feat: add fix test cli command (#8213)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

cmd/cli/kubectl-kyverno/fix/command.go

@@ -0,0 +1,21 @@
+package fix
+
+import (
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/fix/test"
+	"github.com/spf13/cobra"
+)
+
+func Command() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "fix",
+		Short:   "Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.",
+		Example: "",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+	cmd.AddCommand(
+		test.Command(),
+	)
+	return cmd
+}

cmd/cli/kubectl-kyverno/fix/test/command.go

@@ -0,0 +1,95 @@
+package test
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+	"sigs.k8s.io/yaml"
+)
+
+func Command() *cobra.Command {
+	var fileName string
+	var save bool
+	cmd := &cobra.Command{
+		Use:     "test",
+		Short:   "Fix inconsistencies and deprecated usage in Kyverno test files.",
+		Example: "",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			var testCases []testCase
+			for _, arg := range args {
+				tests, err := loadTests(arg, fileName)
+				if err != nil {
+					return err
+				}
+				testCases = append(testCases, tests...)
+			}
+			for _, testCase := range testCases {
+				fmt.Printf("Processing test file (%s)...", testCase.path)
+				fmt.Println()
+				if testCase.err != nil {
+					fmt.Printf("  ERROR: loading test file (%s): %s", testCase.path, testCase.err)
+					fmt.Println()
+					continue
+				}
+				test := testCase.test
+				needsSave := false
+				if test.Name == "" {
+					fmt.Println("  WARNING: name is not set")
+					test.Name = filepath.Base(testCase.path)
+					needsSave = true
+				}
+				if len(test.Policies) == 0 {
+					fmt.Println("  WARNING: test has no policies")
+				}
+				if len(test.Resources) == 0 {
+					fmt.Println("  WARNING: test has no policies")
+				}
+				for i := range test.Results {
+					result := &test.Results[i]
+					if result.Resource != "" && len(result.Resources) != 0 {
+						fmt.Println("  WARNING: test result should not use both `resource` and `resources` fields")
+					}
+					if result.Resource != "" {
+						fmt.Println("  WARNING: test result uses deprecated `resource` field, moving it into the `resources` field")
+						result.Resources = append(result.Resources, result.Resource)
+						result.Resource = ""
+						needsSave = true
+					}
+					if result.Status != "" && result.Result != "" {
+						fmt.Println("  ERROR: test result should not use both `status` and `result` fields")
+					}
+					if result.Status != "" && result.Result == "" {
+						fmt.Println("  WARNING: test result uses deprecated `status` field, moving it into the `result` field")
+						result.Result = result.Status
+						result.Status = ""
+						needsSave = true
+					}
+				}
+				if save && needsSave {
+					fmt.Printf("  Saving test file (%s)...", testCase.path)
+					fmt.Println()
+					yamlBytes, err := yaml.Marshal(test)
+					if err != nil {
+						fmt.Printf("    ERROR: converting test to yaml: %s", err)
+						fmt.Println()
+						continue
+					}
+					if err := os.WriteFile(testCase.path, yamlBytes, os.ModePerm); err != nil {
+						fmt.Printf("    ERROR: saving test file (%s): %s", testCase.path, err)
+						fmt.Println()
+						continue
+					}
+					fmt.Println("    OK")
+				}
+				fmt.Println()
+			}
+			fmt.Println("Done.")
+			return nil
+		},
+	}
+	cmd.Flags().StringVarP(&fileName, "file-name", "f", "kyverno-test.yaml", "Test filename")
+	cmd.Flags().BoolVar(&save, "save", false, "Save fixed file")
+	return cmd
+}

cmd/cli/kubectl-kyverno/fix/test/load.go

@@ -0,0 +1,61 @@
+package test
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test/api"
+	"k8s.io/apimachinery/pkg/util/yaml"
+)
+
+type testCase struct {
+	path string
+	test *api.Test
+	err  error
+}
+
+func loadTests(dirPath string, fileName string) ([]testCase, error) {
+	return loadLocalTest(filepath.Clean(dirPath), fileName)
+}
+
+func loadLocalTest(path string, fileName string) ([]testCase, error) {
+	var tests []testCase
+	files, err := os.ReadDir(path)
+	if err != nil {
+		return nil, err
+	}
+	for _, file := range files {
+		if file.IsDir() {
+			ps, err := loadLocalTest(filepath.Join(path, file.Name()), fileName)
+			if err != nil {
+				return nil, err
+			}
+			tests = append(tests, ps...)
+		} else if file.Name() == fileName {
+			tests = append(tests, loadTest(path, file.Name()))
+		}
+	}
+	return tests, nil
+}
+
+func loadTest(dirPath string, fileName string) testCase {
+	path := filepath.Join(dirPath, fileName)
+	yamlBytes, err := os.ReadFile(path) // #nosec G304
+	if err != nil {
+		return testCase{
+			path: path,
+			err:  err,
+		}
+	}
+	var test api.Test
+	if err := yaml.UnmarshalStrict(yamlBytes, &test); err != nil {
+		return testCase{
+			path: path,
+			err:  err,
+		}
+	}
+	return testCase{
+		path: path,
+		test: &test,
+	}
+}

cmd/cli/kubectl-kyverno/main.go

@@ -9,6 +9,7 @@ import (
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apply"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/create"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/docs"
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/fix"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/jp"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/oci"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test"
@@ -58,6 +59,9 @@ func registerCommands(cli *cobra.Command) {
 		version.Command(),
 	)
 	if enableExperimental() {
-		cli.AddCommand(oci.Command())
+		cli.AddCommand(
+			fix.Command(),
+			oci.Command(),
+		)
 	}
 }

cmd/cli/kubectl-kyverno/test/api/types.go

@@ -10,10 +10,10 @@ type Test struct {
 	Name      string        `json:"name"`
 	Policies  []string      `json:"policies"`
 	Resources []string      `json:"resources"`
-	Variables string        `json:"variables"`
+	Variables string        `json:"variables,omitempty"`
-	UserInfo  string        `json:"userinfo"`
+	UserInfo  string        `json:"userinfo,omitempty"`
 	Results   []TestResults `json:"results"`
-	Values    *Values       `json:"values"`
+	Values    *Values       `json:"values,omitempty"`
 }
 
 type TestResults struct {
@@ -26,33 +26,33 @@ type TestResults struct {
 	// IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy.
 	// It's required in case policy is a validating admission policy.
 	// +optional
-	IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy"`
+	IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy,omitempty"`
 	// Result mentions the result that the user is expecting.
 	// Possible values are pass, fail and skip.
 	Result policyreportv1alpha2.PolicyResult `json:"result"`
 	// Status mentions the status that the user is expecting.
 	// Possible values are pass, fail and skip.
-	Status policyreportv1alpha2.PolicyResult `json:"status"`
+	Status policyreportv1alpha2.PolicyResult `json:"status,omitempty"`
 	// Resource mentions the name of the resource on which the policy is to be applied.
-	Resource string `json:"resource"`
+	Resource string `json:"resource,omitempty"`
 	// Resources gives us the list of resources on which the policy is going to be applied.
 	Resources []string `json:"resources"`
 	// Kind mentions the kind of the resource on which the policy is to be applied.
 	Kind string `json:"kind"`
 	// Namespace mentions the namespace of the policy which has namespace scope.
-	Namespace string `json:"namespace"`
+	Namespace string `json:"namespace,omitempty"`
 	// PatchedResource takes a resource configuration file in yaml format from
 	// the user to compare it against the Kyverno mutated resource configuration.
-	PatchedResource string `json:"patchedResource"`
+	PatchedResource string `json:"patchedResource,omitempty"`
-	// AutoGeneratedRule is internally set by the CLI command. It takes values either
-	// autogen or autogen-cronjob.
-	AutoGeneratedRule string `json:"auto_generated_rule"`
 	// GeneratedResource takes a resource configuration file in yaml format from
 	// the user to compare it against the Kyverno generated resource configuration.
-	GeneratedResource string `json:"generatedResource"`
+	GeneratedResource string `json:"generatedResource,omitempty"`
 	// CloneSourceResource takes the resource configuration file in yaml format
 	// from the user which is meant to be cloned by the generate rule.
-	CloneSourceResource string `json:"cloneSourceResource"`
+	CloneSourceResource string `json:"cloneSourceResource,omitempty"`
+	// AutoGeneratedRule is internally set by the CLI command. It takes values either
+	// autogen or autogen-cronjob.
+	AutoGeneratedRule string `json:"auto_generated_rule,omitempty"`
 }
 
 type ReportResult struct {

docs/user/cli/kyverno.md

@@ -31,6 +31,7 @@ To enable experimental commands, KYVERNO_EXPERIMENTAL should be configured with
 * [kyverno completion](kyverno_completion.md)	 - Generate the autocompletion script for the specified shell
 * [kyverno create](kyverno_create.md)	 - Provides a command-line interface to help with the creation of various Kyverno resources.
 * [kyverno docs](kyverno_docs.md)	 - Generates documentation.
+* [kyverno fix](kyverno_fix.md)	 - Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.
 * [kyverno jp](kyverno_jp.md)	 - Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.
 * [kyverno oci](kyverno_oci.md)	 - Pulls/pushes images that include policie(s) from/to OCI registries.
 * [kyverno test](kyverno_test.md)	 - Run tests from directory.

