resources: + - test-valid + result: pass + rule: namespace-validation diff --git a/test/cli/test/limit-configmap-for-sa/kyverno-test.yaml b/test/cli/test/limit-configmap-for-sa/kyverno-test.yaml index ac1dca28ed..566881fb9c 100644 --- a/test/cli/test/limit-configmap-for-sa/kyverno-test.yaml +++ b/test/cli/test/limit-configmap-for-sa/kyverno-test.yaml 
@@ -1,19 +1,21 @@ name: limit-configmap-for-sa policies: - - limit_configmap_for_sa.yaml +- limit_configmap_for_sa.yaml resources: - - resource.yaml -variables: variables.yaml -userinfo: user_info.yaml +- resource.yaml results: - - policy: limit-configmap-for-sa - rule: limit-configmap-for-sa-developer - resource: any-configmap-name-good - kind: ConfigMap - namespace: any-namespace - result: fail - - policy: limit-configmap-for-sa - rule: limit-configmap-for-sa-developer - resource: any-configmap-name-bad - kind: ConfigMap - result: skip +- kind: ConfigMap + namespace: any-namespace + policy: limit-configmap-for-sa + resources: + - any-configmap-name-good + result: fail + rule: limit-configmap-for-sa-developer +- kind: ConfigMap + policy: limit-configmap-for-sa + resources: + - any-configmap-name-bad + result: skip + rule: limit-configmap-for-sa-developer +userinfo: user_info.yaml +variables: variables.yaml diff --git a/test/cli/test/manifests/verify-signature/kyverno-test.yaml b/test/cli/test/manifests/verify-signature/kyverno-test.yaml index 1edd7b54ad..93cfc6f67e 100644 --- a/test/cli/test/manifests/verify-signature/kyverno-test.yaml +++ b/test/cli/test/manifests/verify-signature/kyverno-test.yaml 
@@ -1,21 +1,24 @@ name: yaml-verification policies: - - policies.yaml +- policies.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: validate-yaml - rule: validate-yaml - resource: test-service # no signature - kind: Service - result: fail - - policy: validate-yaml - rule: validate-yaml - resource: test-service2 # one signature - kind: Service - result: pass - - policy: validate-yaml - rule: validate-yaml-multi-sig - resource: test-service3 # multi signature - kind: Service - result: pass \ No newline at end of file +- kind: Service + policy: validate-yaml + resources: + - test-service + result: fail + rule: validate-yaml +- kind: Service + policy: validate-yaml + resources: + - test-service2 + result: pass + rule: validate-yaml +- kind: Service + policy: validate-yaml + resources: + - test-service3 + result: pass + rule: validate-yaml-multi-sig diff --git a/test/cli/test/mixed/kyverno-test.yaml b/test/cli/test/mixed/kyverno-test.yaml index e4a38f2051..aad77ff9bb 100644 --- a/test/cli/test/mixed/kyverno-test.yaml +++ b/test/cli/test/mixed/kyverno-test.yaml 
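Review bot: The three inline comments on the removed lines (`# no signature`, `# one signature`, `# multi signature`) have no counterpart on the new side, so the fixture no longer says why `test-service` must fail while `test-service2` and `test-service3` pass. For a manifest-signature test that rationale is what a reader needs most; I would restore it on the list items, e.g. `- test-service # no signature`, `- test-service2 # one signature`, `- test-service3 # multi signature`. The loss looks like a side effect of round-tripping the file through the fixer, so other commented fixtures may be affected as well.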
@@ -1,32 +1,36 @@ name: ondemand policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: ondemand - rule: ondemand-nodeselector - resource: nodeselector-with-labels-on-mutation - patchedResource: patched-resource.yaml - namespace: user-space - kind: Pod - result: pass - - policy: ondemand - rule: ondemand-managed_by - resource: nodeselector-with-labels-on-mutation - namespace: user-space - kind: Pod - result: pass - - policy: ondemand - rule: ondemand-nodeselector - resource: nodeselector-without-labels-on-mutation - patchedResource: patched-resource1.yaml - namespace: user-foo - kind: Pod - result: skip - - policy: ondemand - rule: ondemand-managed_by - resource: nodeselector-without-labels-on-mutation - namespace: user-foo - kind: Pod - result: fail \ No newline at end of file +- kind: Pod + namespace: user-space + patchedResource: patched-resource.yaml + policy: ondemand + resources: + - nodeselector-with-labels-on-mutation + result: pass + rule: ondemand-nodeselector +- kind: Pod + namespace: user-space + policy: ondemand + resources: + - nodeselector-with-labels-on-mutation + result: pass + rule: ondemand-managed_by +- kind: Pod + namespace: user-foo + patchedResource: patched-resource1.yaml + policy: ondemand + resources: + - nodeselector-without-labels-on-mutation + result: skip + rule: ondemand-nodeselector +- kind: Pod + namespace: user-foo + policy: ondemand + resources: + - nodeselector-without-labels-on-mutation + result: fail + rule: ondemand-managed_by diff --git a/test/cli/test/multiple_condition_keys/kyverno-test.yaml b/test/cli/test/multiple_condition_keys/kyverno-test.yaml index 2d6b63eb85..f99850ad76 100644 --- a/test/cli/test/multiple_condition_keys/kyverno-test.yaml +++ b/test/cli/test/multiple_condition_keys/kyverno-test.yaml 
@@ -1,17 +1,18 @@ name: test-simple policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: test-multiple-key - rule: test-multiple-key - resource: test-resource-pass - kind: Pod - status: pass - - policy: test-multiple-key - rule: test-multiple-key - resource: test-resource-fail - kind: Pod - status: fail - \ No newline at end of file +- kind: Pod + policy: test-multiple-key + resources: + - test-resource-pass + result: pass + rule: test-multiple-key +- kind: Pod + policy: test-multiple-key + resources: + - test-resource-fail + result: fail + rule: test-multiple-key diff --git a/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/kyverno-test.yaml b/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/kyverno-test.yaml index c6b13f2688..630b9d8ccc 100644 --- a/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/kyverno-test.yaml +++ b/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/kyverno-test.yaml @@ -1,17 +1,17 @@ name: exclude-namespaces-example policies: - - exclude_namespaces_dynamically.yaml +- exclude_namespaces_dynamically.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: exclude-namespaces-example - rule: exclude-namespaces-dynamically - resource: bad-pod01 - kind: Pod - result: pass - - policy: exclude-namespaces-example - rule: exclude-namespaces-dynamically - resource: bad-pod02 - kind: Pod - result: error \ No newline at end of file +- kind: Pod + policy: exclude-namespaces-example + resource: bad-pod01 + result: pass + rule: exclude-namespaces-dynamically +- kind: Pod + policy: exclude-namespaces-example + resource: bad-pod02 + result: error + rule: exclude-namespaces-dynamically +variables: values.yaml 
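Review bot: The `exclude-namespaces-example` results in the second hunk here still use the scalar `resource: bad-pod01` and `resource: bad-pod02`, whereas the other fixtures visible in this diff are rewritten to a `resources:` list; the later hunk for `test/cli/test/simple/kyverno-test.yaml` is left the same way for all of its entries. If the scalar key is the legacy form the fixer is meant to migrate, these two files were skipped and should read `resources:` followed by `- bad-pod01`, as elsewhere. If the scalar form was kept on purpose, a short comment in the fixture saying why would explain the difference to the next reader.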
diff --git a/test/cli/test/nil-values-in-variables/limit-duration/kyverno-test.yaml b/test/cli/test/nil-values-in-variables/limit-duration/kyverno-test.yaml index 2b5ebc7346..85ad364ce3 100644 --- a/test/cli/test/nil-values-in-variables/limit-duration/kyverno-test.yaml +++ b/test/cli/test/nil-values-in-variables/limit-duration/kyverno-test.yaml @@ -1,16 +1,18 @@ name: limit-duration policies: - - limit-duration.yaml +- limit-duration.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: cert-manager-limit-duration - rule: certificate-duration-max-100days - resource: letsencrypt-crt - kind: Certificate - result: skip - - policy: cert-manager-limit-duration - rule: certificate-duration-max-100days - resource: acme-crt - kind: Certificate - result: error \ No newline at end of file +- kind: Certificate + policy: cert-manager-limit-duration + resources: + - letsencrypt-crt + result: skip + rule: certificate-duration-max-100days +- kind: Certificate + policy: cert-manager-limit-duration + resources: + - acme-crt + result: error + rule: certificate-duration-max-100days diff --git a/test/cli/test/node-status/kyverno-test.yaml b/test/cli/test/node-status/kyverno-test.yaml index 9a48da1bf0..e215be2b71 100644 --- a/test/cli/test/node-status/kyverno-test.yaml +++ b/test/cli/test/node-status/kyverno-test.yaml @@ -1,11 +1,12 @@ name: check-kernel policies: - - check_node_for_cve_2022_0185.yaml +- check_node_for_cve_2022_0185.yaml resources: - - resource.yaml +- resource.yaml results: -- policy: check-kernel +- kind: Node + policy: check-kernel + resources: + - test-check-kernel-version + result: pass rule: kernel-validate - resource: test-check-kernel-version - kind: Node - result: pass \ No newline at end of file diff --git a/test/cli/test/owner_references/kyverno-test.yaml b/test/cli/test/owner_references/kyverno-test.yaml index eb74ae6674..5845122f96 100644 --- a/test/cli/test/owner_references/kyverno-test.yaml 
+++ b/test/cli/test/owner_references/kyverno-test.yaml @@ -4,18 +4,21 @@ policies: resources: - resource.yaml results: -- policy: require-pod-probes - rule: require-pod-probes - resource: pod-fail - kind: Pod +- kind: Pod + policy: require-pod-probes + resources: + - pod-fail result: fail -- policy: require-pod-probes rule: require-pod-probes - resource: deployment-skip - kind: Deployment +- kind: Deployment + policy: require-pod-probes + resources: + - deployment-skip + result: skip + rule: require-pod-probes +- kind: CronJob + policy: require-pod-probes + resources: + - cronjob-skip result: skip -- policy: require-pod-probes rule: require-pod-probes - resource: cronjob-skip - kind: CronJob - result: skip \ No newline at end of file diff --git a/test/cli/test/policy-reports-skip-validation/kyverno-test.yaml b/test/cli/test/policy-reports-skip-validation/kyverno-test.yaml index 7e826a8234..bc4397c0ae 100644 --- a/test/cli/test/policy-reports-skip-validation/kyverno-test.yaml +++ b/test/cli/test/policy-reports-skip-validation/kyverno-test.yaml @@ -1,17 +1,19 @@ name: disallow-naked-pods policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: -- policy: disallow-naked-pods - rule: validate-naked-pods - resource: blank-skip - kind: Pod +- kind: Pod + policy: disallow-naked-pods + resources: + - blank-skip result: skip -- policy: disallow-naked-pods rule: validate-naked-pods - resource: blank-fail - kind: Pod +- kind: Pod + policy: disallow-naked-pods + resources: + - blank-fail result: fail + rule: validate-naked-pods +variables: values.yaml diff --git a/test/cli/test/preconditions/kyverno-test.yaml b/test/cli/test/preconditions/kyverno-test.yaml index c4223a478e..761e025ee3 100644 --- a/test/cli/test/preconditions/kyverno-test.yaml +++ b/test/cli/test/preconditions/kyverno-test.yaml 
@@ -1,16 +1,18 @@ name: test-preconditions policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: preconditions - rule: any-rule - resource: test-valid - kind: Pod - status: pass - - policy: preconditions - rule: any-rule - resource: test-invalid - kind: Pod - status: fail +- kind: Pod + policy: preconditions + resources: + - test-valid + result: pass + rule: any-rule +- kind: Pod + policy: preconditions + resources: + - test-invalid + result: fail + rule: any-rule diff --git a/test/cli/test/restrict_ingress_host/kyverno-test.yaml b/test/cli/test/restrict_ingress_host/kyverno-test.yaml index 707c224951..a8dab7f8f5 100644 --- a/test/cli/test/restrict_ingress_host/kyverno-test.yaml +++ b/test/cli/test/restrict_ingress_host/kyverno-test.yaml 
@@ -1,27 +1,31 @@ name: unique-ingress-host policies: - - restrict_ingress_host.yaml +- restrict_ingress_host.yaml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: unique-ingress-host - rule: check-single-host - resource: ingress-kyverno-host - kind: Ingress - result: fail - - policy: unique-ingress-host - rule: check-single-host - resource: ingress-foo-host - kind: Ingress - result: skip - - policy: unique-ingress-host - rule: deny-multiple-hosts - resource: ingress-kyverno-host - kind: Ingress - result: skip - - policy: unique-ingress-host - rule: deny-multiple-hosts - resource: ingress-foo-host - kind: Ingress - result: fail \ No newline at end of file +- kind: Ingress + policy: unique-ingress-host + resources: + - ingress-kyverno-host + result: fail + rule: check-single-host +- kind: Ingress + policy: unique-ingress-host + resources: + - ingress-foo-host + result: skip + rule: check-single-host +- kind: Ingress + policy: unique-ingress-host + resources: + - ingress-kyverno-host + result: skip + rule: deny-multiple-hosts +- kind: Ingress + policy: unique-ingress-host + resources: + - ingress-foo-host + result: fail + rule: deny-multiple-hosts +variables: values.yaml diff --git a/test/cli/test/scale-subresource/kyverno-test.yaml b/test/cli/test/scale-subresource/kyverno-test.yaml index efcd02f70f..f7dcf70a9c 100644 --- a/test/cli/test/scale-subresource/kyverno-test.yaml +++ b/test/cli/test/scale-subresource/kyverno-test.yaml 
@@ -1,13 +1,14 @@ name: enforce-replicas-for-scale-subresource policies: - - enforce-replicas-for-scale-subresource.yml +- enforce-replicas-for-scale-subresource.yml resources: - - resource.yaml -variables: values.yaml +- resource.yaml results: - - policy: enforce-replicas-for-scale-subresource - rule: validate-nginx-test - resource: nginx-test - namespace: default - kind: Scale - result: fail \ No newline at end of file +- kind: Scale + namespace: default + policy: enforce-replicas-for-scale-subresource + resources: + - nginx-test + result: fail + rule: validate-nginx-test +variables: values.yaml diff --git a/test/cli/test/secret/kyverno-test.yaml b/test/cli/test/secret/kyverno-test.yaml index dff3cfc798..70d04891e0 100644 --- a/test/cli/test/secret/kyverno-test.yaml +++ b/test/cli/test/secret/kyverno-test.yaml @@ -1,18 +1,20 @@ name: add-maintainer policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: add-maintainer - rule: add-maintainer - resource: example - patchedResource: patched-resource.yaml - kind: Secret - result: pass - - policy: add-maintainer - rule: add-maintainer - resource: secrete-fail-example - patchedResource: patched-resource1.yaml - kind: Secret - result: fail \ No newline at end of file +- kind: Secret + patchedResource: patched-resource.yaml + policy: add-maintainer + resources: + - example + result: pass + rule: add-maintainer +- kind: Secret + patchedResource: patched-resource1.yaml + policy: add-maintainer + resources: + - secrete-fail-example + result: fail + rule: add-maintainer diff --git a/test/cli/test/simple/kyverno-test.yaml b/test/cli/test/simple/kyverno-test.yaml index d2b497854b..be30048e89 100644 --- a/test/cli/test/simple/kyverno-test.yaml +++ b/test/cli/test/simple/kyverno-test.yaml 
@@ -1,95 +1,94 @@ name: test-simple policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml -variables: values.yaml +- resources.yaml results: - - policy: disallow-latest-tag - rule: require-image-tag - resource: test-require-image-tag-pass - kind: Pod - namespace: test - status: pass - - policy: disallow-latest-tag - rule: require-image-tag - resource: test-require-image-tag-fail - kind: Pod - namespace: test - status: fail - - policy: disallow-latest-tag - rule: validate-image-tag - resource: test-validate-image-tag-ignore - kind: Pod - status: skip - - policy: disallow-latest-tag - rule: validate-image-tag - resource: test-validate-image-tag-fail - namespace: test - kind: Pod - status: fail - - policy: disallow-latest-tag - rule: validate-image-tag - resource: test-validate-image-tag-pass - kind: Pod - namespace: test - status: pass - - policy: duration-test - rule: greater-than - resource: test-lifetime-fail - kind: Pod - namespace: test - status: fail - - policy: duration-test - rule: less-than - resource: test-lifetime-fail - kind: Pod - namespace: test - status: pass - - policy: duration-test - rule: greater-equal-than - resource: test-lifetime-fail - kind: Pod - namespace: test - status: fail - - policy: duration-test - rule: less-equal-than - resource: test-lifetime-fail - kind: Pod - namespace: test - status: pass - - - policy: restrict-pod-counts - rule: restrict-pod-count - resource: myapp-pod - kind: Pod - status: fail - - policy: restrict-pod-counts - rule: restrict-pod-count - resource: test-require-image-tag-pass - kind: Pod - namespace: test - status: fail - - policy: restrict-pod-counts - rule: restrict-pod-count - resource: test-require-image-tag-fail - kind: Pod - namespace: test - status: fail - - policy: restrict-pod-counts - rule: restrict-pod-count - resource: test-validate-image-tag-ignore - kind: Pod - status: fail - - policy: restrict-pod-counts - rule: restrict-pod-count - resource: test-validate-image-tag-fail - kind: Pod 
- namespace: test - status: fail - - policy: restrict-pod-counts - rule: restrict-pod-count - resource: test-validate-image-tag-pass - kind: Pod - namespace: test - status: fail \ No newline at end of file +- kind: Pod + namespace: test + policy: disallow-latest-tag + resource: test-require-image-tag-pass + result: pass + rule: require-image-tag +- kind: Pod + namespace: test + policy: disallow-latest-tag + resource: test-require-image-tag-fail + result: fail + rule: require-image-tag +- kind: Pod + policy: disallow-latest-tag + resource: test-validate-image-tag-ignore + result: skip + rule: validate-image-tag +- kind: Pod + namespace: test + policy: disallow-latest-tag + resource: test-validate-image-tag-fail + result: fail + rule: validate-image-tag +- kind: Pod + namespace: test + policy: disallow-latest-tag + resource: test-validate-image-tag-pass + result: pass + rule: validate-image-tag +- kind: Pod + namespace: test + policy: duration-test + resource: test-lifetime-fail + result: fail + rule: greater-than +- kind: Pod + namespace: test + policy: duration-test + resource: test-lifetime-fail + result: pass + rule: less-than +- kind: Pod + namespace: test + policy: duration-test + resource: test-lifetime-fail + result: fail + rule: greater-equal-than +- kind: Pod + namespace: test + policy: duration-test + resource: test-lifetime-fail + result: pass + rule: less-equal-than +- kind: Pod + policy: restrict-pod-counts + resource: myapp-pod + result: fail + rule: restrict-pod-count +- kind: Pod + namespace: test + policy: restrict-pod-counts + resource: test-require-image-tag-pass + result: fail + rule: restrict-pod-count +- kind: Pod + namespace: test + policy: restrict-pod-counts + resource: test-require-image-tag-fail + result: fail + rule: restrict-pod-count +- kind: Pod + policy: restrict-pod-counts + resource: test-validate-image-tag-ignore + result: fail + rule: restrict-pod-count +- kind: Pod + namespace: test + policy: restrict-pod-counts + resource: 
test-validate-image-tag-fail + result: fail + rule: restrict-pod-count +- kind: Pod + namespace: test + policy: restrict-pod-counts + resource: test-validate-image-tag-pass + result: fail + rule: restrict-pod-count +variables: values.yaml diff --git a/test/cli/test/unordered-context-variables/kyverno-test.yaml b/test/cli/test/unordered-context-variables/kyverno-test.yaml index 0061a84d2e..78007afc37 100644 --- a/test/cli/test/unordered-context-variables/kyverno-test.yaml +++ b/test/cli/test/unordered-context-variables/kyverno-test.yaml @@ -1,12 +1,13 @@ name: chained-variables policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml -variables: variables.yaml +- resource.yaml results: -- policy: deny-something +- kind: Pod + policy: deny-something + resources: + - valid-pod + result: pass rule: deny-everything - resource: valid-pod - kind: Pod - result: pass \ No newline at end of file +variables: variables.yaml diff --git a/test/cli/test/variables/kyverno-test.yaml b/test/cli/test/variables/kyverno-test.yaml index 56e6090d76..2da8ef288f 100644 --- a/test/cli/test/variables/kyverno-test.yaml +++ b/test/cli/test/variables/kyverno-test.yaml 
@@ -1,77 +1,90 @@ name: test-variables policies: - - cm-variable-example.yaml - - cm-multiple-example.yaml - - cm-array-example.yaml - - cm-blk-scalar-example.yaml - - cm-globalval-example.yaml - - image-example.yaml +- cm-variable-example.yaml +- cm-multiple-example.yaml +- cm-array-example.yaml +- cm-blk-scalar-example.yaml +- cm-globalval-example.yaml +- image-example.yaml resources: - - resources.yaml -variables: variables.yaml +- resources.yaml results: - - policy: cm-multiple-example - rule: example-configmap-lookup - resource: test-env-test - kind: Pod - result: pass - - policy: cm-multiple-example - rule: example-configmap-lookup - resource: test-env-dev - kind: Pod - result: fail - - policy: cm-variable-example - rule: example-configmap-lookup - resource: test-env-test - kind: Pod - result: pass - - policy: cm-variable-example - rule: example-configmap-lookup - resource: test-env-dev - kind: Pod - result: fail - - policy: cm-array-example - rule: validate-role-annotation - resource: test-web - kind: Pod - result: fail - - policy: cm-array-example - rule: validate-role-annotation - resource: test-app - kind: Pod - result: pass - - policy: cm-blk-scalar-example - rule: validate-blk-role-annotation - resource: test-blk-web - kind: Pod - result: fail - - policy: cm-blk-scalar-example - rule: validate-blk-role-annotation - resource: test-blk-app - kind: Pod - result: pass - - policy: cm-globalval-example - rule: validate-mode - resource: test-global-dev - kind: Pod - result: pass - - policy: cm-globalval-example - rule: validate-mode - resource: test-global-prod - kind: Pod - result: fail - - policy: images - rule: only-allow-trusted-images - resource: test-pod-with-non-root-user-image - kind: Pod - status: pass - - policy: images - rule: only-allow-trusted-images - resource: test-pod-with-trusted-registry - kind: Pod - status: pass - - policy: images - rule: only-allow-trusted-images - resource: test-pod-with-non-trusted-registry - kind: Pod - status: fail +- 
kind: Pod + policy: cm-multiple-example + resources: + - test-env-test + result: pass + rule: example-configmap-lookup +- kind: Pod + policy: cm-multiple-example + resources: + - test-env-dev + result: fail + rule: example-configmap-lookup +- kind: Pod + policy: cm-variable-example + resources: + - test-env-test + result: pass + rule: example-configmap-lookup +- kind: Pod + policy: cm-variable-example + resources: + - test-env-dev + result: fail + rule: example-configmap-lookup +- kind: Pod + policy: cm-array-example + resources: + - test-web + result: fail + rule: validate-role-annotation +- kind: Pod + policy: cm-array-example + resources: + - test-app + result: pass + rule: validate-role-annotation +- kind: Pod + policy: cm-blk-scalar-example + resources: + - test-blk-web + result: fail + rule: validate-blk-role-annotation +- kind: Pod + policy: cm-blk-scalar-example + resources: + - test-blk-app + result: pass + rule: validate-blk-role-annotation +- kind: Pod + policy: cm-globalval-example + resources: + - test-global-dev + result: pass + rule: validate-mode +- kind: Pod + policy: cm-globalval-example + resources: + - test-global-prod + result: fail + rule: validate-mode +- kind: Pod + policy: images + resources: + - test-pod-with-non-root-user-image + result: pass + rule: only-allow-trusted-images +- kind: Pod + policy: images + resources: + - test-pod-with-trusted-registry + result: pass + rule: only-allow-trusted-images +- kind: Pod + policy: images + resources: + - test-pod-with-non-trusted-registry + result: fail + rule: only-allow-trusted-images +variables: variables.yaml diff --git a/test/cli/test/wildcard_match_label_selector/kyverno-test.yaml b/test/cli/test/wildcard_match_label_selector/kyverno-test.yaml index 967a870fb8..cde729615f 100644 --- a/test/cli/test/wildcard_match_label_selector/kyverno-test.yaml +++ b/test/cli/test/wildcard_match_label_selector/kyverno-test.yaml 
@@ -1,31 +1,36 @@ name: wildcard-support-in-matchlabels policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: wildcard-support-in-matchlabels - rule: wildcard-label - resource: my-service-1 - kind: Pod - result: pass - - policy: wildcard-support-in-matchlabels - rule: label-end-with-test - resource: my-service-2 - kind: Pod - result: pass - - policy: wildcard-support-in-matchlabels - rule: label-end-with-test - resource: my-service-3 - kind: Pod - result: skip - - policy: wildcard-support-in-matchlabels - rule: label-start-with-test - resource: my-service-4 - kind: Pod - result: pass - - policy: wildcard-support-in-matchlabels - rule: label-start-with-test - resource: my-service-5 - kind: Pod - result: skip \ No newline at end of file +- kind: Pod + policy: wildcard-support-in-matchlabels + resources: + - my-service-1 + result: pass + rule: wildcard-label +- kind: Pod + policy: wildcard-support-in-matchlabels + resources: + - my-service-2 + result: pass + rule: label-end-with-test +- kind: Pod + policy: wildcard-support-in-matchlabels + resources: + - my-service-3 + result: skip + rule: label-end-with-test +- kind: Pod + policy: wildcard-support-in-matchlabels + resources: + - my-service-4 + result: pass + rule: label-start-with-test +- kind: Pod + policy: wildcard-support-in-matchlabels + resources: + - my-service-5 + result: skip + rule: label-start-with-test diff --git a/test/cli/test/wildcard_mutate/kyverno-test.yaml b/test/cli/test/wildcard_mutate/kyverno-test.yaml index 6520b88ed6..4448cbc76b 100644 --- a/test/cli/test/wildcard_mutate/kyverno-test.yaml +++ b/test/cli/test/wildcard_mutate/kyverno-test.yaml 
@@ -1,18 +1,20 @@ name: wildcard-support-in-matchlabels policies: - - policy.yaml +- policy.yaml resources: - - resources.yaml +- resources.yaml results: - - policy: mutate-wildcard - rule: mutate-wildcard - resource: wildcard-mutate - patchedResource: patchedResource.yaml - kind: Pod - result: pass - - policy: mutate-wildcard - rule: mutate-wildcard - resource: wildcard-mutate-fail - patchedResource: patchedResource1.yaml - kind: Pod - result: fail \ No newline at end of file +- kind: Pod + patchedResource: patchedResource.yaml + policy: mutate-wildcard + resources: + - wildcard-mutate + result: pass + rule: mutate-wildcard +- kind: Pod + patchedResource: patchedResource1.yaml + policy: mutate-wildcard + resources: + - wildcard-mutate-fail + result: fail + rule: mutate-wildcard