docs/user/cli/kyverno_fix.md

@@ -0,0 +1,37 @@
+## kyverno fix
+
+Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.
+
+```
+kyverno fix [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for fix
+```
+
+### Options inherited from parent commands
+
+```
+      --add_dir_header                   If true, adds the file directory to the header of the log messages
+      --alsologtostderr                  log to standard error as well as files (no effect when -logtostderr=true)
+      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                   If non-empty, write log files in this directory (no effect when -logtostderr=true)
+      --log_file string                  If non-empty, use this log file (no effect when -logtostderr=true)
+      --log_file_max_size uint           Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                      log to standard error instead of files (default true)
+      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
+      --skip_headers                     If true, avoid header prefixes in the log messages
+      --skip_log_headers                 If true, avoid headers when opening log files (no effect when -logtostderr=true)
+      --stderrthreshold severity         logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
+  -v, --v Level                          number for the log level verbosity
+      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
+```
+
+### SEE ALSO
+
+* [kyverno](kyverno.md)	 - Kubernetes Native Policy Management
+* [kyverno fix test](kyverno_fix_test.md)	 - Fix inconsistencies and deprecated usage in Kyverno test files.
+

docs/user/cli/kyverno_fix_test.md

@@ -0,0 +1,38 @@
+## kyverno fix test
+
+Fix inconsistencies and deprecated usage in Kyverno test files.
+
+```
+kyverno fix test [flags]
+```
+
+### Options
+
+```
+  -f, --file-name string   Test filename (default "kyverno-test.yaml")
+  -h, --help               help for test
+      --save               Save fixed file
+```
+
+### Options inherited from parent commands
+
+```
+      --add_dir_header                   If true, adds the file directory to the header of the log messages
+      --alsologtostderr                  log to standard error as well as files (no effect when -logtostderr=true)
+      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                   If non-empty, write log files in this directory (no effect when -logtostderr=true)
+      --log_file string                  If non-empty, use this log file (no effect when -logtostderr=true)
+      --log_file_max_size uint           Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                      log to standard error instead of files (default true)
+      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
+      --skip_headers                     If true, avoid header prefixes in the log messages
+      --skip_log_headers                 If true, avoid headers when opening log files (no effect when -logtostderr=true)
+      --stderrthreshold severity         logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
+  -v, --v Level                          number for the log level verbosity
+      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
+```
+
+### SEE ALSO
+
+* [kyverno fix](kyverno_fix.md)	 - Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.
+

test/cli/registry/kyverno-test.yaml

@@ -1,21 +1,24 @@
 name: test-registry
 policies:
-  - image-example.yaml
+- image-example.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: images
+- kind: Pod
-    rule: only-allow-trusted-images
+  policy: images
-    resource: test-pod-with-non-root-user-image
+  resources:
-    kind: Pod
+  - test-pod-with-non-root-user-image
-    status: pass
+  result: pass
-  - policy: images
+  rule: only-allow-trusted-images
-    rule: only-allow-trusted-images
+- kind: Pod
-    resource: test-pod-with-trusted-registry
+  policy: images
-    kind: Pod
+  resources:
-    status: pass
+  - test-pod-with-trusted-registry
-  - policy: check-image-base
+  result: pass
-    rule: check-image-base-rule
+  rule: only-allow-trusted-images
-    resource: test-pod-with-trusted-registry
+- kind: Pod
-    kind: Pod
+  policy: check-image-base
-    status: pass
+  resources:
+  - test-pod-with-trusted-registry
+  result: pass
+  rule: check-image-base-rule

test/cli/scenarios_to_cli/other/scenario_mutate_endpoint/kyverno-test.yaml

@@ -1,12 +1,13 @@
 name: policy-endpoints
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: policy-endpoints
+- kind: Endpoints
-    rule: pEP
+  patchedResource: patchedresource.yaml
-    resource: test-endpoint
+  policy: policy-endpoints
-    patchedresource: patchedresource.yaml
+  resources:
-    kind: Endpoints
+  - test-endpoint
-    result: pass
+  result: pass
+  rule: pEP

test/cli/scenarios_to_cli/other/scenario_mutate_pod_spec/kyverno-test.yaml

@@ -1,12 +1,13 @@
 name: mutate-pods-spec
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: mutate-pods-spec
+- kind: Deployment
-    rule: disable-servicelink-and-token
+  patchedResource: patchedresource.yaml
-    resource: nginx-deployment
+  policy: mutate-pods-spec
-    patchedresource: patchedresource.yaml
+  resources:
-    kind: Deployment
+  - nginx-deployment
-    result: pass
+  result: pass
+  rule: disable-servicelink-and-token

test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/kyverno-test.yaml

@@ -1,11 +1,12 @@
 name: validate-default-proc-mount
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: validate-default-proc-mount
+- kind: Pod
-    rule: validate-default-proc-mount
+  policy: validate-default-proc-mount
-    resource: nginx-proc-mount
+  resources:
-    kind: Pod
+  - nginx-proc-mount
-    result: pass
+  result: pass
+  rule: validate-default-proc-mount

test/cli/scenarios_to_cli/other/scenario_validate_disallow_default_serviceaccount/kyverno-test.yaml

@@ -1,11 +1,12 @@
 name: validate-disallow-default-serviceaccount
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: validate-disallow-default-serviceaccount
+- kind: Pod
-    rule: prevent-mounting-default-serviceaccount
+  policy: validate-disallow-default-serviceaccount
-    resource: pod-with-default-sa
+  resources:
-    kind: Pod
+  - pod-with-default-sa
-    result: fail
+  result: fail
+  rule: prevent-mounting-default-serviceaccount

test/cli/scenarios_to_cli/other/scenario_validate_healthChecks/kyverno-test.yaml

@@ -1,16 +1,18 @@
 name: check-probe-exists
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: check-probe-exists
+- kind: Pod
-    rule: check-readinessProbe-exists
+  policy: check-probe-exists
-    resource: probe
+  resources:
-    kind: Pod
+  - probe
-    result: pass
+  result: pass
-  - policy: check-probe-exists
+  rule: check-readinessProbe-exists
-    rule: check-livenessProbe-exists
+- kind: Pod
-    resource: probe
+  policy: check-probe-exists
-    kind: Pod
+  resources:
-    result: pass
+  - probe
+  result: pass
+  rule: check-livenessProbe-exists

test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/kyverno-test.yaml

@@ -1,11 +1,12 @@
 name: validate-selinux-options
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: validate-selinux-options
+- kind: Pod
-    rule: validate-selinux-options
+  policy: validate-selinux-options
-    resource: busybox-selinux
+  resources:
-    kind: Pod
+  - busybox-selinux
-    result: fail
+  result: fail
+  rule: validate-selinux-options

test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/kyverno-test.yaml

@@ -1,11 +1,12 @@
 name: validate-volumes-whitelist
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-- policy: validate-volumes-whitelist
+- kind: Pod
-  rule: validate-volumes-whitelist
+  policy: validate-volumes-whitelist
-  resource: test-volumes
+  resources:
-  kind: Pod
+  - test-volumes
   result: pass
+  rule: validate-volumes-whitelist

test/cli/scenarios_to_cli/samples/more/restrict_ingress_classes/kyverno-test.yaml

@@ -1,11 +1,12 @@
 name: restrict-ingress-classes
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: restrict-ingress-classes
+- kind: Ingress
-    rule: validate-ingress
+  policy: restrict-ingress-classes
-    resource: test-ingress
+  resources:
-    kind: Ingress
+  - test-ingress
-    result: pass
+  result: pass
+  rule: validate-ingress

test/cli/test-fail/invalid-ns/kyverno-test.yaml

@@ -1,11 +1,12 @@
 name: test-exclude
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: restrict-labels
+- kind: Namespace
-    rule: restrict-labels
+  policy: restrict-labels
-    resource: kyverno-system-tst
+  resources:
-    kind: Namespace
+  - kyverno-system-tst
-    result: fail
+  result: fail
+  rule: restrict-labels

test/cli/test-fail/missing-policy/kyverno-test.yaml

@@ -1,11 +1,12 @@
 name: test-simple
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: missing
+- kind: Pod
-    rule: validate-image-tag
+  policy: missing
-    resource: test
+  resources:
-    kind: Pod
+  - test
-    result: pass
+  result: pass
+  rule: validate-image-tag

test/cli/test-fail/missing-resource/kyverno-test.yaml

@@ -1,11 +1,12 @@
 name: test-simple
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: disallow-latest-tag
+- kind: Pod
-    rule: validate-image-tag
+  policy: disallow-latest-tag
-    resource: missing
+  resources:
-    kind: Pod
+  - missing
-    result: pass
+  result: pass
+  rule: validate-image-tag

test/cli/test-fail/missing-rule/kyverno-test.yaml

@@ -1,11 +1,12 @@
 name: test-simple
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: disallow-latest-tag
+- kind: Pod
-    rule: missing
+  policy: disallow-latest-tag
-    resource: test
+  resources:
-    kind: Pod
+  - test
-    status: pass
+  result: pass
+  rule: missing

test/cli/test-generate/add-network-policy/kyverno-test.yaml

@@ -1,12 +1,13 @@
 name: deny-all-traffic
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: add-networkpolicy
+- generatedResource: generatedResource.yaml
-    rule: default-deny
+  kind: Namespace
-    resource: hello-world-namespace
+  policy: add-networkpolicy
-    generatedResource: generatedResource.yaml
+  resources:
-    kind: Namespace
+  - hello-world-namespace
-    result: pass
+  result: pass
+  rule: default-deny

test/cli/test-generate/add-quota/kyverno-test.yaml

@@ -1,18 +1,20 @@
 name: add-quota
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: add-ns-quota
+- generatedResource: generatedResourceQuota.yaml
-    rule: generate-resourcequota
+  kind: Namespace
-    resource: hello-world-namespace
+  policy: add-ns-quota
-    generatedResource: generatedResourceQuota.yaml
+  resources:
-    kind: Namespace
+  - hello-world-namespace
-    result: pass
+  result: pass
-  - policy: add-ns-quota
+  rule: generate-resourcequota
-    rule: generate-limitrange
+- generatedResource: generatedLimitRange.yaml
-    resource: hello-world-namespace
+  kind: Namespace
-    generatedResource: generatedLimitRange.yaml
+  policy: add-ns-quota
-    kind: Namespace
+  resources:
-    result: pass
+  - hello-world-namespace
+  result: pass
+  rule: generate-limitrange

test/cli/test-generate/create-default-pdb/kyverno-test.yaml

@@ -1,13 +1,14 @@
 name: pdb-test
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: create-default-pdb
+- generatedResource: generatedResource.yaml
-    rule: create-default-pdb
+  kind: Deployment
-    resource: nginx-deployment
+  namespace: hello-world
-    generatedResource: generatedResource.yaml
+  policy: create-default-pdb
-    kind: Deployment
+  resources:
-    result: pass
+  - nginx-deployment
-    namespace: hello-world
+  result: pass
+  rule: create-default-pdb

test/cli/test-generate/multiple-resources/kyverno-test.yaml

@@ -1,18 +1,20 @@
 name: multiple-resources
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: test-policy
+- generatedResource: generated-resource-1.yaml
-    rule: rule
+  kind: Deployment
-    resource: resource-a
+  policy: test-policy
-    generatedResource: generated-resource-1.yaml
+  resources:
-    kind: Deployment
+  - resource-a
-    result: pass
+  result: pass
-  - policy: test-policy
+  rule: rule
-    rule: rule
+- generatedResource: generated-resource-2.yaml
-    resource: resource-b
+  kind: Deployment
-    generatedResource: generated-resource-2.yaml
+  policy: test-policy
-    kind: Deployment
+  resources:
-    result: pass
+  - resource-b
+  result: pass
+  rule: rule

test/cli/test-generate/sync-secrets/kyverno-test.yaml

@@ -1,13 +1,14 @@
 name: sync-secrets
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: sync-secrets
+- cloneSourceResource: cloneSourceResource.yaml
-    rule: sync-image-pull-secret
+  generatedResource: generatedResource.yaml
-    resource: hello-world-namespace
+  kind: Namespace
-    generatedResource: generatedResource.yaml
+  policy: sync-secrets
-    cloneSourceResource: cloneSourceResource.yaml
+  resources:
-    kind: Namespace
+  - hello-world-namespace
-    result: pass
+  result: pass
+  rule: sync-image-pull-secret

test/cli/test-mutate/foreach/addIfNotPresent/kyverno-test.yaml

@@ -1,12 +1,13 @@
-name: foreach-mutate
+name: foreach-mutate
-policies:
+policies:
-  - policies.yaml
+- policies.yaml
-resources:
+resources:
-  - resources.yaml
+- resources.yaml
-results:
+results:
-  - policy: mutate-emptydir
+- kind: Deployment
-    rule: setDefault
+  patchedResource: deploy-patched.yaml
-    resource: svc-sizelimit-test
+  policy: mutate-emptydir
-    patchedResource: deploy-patched.yaml
+  resources:
-    kind: Deployment
+  - svc-sizelimit-test
-    result: pass
+  result: pass
+  rule: setDefault

test/cli/test-mutate/foreach/cumulativePatch/kyverno-test.yaml

@@ -1,12 +1,13 @@
 name: foreach-mutate
 policies:
-  - policies.yaml
+- policies.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: add-default-resources
+- kind: Pod
-    rule: add-default-requests
+  patchedResource: patched.yaml
-    resource: badpod
+  policy: add-default-resources
-    patchedResource: patched.yaml
+  resources:
-    kind: Pod
+  - badpod
-    result: pass
+  result: pass
+  rule: add-default-requests

test/cli/test-mutate/foreach/kyverno-test.yaml

@@ -1,19 +1,21 @@
 name: foreach-mutate
 policies:
-  - policies.yaml
+- policies.yaml
 resources:
-  - resources.yaml
+- resources.yaml
-variables: values.yaml
 results:
-  - policy: foreach-json-patch
+- kind: Pod
-    rule: add-security-context
+  patchedResource: patched-resource.yaml
-    resource: nginx
+  policy: foreach-json-patch
-    patchedResource: patched-resource.yaml
+  resources:
-    kind: Pod
+  - nginx
-    result: pass
+  result: pass
-  - policy: mutate-images
+  rule: add-security-context
-    rule: test
+- kind: Pod
-    resource: mypod
+  patchedResource: pod-updated-image.yaml
-    patchedResource: pod-updated-image.yaml
+  policy: mutate-images
-    kind: Pod
+  resources:
-    result: pass
+  - mypod
+  result: pass
+  rule: test
+variables: values.yaml

test/cli/test-mutate/foreach/replaceRegistry/kyverno-test.yaml

@@ -1,12 +1,13 @@
-name: foreach-mutate
+name: foreach-mutate
-policies:
+policies:
-  - policies.yaml
+- policies.yaml
-resources:
+resources:
-  - resources.yaml
+- resources.yaml
-results:
+results:
-  - policy: replace-image-registry-containers
+- kind: Pod
-    rule: set-default
+  patchedResource: pod-patched.yaml
-    resource: test-patched-image
+  policy: replace-image-registry-containers
-    patchedResource: pod-patched.yaml
+  resources:
-    kind: Pod
+  - test-patched-image
-    result: pass
+  result: pass
+  rule: set-default

test/cli/test-mutate/global-anchor/kyverno-test.yaml

@@ -1,28 +1,32 @@
 name: validate-service-loadbalancer
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: add-safe-to-evict
+- kind: Pod
-    rule: annotate-empty-dir
+  policy: add-safe-to-evict
-    resource: pod-without-emptydir-hostpath
+  resources:
-    kind: Pod
+  - pod-without-emptydir-hostpath
-    result: skip
+  result: skip
-  - policy: add-safe-to-evict
+  rule: annotate-empty-dir
-    rule: annotate-empty-dir
+- kind: Pod
-    resource: pod-with-emptydir-hostpath
+  patchedResource: patchedResource.yaml
-    patchedResource: patchedResource.yaml
+  policy: add-safe-to-evict
-    kind: Pod
+  resources:
-    result: pass
+  - pod-with-emptydir-hostpath
-  - policy: add-safe-to-evict
+  result: pass
-    rule: annotate-empty-dir
+  rule: annotate-empty-dir
-    resource: pod-with-emptydir-hostpath-1
+- kind: Pod
-    patchedResource: patchedResourceWithVolume.yaml
+  patchedResource: patchedResourceWithVolume.yaml
-    kind: Pod
+  policy: add-safe-to-evict
-    result: pass
+  resources:
-  - policy: add-safe-to-evict
+  - pod-with-emptydir-hostpath-1
-    rule: annotate-empty-dir
+  result: pass
-    resource: pod-without-emptydir-hostpath-1
+  rule: annotate-empty-dir
-    kind: Pod
+- kind: Pod
-    result: skip
+  policy: add-safe-to-evict
+  resources:
+  - pod-without-emptydir-hostpath-1
+  result: skip
+  rule: annotate-empty-dir

test/cli/test-mutate/kyverno-test.yaml

@@ -1,90 +1,103 @@
 name: add-nodeselector
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: add-label
+- kind: Pod
-    rule: add-label
+  namespace: practice
-    resource: resource-equal-to-patch-res-for-cp
+  patchedResource: patchedResource1.yaml
-    patchedResource: patchedResource1.yaml
+  policy: add-label
-    kind: Pod
+  resources:
-    namespace: practice
+  - resource-equal-to-patch-res-for-cp
-    result: skip
+  result: skip
-  - policy: add-label
+  rule: add-label
-    rule: add-label
+- kind: Pod
-    resource: same-name-but-diff-namespace
+  namespace: testing
-    patchedResource: patchedResource2.yaml
+  patchedResource: patchedResource2.yaml
-    kind: Pod
+  policy: add-label
-    namespace: testing
+  resources:
-    result: pass
+  - same-name-but-diff-namespace
-  - policy: add-label
+  result: pass
-    rule: add-label
+  rule: add-label
-    resource: same-name-but-diff-namespace
+- kind: Pod
-    patchedResource: patchedResource3.yaml
+  namespace: production
-    kind: Pod
+  patchedResource: patchedResource3.yaml
-    namespace: production
+  policy: add-label
-    result: pass
+  resources:
-  - policy: add-label
+  - same-name-but-diff-namespace
-    rule: add-label
+  result: pass
-    resource: mydeploy
+  rule: add-label
-    patchedResource: patchedResource4.yaml
+- kind: Deployment
-    kind: Deployment
+  patchedResource: patchedResource4.yaml
-    result: pass
+  policy: add-label
-  - policy: add-label
+  resources:
-    rule: add-label
+  - mydeploy
-    resource: same-name-but-diff-kind
+  result: pass
-    patchedResource: patchedResource5.yaml
+  rule: add-label
-    kind: Service
+- kind: Service
-    result: skip
+  patchedResource: patchedResource5.yaml
-  - policy: add-label
+  policy: add-label
-    rule: add-label
+  resources:
-    resource: same-name-but-diff-kind
+  - same-name-but-diff-kind
-    patchedResource: patchedResource6.yaml
+  result: skip
-    kind: Pod
+  rule: add-label
-    result: pass
+- kind: Pod
-  - policy: add-ndots
+  patchedResource: patchedResource6.yaml
-    rule: add-ndots
+  policy: add-label
-    resource: resource-equal-to-patch-res-for-cp
+  resources:
-    namespace: practice
+  - same-name-but-diff-kind
-    patchedResource: patchedResource7.yaml
+  result: pass
-    kind: Pod
+  rule: add-label
-    result: skip
+- kind: Pod
-  - policy: add-ndots
+  namespace: practice
-    rule: add-ndots
+  patchedResource: patchedResource7.yaml
-    resource: same-name-but-diff-namespace
+  policy: add-ndots
-    patchedResource: patchedResource8.yaml
+  resources:
-    namespace: testing
+  - resource-equal-to-patch-res-for-cp
-    kind: Pod
+  result: skip
-    result: pass
+  rule: add-ndots
-  - policy: add-ndots
+- kind: Pod
-    rule: add-ndots
+  namespace: testing
-    resource: same-name-but-diff-namespace
+  patchedResource: patchedResource8.yaml
-    patchedResource: patchedResource9.yaml
+  policy: add-ndots
-    kind: Pod
+  resources:
-    namespace: production
+  - same-name-but-diff-namespace
-    result: skip
+  result: pass
-  - policy: add-ndots
+  rule: add-ndots
-    rule: add-ndots
+- kind: Pod
-    resource: mydeploy
+  namespace: production
-    patchedResource: patchedResource10.yaml
+  patchedResource: patchedResource9.yaml
-    kind: Deployment
+  policy: add-ndots
-    result: skip
+  resources:
-  - policy: add-ndots
+  - same-name-but-diff-namespace
-    rule: add-ndots
+  result: skip
-    resource: same-name-but-diff-kind
+  rule: add-ndots
-    patchedResource: patchedResource5.yaml
+- kind: Deployment
-    kind: Service
+  patchedResource: patchedResource10.yaml
-    result: skip
+  policy: add-ndots
-  - policy: add-ndots
+  resources:
-    rule: add-ndots
+  - mydeploy
-    resource: same-name-but-diff-kind
+  result: skip
-    patchedResource: patchedResource11.yaml
+  rule: add-ndots
-    kind: Pod
+- kind: Service
-    result: skip
+  patchedResource: patchedResource5.yaml
-  - policy: example
+  policy: add-ndots
-    rule: object_from_lists
+  resources:
-    resource: example
+  - same-name-but-diff-kind
-    patchedResource: patched-resource.yaml
+  result: skip
-    kind: Pod
+  rule: add-ndots
-    result: pass
+- kind: Pod
+  patchedResource: patchedResource11.yaml
+  policy: add-ndots
+  resources:
+  - same-name-but-diff-kind
+  result: skip
+  rule: add-ndots
+- kind: Pod
+  patchedResource: patched-resource.yaml
+  policy: example
+  resources:
+  - example
+  result: pass
+  rule: object_from_lists

test/cli/test-mutate/patched-resource/kyverno-test.yaml

@@ -1,20 +1,25 @@
 name: add-default-resources-test
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
-variables: variables.yaml
 results:
-  - policy: add-default-resources
+- kind: Pod
-    rule: add-default-requests
+  patchedResource: patched-resource.yaml
-    resource: nginx-demo
+  policy: add-default-resources
-    patchedResource: patched-resource.yaml
+  resources:
-    kind: Pod
+  - nginx-demo
-    result: pass
+  result: pass
+  rule: add-default-requests
 values:
+  globalValues: null
+  namespaceSelector: null
   policies:
   - name: add-default-resources
     resources:
     - name: nginx-demo
       values:
         request.operation: CREATE
+    rules: null
+  subresources: null
+variables: variables.yaml

test/cli/test/admission_user_info/kyverno-test.yaml

@@ -1,38 +1,43 @@
 name: admission-user-info
 policies:
-  -  disallow_latest_tag.yaml
+- disallow_latest_tag.yaml
 resources:
-  -  resource.yaml
+- resource.yaml
-userinfo: user_info.yaml
-
 results:
-  - policy: disallow-latest-tag
+- kind: Pod
-    rule: require-image-tag
+  policy: disallow-latest-tag
-    resource: myapp-pod1
+  resources:
-    kind: Pod
+  - myapp-pod1
-    result: pass
+  result: pass
-  - policy: disallow-latest-tag
+  rule: require-image-tag
-    rule: require-image-tag
+- kind: Pod
-    resource: myapp-pod2
+  policy: disallow-latest-tag
-    kind: Pod
+  resources:
-    result: pass
+  - myapp-pod2
-  - policy: disallow-latest-tag
+  result: pass
-    rule: require-image-tag
+  rule: require-image-tag
-    resource: myapp-pod3
+- kind: Pod
-    kind: Pod
+  policy: disallow-latest-tag
-    result: pass
+  resources:
-  - policy: disallow-latest-tag
+  - myapp-pod3
-    rule: validate-image-tag
+  result: pass
-    resource: myapp-pod1
+  rule: require-image-tag
-    kind: Pod
+- kind: Pod
-    result: pass
+  policy: disallow-latest-tag
-  - policy: disallow-latest-tag
+  resources:
-    rule: validate-image-tag
+  - myapp-pod1
-    resource: myapp-pod2
+  result: pass
-    kind: Pod
+  rule: validate-image-tag
-    result: pass
+- kind: Pod
-  - policy: disallow-latest-tag
+  policy: disallow-latest-tag
-    rule: validate-image-tag
+  resources:
-    resource: myapp-pod3
+  - myapp-pod2
-    kind: Pod
+  result: pass
-    result: pass
+  rule: validate-image-tag
+- kind: Pod
+  policy: disallow-latest-tag
+  resources:
+  - myapp-pod3
+  result: pass
+  rule: validate-image-tag
+userinfo: user_info.yaml

test/cli/test/any-all-wildcard/kyverno-test.yaml

@@ -1,24 +1,27 @@
 name: disallow-protected-namespaces
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: disallow-protected-namespaces
+- kind: Pod
-    rule: disallow
+  namespace: namespace1
-    resource: test1
+  policy: disallow-protected-namespaces
-    kind: Pod
+  resources:
-    namespace: namespace1
+  - test1
-    result: fail
+  result: fail
-  - policy: disallow-protected-namespaces
+  rule: disallow
-    rule: disallow
+- kind: Pod
-    resource: test2
+  namespace: namespace2
-    kind: Pod
+  policy: disallow-protected-namespaces
-    namespace: namespace2
+  resources:
-    result: fail
+  - test2
-  - policy: disallow-protected-namespaces
+  result: fail
-    rule: disallow
+  rule: disallow
-    resource: test3
+- kind: Pod
-    kind: Pod
+  namespace: namespace3
-    namespace: namespace3
+  policy: disallow-protected-namespaces
-    result: skip
+  resources:
+  - test3
+  result: skip
+  rule: disallow

test/cli/test/any-namespaceSelector/kyverno-test.yaml

@@ -1,14 +1,14 @@
----
 name: enforce-pod-name
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
-variables: value.yaml
 results:
-  - policy: enforce-pod-name
+- kind: Pod
-    rule: validate-name
+  namespace: test1
-    resource: test-nginx
+  policy: enforce-pod-name
-    kind: Pod
+  resources:
-    namespace: test1
+  - test-nginx
-    result: pass
+  result: pass
+  rule: validate-name
+variables: value.yaml

test/cli/test/anypattern_skip_error/kyverno-test.yaml

@@ -1,26 +1,30 @@
 name: validate-service-loadbalancer
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: validate-service-loadbalancer
+- kind: Service
-    rule: check-loadbalancer-public
+  policy: validate-service-loadbalancer
-    resource: service-public-pass
+  resources:
-    kind: Service
+  - service-public-pass
-    result: pass
+  result: pass
-  - policy: validate-service-loadbalancer
+  rule: check-loadbalancer-public
-    rule: check-loadbalancer-public
+- kind: Service
-    resource: service-public-2-pass
+  policy: validate-service-loadbalancer
-    kind: Service
+  resources:
-    result: pass
+  - service-public-2-pass
-  - policy: validate-service-loadbalancer
+  result: pass
-    rule: check-loadbalancer-public
+  rule: check-loadbalancer-public
-    resource: service-public-fail
+- kind: Service
-    kind: Service
+  policy: validate-service-loadbalancer
-    result: fail
+  resources:
-  - policy: validate-service-loadbalancer
+  - service-public-fail
-    rule: check-loadbalancer-public
+  result: fail
-    resource: service-clusterip-skip
+  rule: check-loadbalancer-public
-    kind: Service
+- kind: Service
-    result: skip
+  policy: validate-service-loadbalancer
+  resources:
+  - service-clusterip-skip
+  result: skip
+  rule: check-loadbalancer-public

test/cli/test/autogen/kyverno-test.yaml

@@ -1,60 +1,54 @@
+name: kyverno-test.yaml
 policies:
 - policy.yaml
 resources:
 - resources.yaml
 results:
-# TEST: Pod with Labels Should Pass
+- kind: Pod
-- policy: require-common-labels
+  policy: require-common-labels
-  rule: check-for-labels
+  resources:
+  - pod-with-labels
   result: pass
-  kind: Pod 
-  resource: pod-with-labels
-
-# TEST: Pod Missing Labels Should Fail
-- policy: require-common-labels
   rule: check-for-labels
+- kind: Pod
+  policy: require-common-labels
+  resources:
+  - pod-missing-labels
   result: fail
-  kind: Pod
-  resource: pod-missing-labels
-
-# TEST: Deployment with Labels Should Pass
-- policy: require-common-labels
   rule: check-for-labels
+- kind: Deployment
+  policy: require-common-labels
+  resources:
+  - deployment-with-labels
   result: pass
-  kind: Deployment
-  resource: deployment-with-labels
-
-# TEST: Deployment with Labels Should Fail
-- policy: require-common-labels
   rule: check-for-labels
+- kind: Deployment
+  policy: require-common-labels
+  resources:
+  - deployment-missing-labels
   result: fail
-  kind: Deployment
-  resource: deployment-missing-labels
-
-# TEST: StatefulSet with Labels Should Pass
-- policy: require-common-labels
   rule: check-for-labels
+- kind: StatefulSet
+  policy: require-common-labels
+  resources:
+  - StatefulSet-with-labels
   result: pass
-  kind: StatefulSet
-  resource: StatefulSet-with-labels
-
-# TEST: StatefulSet with Labels Should fail
-- policy: require-common-labels
   rule: check-for-labels
+- kind: StatefulSet
+  policy: require-common-labels
+  resources:
+  - StatefulSet-without-labels
   result: fail
-  kind: StatefulSet
-  resource: StatefulSet-without-labels
-
-# TEST: Cronjob with Labels Should pass
-- policy: require-common-labels
   rule: check-for-labels
+- kind: CronJob
+  policy: require-common-labels
+  resources:
+  - cronjob-with-labels
   result: pass
-  kind: CronJob
-  resource: cronjob-with-labels
-
-# TEST: Cronjob without Labels Should fail
-- policy: require-common-labels
   rule: check-for-labels
+- kind: CronJob
+  policy: require-common-labels
+  resources:
+  - cronjob-without-labels
   result: fail
-  kind: CronJob
+  rule: check-for-labels
-  resource: cronjob-without-labels

test/cli/test/container_reorder/kyverno-test.yaml

@@ -1,16 +1,18 @@
-name: test-image-verify-signature
+name: test-image-verify-signature
-policies:
+policies:
-  - policy.yml
+- policy.yml
-resources:
+resources:
-  - resources.yaml
+- resources.yaml
-results:
+results:
-  - policy: check-image
+- kind: Pod
-    rule: verify-signature
+  policy: check-image
-    resource: signed-first
+  resources:
-    kind: Pod
+  - signed-first
-    status: fail
+  result: fail
-  - policy: check-image
+  rule: verify-signature
-    rule: verify-signature
+- kind: Pod
-    resource: unsigned-first
+  policy: check-image
-    kind: Pod
+  resources:
-    status: fail
+  - unsigned-first
+  result: fail
+  rule: verify-signature

test/cli/test/context-entries/kyverno-test.yaml

@@ -1,61 +1,72 @@
 name: test-context-entries
 policies:
-  - policies.yaml
+- policies.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: example
+- kind: Pod
-    rule:  defined-value
+  policy: example
-    resource: example
+  resources:
-    kind: Pod
+  - example
-    result: pass
+  result: pass
-  - policy: example
+  rule: defined-value
-    rule:  defined-jmespath
+- kind: Pod
-    resource: example
+  policy: example
-    kind: Pod
+  resources:
-    result: pass
+  - example
-  - policy: example
+  result: pass
-    rule:  defined-jmespath-with-default
+  rule: defined-jmespath
-    resource: example
+- kind: Pod
-    kind: Pod
+  policy: example
-    result: pass
+  resources:
-  - policy: example
+  - example
-    rule:  defined-value-with-variable
+  result: pass
-    resource: example
+  rule: defined-jmespath-with-default
-    kind: Pod
+- kind: Pod
-    result: pass
+  policy: example
-  - policy: example
+  resources:
-    rule:  defined-jmespath-with-default-variable
+  - example
-    resource: example
+  result: pass
-    kind: Pod
+  rule: defined-value-with-variable
-    result: pass
+- kind: Pod
-  - policy: example
+  policy: example
-    rule:  defined-value-jmespath
+  resources:
-    resource: example
+  - example
-    kind: Pod
+  result: pass
-    result: pass
+  rule: defined-jmespath-with-default-variable
-  - policy: example
+- kind: Pod
-    rule:  defined-value-jmespath-variable
+  policy: example
-    resource: example
+  resources:
-    kind: Pod
+  - example
-    result: pass
+  result: pass
-  - policy: example
+  rule: defined-value-jmespath
-    rule:  value-override
+- kind: Pod
-    resource: example
+  policy: example
-    kind: Pod
+  resources:
-    result: pass
+  - example
-  - policy: example
+  result: pass
-    rule:  wildcard-match
+  rule: defined-value-jmespath-variable
-    resource: example
+- kind: Pod
-    kind: Pod
+  policy: example
-    result: pass
+  resources:
-  - policy: example
+  - example
-    rule:  items
+  result: pass
-    resource: example
+  rule: value-override
-    kind: Pod
+- kind: Pod
-    result: pass
+  policy: example
-  - policy: example
+  resources:
-    rule:  unused-var
+  - example
-    resource: example
+  result: pass
-    kind: Pod
+  rule: wildcard-match
-    result: pass
+- kind: Pod
+  policy: example
+  resources:
+  - example
+  result: pass
+  rule: items
+- kind: Pod
+  policy: example
+  resources:
+  - example
+  result: pass
+  rule: unused-var

test/cli/test/context-foreach/kyverno-test.yaml

@@ -1,17 +1,19 @@
 name: block-images
 policies:
-  -  policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
-variables: values.yaml
 results:
-- policy: block-images
+- kind: Pod
-  rule: block-images
+  policy: block-images
-  resource: good-pod
+  resources:
-  kind: Pod
+  - good-pod
   result: pass
-- policy: block-images
   rule: block-images
-  resource: bad-pod
+- kind: Pod
-  kind: Pod
+  policy: block-images
+  resources:
+  - bad-pod
   result: fail
+  rule: block-images
+variables: values.yaml

test/cli/test/custom-functions/kyverno-test.yaml

@@ -1,67 +1,78 @@
 name: test-custom-funcs
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: base64
+- kind: Secret
-    rule: secret-value-must-match-label
+  policy: base64
-    resource: base64-test-match
+  resources:
-    kind: Secret
+  - base64-test-match
-    status: pass
+  result: pass
-  - policy: base64
+  rule: secret-value-must-match-label
-    rule: secret-value-must-match-label
+- kind: Secret
-    resource: base64-test-no-match
+  policy: base64
-    kind: Secret
+  resources:
-    status: fail
+  - base64-test-no-match
-  - policy: pattern-match
+  result: fail
-    rule: label-must-match-pattern
+  rule: secret-value-must-match-label
-    resource: pattern-match-test-match
+- kind: Namespace
-    kind: Namespace
+  policy: pattern-match
-    status: pass
+  resources:
-  - policy: pattern-match
+  - pattern-match-test-match
-    rule: label-must-match-pattern
+  result: pass
-    resource: pattern-match-test-no-match
+  rule: label-must-match-pattern
-    kind: Namespace
+- kind: Namespace
-    status: fail
+  policy: pattern-match
-  - policy: path-canonicalize
+  resources:
-    rule: disallow-mount-containerd-sock
+  - pattern-match-test-no-match
-    resource: mount-containerd-sock
+  result: fail
-    kind: Pod
+  rule: label-must-match-pattern
-    status: fail
+- kind: Pod
-  - policy: test-parse-json
+  policy: path-canonicalize
-    rule: test-json-parsing-jmespath
+  resources:
-    resource: valid-test
+  - mount-containerd-sock
-    kind: ConfigMap
+  result: fail
-    result: pass
+  rule: disallow-mount-containerd-sock
-  - policy: test-parse-json
+- kind: ConfigMap
-    rule: test-json-parsing-jmespath
+  policy: test-parse-json
-    resource: invalid-test
+  resources:
-    kind: ConfigMap
+  - valid-test
-    result: fail
+  result: pass
-  - policy: test-parse-yaml
+  rule: test-json-parsing-jmespath
-    rule: test-yaml-parsing-jmespath
+- kind: ConfigMap
-    resource: valid-yaml-test
+  policy: test-parse-json
-    kind: ConfigMap
+  resources:
-    result: pass
+  - invalid-test
-  - policy: test-parse-yaml
+  result: fail
-    rule: test-yaml-parsing-jmespath
+  rule: test-json-parsing-jmespath
-    resource: invalid-yaml-test
+- kind: ConfigMap
-    kind: ConfigMap
+  policy: test-parse-yaml
-    result: fail
+  resources:
-  - policy: test-parse-yaml-array
+  - valid-yaml-test
-    rule: test-yaml-parsing-jmespath
+  result: pass
-    resource: valid-yaml-test
+  rule: test-yaml-parsing-jmespath
-    kind: ConfigMap
+- kind: ConfigMap
-    result: pass
+  policy: test-parse-yaml
-  - policy: test-parse-yaml-array
+  resources:
-    rule: test-yaml-parsing-jmespath
+  - invalid-yaml-test
-    resource: invalid-yaml-test
+  result: fail
-    kind: ConfigMap
+  rule: test-yaml-parsing-jmespath
-    result: fail
+- kind: ConfigMap
-  - policy: test-x509-decode
+  policy: test-parse-yaml-array
-    rule: test-x509-decode
+  resources:
-    resource: test-x509-configmap
+  - valid-yaml-test
-    kind: ConfigMap
+  result: pass
-    result: fail
+  rule: test-yaml-parsing-jmespath
-    
+- kind: ConfigMap
+  policy: test-parse-yaml-array
+  resources:
+  - invalid-yaml-test
+  result: fail
+  rule: test-yaml-parsing-jmespath
+- kind: ConfigMap
+  policy: test-x509-decode
+  resources:
+  - test-x509-configmap
+  result: fail
+  rule: test-x509-decode

test/cli/test/default_value_to_create/kyverno-test.yaml

@@ -1,16 +1,18 @@
 name: psp-check-supplemental-groups
 policies:
-  - check-supplemental-groups.yaml
+- check-supplemental-groups.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: psp-check-supplemental-groups
+- kind: Pod
-    rule: supplementalgroup-ranges
+  policy: psp-check-supplemental-groups
-    resource: badpod01
+  resources:
-    kind: Pod
+  - badpod01
-    result: fail
+  result: fail
-  - policy: psp-check-supplemental-groups
+  rule: supplementalgroup-ranges
-    rule: supplementalgroup-ranges
+- kind: Pod
-    resource: goodpod01
+  policy: psp-check-supplemental-groups
-    kind: Pod
+  resources:
-    result: pass
+  - goodpod01
+  result: pass
+  rule: supplementalgroup-ranges

test/cli/test/depecated_apis/kyverno-test.yaml

@@ -1,16 +1,18 @@
 name: test-simple
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: check-deprecated-api
+- kind: CronJob
-    rule: validate-v1-25-removal
+  policy: check-deprecated-api
-    resource: hello
+  resources:
-    kind: CronJob
+  - hello
-    status: skip
+  result: skip
-  - policy: check-deprecated-api
+  rule: validate-v1-25-removal
-    rule: validate-v1-25-removal
+- kind: CronJob
-    resource: hello-fail
+  policy: check-deprecated-api
-    kind: CronJob
+  resources:
-    status: warn
+  - hello-fail
+  result: warn
+  rule: validate-v1-25-removal

test/cli/test/exec-subresource/kyverno-test.yaml

@@ -1,30 +1,40 @@
 name: deny-exec-by-pod-label
 policies:
-  - deny-exec-by-pod-label.yaml
+- deny-exec-by-pod-label.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: deny-exec-by-pod-label
+- kind: PodExecOptions
-    rule: deny-exec-by-label
+  namespace: default
-    resource: execpod
+  policy: deny-exec-by-pod-label
-    namespace: default
+  resources:
-    kind: PodExecOptions
+  - execpod
-    result: fail
+  result: fail
+  rule: deny-exec-by-label
 values:
-  policies:
-    - name: deny-exec-by-pod-label
-      rules:
-        - name: deny-exec-by-label
-          values:
-            podexeclabel: "false"
   globalValues:
     request.operation: CONNECT
+  namespaceSelector: null
+  policies:
+  - name: deny-exec-by-pod-label
+    resources: null
+    rules:
+    - foreachValues: null
+      name: deny-exec-by-label
+      values:
+        podexeclabel: "false"
   subresources:
-    - subresource:
+  - parentResource:
-        name: "pods/exec"
+      kind: Pod
-        kind: "PodExecOptions"
+      name: pods
-        version: "v1"
+      namespaced: false
-      parentResource:
+      singularName: ""
-        name: "pods"
+      verbs: null
-        kind: "Pod"
+      version: v1
-        version: "v1"
+    subresource:
+      kind: PodExecOptions
+      name: pods/exec
+      namespaced: false
+      singularName: ""
+      verbs: null
+      version: v1

test/cli/test/foreach-preconditions/kyverno-test.yaml

@@ -1,16 +1,18 @@
 name: test-foreach-precondition
 policies:
-  - policies.yaml
+- policies.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: enforce-limits-fraction
+- kind: Pod
-    rule: check-memory-requests-limits
+  policy: enforce-limits-fraction
-    resource: frontend1
+  resources:
-    kind: Pod
+  - frontend1
-    status: fail
+  result: fail
-  - policy: enforce-limits-fraction
+  rule: check-memory-requests-limits
-    rule: check-memory-requests-limits
+- kind: Pod
-    resource: frontend2
+  policy: enforce-limits-fraction
-    kind: Pod
+  resources:
-    status: pass
+  - frontend2
+  result: pass
+  rule: check-memory-requests-limits

test/cli/test/foreach/kyverno-test.yaml

@@ -1,56 +1,66 @@
 name: test-foreach
 policies:
-  - policies.yaml
+- policies.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: validate-empty-dir-mountpath
+- kind: Pod
-    rule: check-mount-paths
+  policy: validate-empty-dir-mountpath
-    resource: test-pod
+  resources:
-    kind: Pod
+  - test-pod
-    status: pass
+  result: pass
-  - policy: validate-empty-dir-mountpath
+  rule: check-mount-paths
-    rule: check-mount-paths
+- kind: Pod
-    resource: test-pod2
+  policy: validate-empty-dir-mountpath
-    kind: Pod
+  resources:
-    status: pass
+  - test-pod2
-  - policy: validate-empty-dir-resources
+  result: pass
-    rule: check-resources
+  rule: check-mount-paths
-    resource: test-pod-bad-mount
+- kind: Pod
-    kind: Pod
+  policy: validate-empty-dir-resources
-    status: fail
+  resources:
-  - policy: validate-empty-dir-resources
+  - test-pod-bad-mount
-    rule: check-resources
+  result: fail
-    resource: test-pod
+  rule: check-resources
-    kind: Pod
+- kind: Pod
-    status: fail
+  policy: validate-empty-dir-resources
-  - policy: validate-empty-dir-resources
+  resources:
-    rule: check-resources
+  - test-pod
-    resource: test-pod-with-resources
+  result: fail
-    kind: Pod
+  rule: check-resources
-    status: pass
+- kind: Pod
-  - policy: validate-empty-dir-resources
+  policy: validate-empty-dir-resources
-    rule: check-resources
+  resources:
-    resource: test-pod-with-gke-vol
+  - test-pod-with-resources
-    kind: Pod
+  result: pass
-    status: skip
+  rule: check-resources
-  - policy: validate-empty-dir-resources
+- kind: Pod
-    rule: check-resources
+  policy: validate-empty-dir-resources
-    resource: test-pod-with-resources-multiple-ctnrs
+  resources:
-    kind: Pod
+  - test-pod-with-gke-vol
-    status: pass
+  result: skip
-  - policy: validate-image-list
+  rule: check-resources
-    rule: check-image
+- kind: Pod
-    resource: test-pod
+  policy: validate-empty-dir-resources
-    kind: Pod
+  resources:
-    status: fail
+  - test-pod-with-resources-multiple-ctnrs
-  - policy: validate-image-list
+  result: pass
-    rule: check-image
+  rule: check-resources
-    resource: test-pod-ghcr
+- kind: Pod
-    kind: Pod
+  policy: validate-image-list
-    status: fail
+  resources:
-  - policy: validate-image-list-error
+  - test-pod
-    rule: check-image
+  result: fail
-    resource: test-pod-ghcr
+  rule: check-image
-    kind: Pod
+- kind: Pod
-    status: error
+  policy: validate-image-list
+  resources:
+  - test-pod-ghcr
+  result: fail
+  rule: check-image
+- kind: Pod
+  policy: validate-image-list-error
+  resources:
+  - test-pod-ghcr
+  result: error
+  rule: check-image

test/cli/test/images/digest/kyverno-test.yaml

@@ -1,18 +1,20 @@
 name: test-image-digest
 policies:
-  - policies.yaml
+- policies.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: require-image-digest
+- kind: Pod
-    rule: check-digest
+  namespace: test
-    resource: no-digest
+  policy: require-image-digest
-    kind: Pod
+  resources:
-    namespace: test
+  - no-digest
-    status: fail
+  result: fail
-  - policy: require-image-digest
+  rule: check-digest
-    rule: check-digest
+- kind: Pod
-    resource: with-digest
+  namespace: test
-    kind: Pod
+  policy: require-image-digest
-    namespace: test
+  resources:
-    status: pass
+  - with-digest
+  result: pass
+  rule: check-digest

test/cli/test/images/secure-images/kyverno-test.yaml

@@ -1,11 +1,12 @@
-name: test-image-enforce-signatures
+name: test-image-enforce-signatures
-policies:
+policies:
-  - policies.yaml
+- policies.yaml
-resources:
+resources:
-  - resources.yaml
+- resources.yaml
-results:
+results:
-  - policy: secure-images
+- kind: Pod
-    rule: enforce-signatures
+  policy: secure-images
-    resource: tomcat
+  resources:
-    kind: Pod
+  - tomcat
-    status: fail
+  result: fail
+  rule: enforce-signatures

test/cli/test/images/signatures/kyverno-test.yaml

@@ -1,16 +1,18 @@
-name: test-image-signature
+name: test-image-signature
-policies:
+policies:
-  - policies.yaml
+- policies.yaml
-resources:
+resources:
-  - resources.yaml
+- resources.yaml
-results:
+results:
-  - policy: verify-signature
+- kind: Pod
-    rule: check-static-key
+  policy: verify-signature
-    resource: signed
+  resources:
-    kind: Pod
+  - signed
-    status: pass
+  result: pass
-  - policy: verify-signature
+  rule: check-static-key
-    rule: check-static-key
+- kind: Pod
-    resource: unsigned
+  policy: verify-signature
-    kind: Pod
+  resources:
-    status: fail
+  - unsigned
+  result: fail
+  rule: check-static-key

test/cli/test/images/verify-signature/kyverno-test.yaml

@@ -1,26 +1,30 @@
-name: test-image-verify-signature
+name: test-image-verify-signature
-policies:
+policies:
-  - policies.yaml
+- policies.yaml
-resources:
+resources:
-  - resources.yaml
+- resources.yaml
-results:
+results:
-  - policy: check-image
+- kind: Pod
-    rule: verify-signature
+  policy: check-image
-    resource: signed
+  resources:
-    kind: Pod
+  - signed
-    status: pass
+  result: pass
-  - policy: check-image
+  rule: verify-signature
-    rule: verify-signature
+- kind: Pod
-    resource: unsigned
+  policy: check-image
-    kind: Pod
+  resources:
-    status: fail
+  - unsigned
-  - policy: check-data-volume-image
+  result: fail
-    rule: verify-signature
+  rule: verify-signature
-    resource: signed-registry-image-datavolume
+- kind: DataVolume
-    kind: DataVolume
+  policy: check-data-volume-image
-    status: pass
+  resources:
-  - policy: check-data-volume-image
+  - signed-registry-image-datavolume
-    rule: verify-signature
+  result: pass
-    resource: unsigned-registry-image-datavolume
+  rule: verify-signature
-    kind: DataVolume
+- kind: DataVolume
-    status: fail
+  policy: check-data-volume-image
+  resources:
+  - unsigned-registry-image-datavolume
+  result: fail
+  rule: verify-signature

test/cli/test/jmespath-brackets/kyverno-test.yaml

@@ -1,36 +1,42 @@
 name: test-preconditions
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: test-jmespath
+- kind: Pod
-    rule: test-jmespath
+  policy: test-jmespath
-    resource: test-valid1
+  resources:
-    kind: Pod
+  - test-valid1
-    status: pass
+  result: pass
-  - policy: test-jmespath
+  rule: test-jmespath
-    rule: test-jmespath
+- kind: Pod
-    resource: test-valid2
+  policy: test-jmespath
-    kind: Pod
+  resources:
-    status: pass
+  - test-valid2
-  - policy: test-jmespath
+  result: pass
-    rule: test-jmespath
+  rule: test-jmespath
-    resource: test-valid3
+- kind: Pod
-    kind: Pod
+  policy: test-jmespath
-    status: pass
+  resources:
-  - policy: test-jmespath
+  - test-valid3
-    rule: test-jmespath
+  result: pass
-    resource: test-invalid
+  rule: test-jmespath
-    kind: Pod
+- kind: Pod
-    status: fail
+  policy: test-jmespath
-  - policy: namespace-validation
+  resources:
-    rule: namespace-validation
+  - test-invalid
-    resource: test-invalid
+  result: fail
-    kind: Namespace
+  rule: test-jmespath
-    status: fail
+- kind: Namespace
-  - policy: namespace-validation
+  policy: namespace-validation
-    rule: namespace-validation
+  resources:
-    resource: test-valid
+  - test-invalid
-    kind: Namespace
+  result: fail
-    status: pass
+  rule: namespace-validation
+- kind: Namespace
+  policy: namespace-validation
+  resources:
+  - test-valid
+  result: pass
+  rule: namespace-validation

test/cli/test/limit-configmap-for-sa/kyverno-test.yaml

@@ -1,19 +1,21 @@
 name: limit-configmap-for-sa
 policies:
-  - limit_configmap_for_sa.yaml
+- limit_configmap_for_sa.yaml
 resources:
-  - resource.yaml
+- resource.yaml
-variables: variables.yaml
-userinfo: user_info.yaml
 results:
-  - policy: limit-configmap-for-sa
+- kind: ConfigMap
-    rule: limit-configmap-for-sa-developer
+  namespace: any-namespace
-    resource: any-configmap-name-good
+  policy: limit-configmap-for-sa
-    kind: ConfigMap
+  resources:
-    namespace: any-namespace
+  - any-configmap-name-good
-    result: fail
+  result: fail
-  - policy: limit-configmap-for-sa
+  rule: limit-configmap-for-sa-developer
-    rule: limit-configmap-for-sa-developer
+- kind: ConfigMap
-    resource: any-configmap-name-bad
+  policy: limit-configmap-for-sa
-    kind: ConfigMap
+  resources:
-    result: skip
+  - any-configmap-name-bad
+  result: skip
+  rule: limit-configmap-for-sa-developer
+userinfo: user_info.yaml
+variables: variables.yaml

test/cli/test/manifests/verify-signature/kyverno-test.yaml

@@ -1,21 +1,24 @@
 name: yaml-verification
 policies:
-  - policies.yaml
+- policies.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: validate-yaml
+- kind: Service
-    rule: validate-yaml
+  policy: validate-yaml
-    resource: test-service # no signature
+  resources:
-    kind: Service
+  - test-service
-    result: fail
+  result: fail
-  - policy: validate-yaml
+  rule: validate-yaml
-    rule: validate-yaml
+- kind: Service
-    resource: test-service2 # one signature
+  policy: validate-yaml
-    kind: Service
+  resources:
-    result: pass
+  - test-service2
-  - policy: validate-yaml
+  result: pass
-    rule: validate-yaml-multi-sig
+  rule: validate-yaml
-    resource: test-service3 # multi signature
+- kind: Service
-    kind: Service
+  policy: validate-yaml
-    result: pass
+  resources:
+  - test-service3
+  result: pass
+  rule: validate-yaml-multi-sig

test/cli/test/mixed/kyverno-test.yaml

@@ -1,32 +1,36 @@
 name: ondemand
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-  - policy: ondemand
+- kind: Pod
-    rule: ondemand-nodeselector
+  namespace: user-space
-    resource: nodeselector-with-labels-on-mutation
+  patchedResource: patched-resource.yaml
-    patchedResource: patched-resource.yaml
+  policy: ondemand
-    namespace: user-space
+  resources:
-    kind: Pod
+  - nodeselector-with-labels-on-mutation
-    result: pass
+  result: pass
-  - policy: ondemand
+  rule: ondemand-nodeselector
-    rule: ondemand-managed_by
+- kind: Pod
-    resource: nodeselector-with-labels-on-mutation
+  namespace: user-space
-    namespace: user-space
+  policy: ondemand
-    kind: Pod
+  resources:
-    result: pass
+  - nodeselector-with-labels-on-mutation
-  - policy: ondemand
+  result: pass
-    rule: ondemand-nodeselector
+  rule: ondemand-managed_by
-    resource: nodeselector-without-labels-on-mutation
+- kind: Pod
-    patchedResource: patched-resource1.yaml
+  namespace: user-foo
-    namespace: user-foo
+  patchedResource: patched-resource1.yaml
-    kind: Pod
+  policy: ondemand
-    result: skip
+  resources:
-  - policy: ondemand
+  - nodeselector-without-labels-on-mutation
-    rule: ondemand-managed_by
+  result: skip
-    resource: nodeselector-without-labels-on-mutation
+  rule: ondemand-nodeselector
-    namespace: user-foo
+- kind: Pod
-    kind: Pod
+  namespace: user-foo
-    result: fail
+  policy: ondemand
+  resources:
+  - nodeselector-without-labels-on-mutation
+  result: fail
+  rule: ondemand-managed_by

test/cli/test/multiple_condition_keys/kyverno-test.yaml

@@ -1,17 +1,18 @@
 name: test-simple
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: test-multiple-key
+- kind: Pod
-    rule: test-multiple-key
+  policy: test-multiple-key
-    resource: test-resource-pass
+  resources:
-    kind: Pod
+  - test-resource-pass
-    status: pass
+  result: pass
-  - policy: test-multiple-key
+  rule: test-multiple-key
-    rule: test-multiple-key
+- kind: Pod
-    resource: test-resource-fail
+  policy: test-multiple-key
-    kind: Pod
+  resources:
-    status: fail
+  - test-resource-fail
-  
+  result: fail
+  rule: test-multiple-key

test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/kyverno-test.yaml

@@ -1,17 +1,17 @@
 name: exclude-namespaces-example
 policies:
-  - exclude_namespaces_dynamically.yaml
+- exclude_namespaces_dynamically.yaml
 resources:
-  - resource.yaml
+- resource.yaml
-variables: values.yaml
 results:
-  - policy: exclude-namespaces-example
+- kind: Pod
-    rule: exclude-namespaces-dynamically
+  policy: exclude-namespaces-example
-    resource: bad-pod01
+  resource: bad-pod01
-    kind: Pod
+  result: pass
-    result: pass
+  rule: exclude-namespaces-dynamically
-  - policy: exclude-namespaces-example
+- kind: Pod
-    rule: exclude-namespaces-dynamically
+  policy: exclude-namespaces-example
-    resource: bad-pod02
+  resource: bad-pod02
-    kind: Pod
+  result: error
-    result: error
+  rule: exclude-namespaces-dynamically
+variables: values.yaml

test/cli/test/nil-values-in-variables/limit-duration/kyverno-test.yaml

@@ -1,16 +1,18 @@
 name: limit-duration
 policies:
-  -  limit-duration.yaml
+- limit-duration.yaml
 resources:
-  -  resource.yaml
+- resource.yaml
 results:
-  - policy: cert-manager-limit-duration
+- kind: Certificate
-    rule: certificate-duration-max-100days 
+  policy: cert-manager-limit-duration
-    resource: letsencrypt-crt
+  resources:
-    kind: Certificate
+  - letsencrypt-crt
-    result: skip
+  result: skip
-  - policy: cert-manager-limit-duration
+  rule: certificate-duration-max-100days
-    rule: certificate-duration-max-100days 
+- kind: Certificate
-    resource: acme-crt
+  policy: cert-manager-limit-duration
-    kind: Certificate
+  resources:
-    result: error
+  - acme-crt
+  result: error
+  rule: certificate-duration-max-100days

test/cli/test/node-status/kyverno-test.yaml

@@ -1,11 +1,12 @@
 name: check-kernel
 policies:
-  - check_node_for_cve_2022_0185.yaml
+- check_node_for_cve_2022_0185.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-- policy: check-kernel
+- kind: Node
+  policy: check-kernel
+  resources:
+  - test-check-kernel-version
+  result: pass
   rule: kernel-validate
-  resource: test-check-kernel-version
-  kind: Node
-  result: pass

test/cli/test/owner_references/kyverno-test.yaml

@@ -4,18 +4,21 @@ policies:
 resources:
 - resource.yaml
 results:
-- policy: require-pod-probes
+- kind: Pod
-  rule: require-pod-probes
+  policy: require-pod-probes
-  resource: pod-fail
+  resources:
-  kind: Pod
+  - pod-fail
   result: fail
-- policy: require-pod-probes
   rule: require-pod-probes
-  resource: deployment-skip
+- kind: Deployment
-  kind: Deployment
+  policy: require-pod-probes
+  resources:
+  - deployment-skip
+  result: skip
+  rule: require-pod-probes
+- kind: CronJob
+  policy: require-pod-probes
+  resources:
+  - cronjob-skip
   result: skip
-- policy: require-pod-probes
   rule: require-pod-probes
-  resource: cronjob-skip
-  kind: CronJob
-  result: skip

test/cli/test/policy-reports-skip-validation/kyverno-test.yaml

@@ -1,17 +1,19 @@
 name: disallow-naked-pods
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
-variables: values.yaml
 results:
-- policy: disallow-naked-pods
+- kind: Pod
-  rule: validate-naked-pods
+  policy: disallow-naked-pods
-  resource: blank-skip
+  resources:
-  kind: Pod
+  - blank-skip
   result: skip
-- policy: disallow-naked-pods
   rule: validate-naked-pods
-  resource: blank-fail
+- kind: Pod
-  kind: Pod
+  policy: disallow-naked-pods
+  resources:
+  - blank-fail
   result: fail
+  rule: validate-naked-pods
+variables: values.yaml

test/cli/test/preconditions/kyverno-test.yaml

@@ -1,16 +1,18 @@
 name: test-preconditions
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
 results:
-  - policy: preconditions
+- kind: Pod
-    rule: any-rule
+  policy: preconditions
-    resource: test-valid
+  resources:
-    kind: Pod
+  - test-valid
-    status: pass
+  result: pass
-  - policy: preconditions
+  rule: any-rule
-    rule: any-rule
+- kind: Pod
-    resource: test-invalid
+  policy: preconditions
-    kind: Pod
+  resources:
-    status: fail
+  - test-invalid
+  result: fail
+  rule: any-rule

test/cli/test/restrict_ingress_host/kyverno-test.yaml

@@ -1,27 +1,31 @@
 name: unique-ingress-host
 policies:
-  - restrict_ingress_host.yaml
+- restrict_ingress_host.yaml
 resources:
-  - resource.yaml
+- resource.yaml
-variables: values.yaml
 results:
-  - policy: unique-ingress-host
+- kind: Ingress
-    rule: check-single-host
+  policy: unique-ingress-host
-    resource: ingress-kyverno-host
+  resources:
-    kind: Ingress
+  - ingress-kyverno-host
-    result: fail
+  result: fail
-  - policy: unique-ingress-host
+  rule: check-single-host
-    rule: check-single-host
+- kind: Ingress
-    resource: ingress-foo-host
+  policy: unique-ingress-host
-    kind: Ingress
+  resources:
-    result: skip
+  - ingress-foo-host
-  - policy: unique-ingress-host
+  result: skip
-    rule: deny-multiple-hosts
+  rule: check-single-host
-    resource: ingress-kyverno-host
+- kind: Ingress
-    kind: Ingress
+  policy: unique-ingress-host
-    result: skip
+  resources:
-  - policy: unique-ingress-host
+  - ingress-kyverno-host
-    rule: deny-multiple-hosts
+  result: skip
-    resource: ingress-foo-host
+  rule: deny-multiple-hosts
-    kind: Ingress
+- kind: Ingress
-    result: fail
+  policy: unique-ingress-host
+  resources:
+  - ingress-foo-host
+  result: fail
+  rule: deny-multiple-hosts
+variables: values.yaml

test/cli/test/scale-subresource/kyverno-test.yaml

@@ -1,13 +1,14 @@
 name: enforce-replicas-for-scale-subresource
 policies:
-  - enforce-replicas-for-scale-subresource.yml
+- enforce-replicas-for-scale-subresource.yml
 resources:
-  - resource.yaml
+- resource.yaml
-variables: values.yaml
 results:
-  - policy: enforce-replicas-for-scale-subresource
+- kind: Scale
-    rule: validate-nginx-test
+  namespace: default
-    resource: nginx-test
+  policy: enforce-replicas-for-scale-subresource
-    namespace: default
+  resources:
-    kind: Scale
+  - nginx-test
-    result: fail
+  result: fail
+  rule: validate-nginx-test
+variables: values.yaml

test/cli/test/secret/kyverno-test.yaml

@@ -1,18 +1,20 @@
 name: add-maintainer
 policies:
-  -  policy.yaml
+- policy.yaml
 resources:
-  -  resources.yaml
+- resources.yaml
 results:
-  - policy: add-maintainer
+- kind: Secret
-    rule: add-maintainer
+  patchedResource: patched-resource.yaml
-    resource: example
+  policy: add-maintainer
-    patchedResource: patched-resource.yaml
+  resources:
-    kind: Secret
+  - example
-    result: pass
+  result: pass
-  - policy: add-maintainer
+  rule: add-maintainer
-    rule: add-maintainer
+- kind: Secret
-    resource: secrete-fail-example
+  patchedResource: patched-resource1.yaml
-    patchedResource: patched-resource1.yaml
+  policy: add-maintainer
-    kind: Secret
+  resources:
-    result: fail
+  - secrete-fail-example
+  result: fail
+  rule: add-maintainer

test/cli/test/simple/kyverno-test.yaml

@@ -1,95 +1,94 @@
 name: test-simple
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resources.yaml
+- resources.yaml
-variables: values.yaml
 results:
-  - policy: disallow-latest-tag
+- kind: Pod
-    rule: require-image-tag
+  namespace: test
-    resource: test-require-image-tag-pass
+  policy: disallow-latest-tag
-    kind: Pod
+  resource: test-require-image-tag-pass
-    namespace: test
+  result: pass
-    status: pass
+  rule: require-image-tag
-  - policy: disallow-latest-tag
+- kind: Pod
-    rule: require-image-tag
+  namespace: test
-    resource: test-require-image-tag-fail
+  policy: disallow-latest-tag
-    kind: Pod
+  resource: test-require-image-tag-fail
-    namespace: test
+  result: fail
-    status: fail
+  rule: require-image-tag
-  - policy: disallow-latest-tag
+- kind: Pod
-    rule: validate-image-tag
+  policy: disallow-latest-tag
-    resource: test-validate-image-tag-ignore
+  resource: test-validate-image-tag-ignore
-    kind: Pod
+  result: skip
-    status: skip
+  rule: validate-image-tag
-  - policy: disallow-latest-tag
+- kind: Pod
-    rule: validate-image-tag
+  namespace: test
-    resource: test-validate-image-tag-fail
+  policy: disallow-latest-tag
-    namespace: test
+  resource: test-validate-image-tag-fail
-    kind: Pod
+  result: fail
-    status: fail
+  rule: validate-image-tag
-  - policy: disallow-latest-tag
+- kind: Pod
-    rule: validate-image-tag
+  namespace: test
-    resource: test-validate-image-tag-pass
+  policy: disallow-latest-tag
-    kind: Pod
+  resource: test-validate-image-tag-pass
-    namespace: test
+  result: pass
-    status: pass
+  rule: validate-image-tag
-  - policy: duration-test
+- kind: Pod
-    rule: greater-than
+  namespace: test
-    resource: test-lifetime-fail
+  policy: duration-test
-    kind: Pod
+  resource: test-lifetime-fail
-    namespace: test
+  result: fail
-    status: fail
+  rule: greater-than
-  - policy: duration-test
+- kind: Pod
-    rule: less-than
+  namespace: test
-    resource: test-lifetime-fail
+  policy: duration-test
-    kind: Pod
+  resource: test-lifetime-fail
-    namespace: test
+  result: pass
-    status: pass
+  rule: less-than
-  - policy: duration-test
+- kind: Pod
-    rule: greater-equal-than
+  namespace: test
-    resource: test-lifetime-fail
+  policy: duration-test
-    kind: Pod
+  resource: test-lifetime-fail
-    namespace: test
+  result: fail
-    status: fail
+  rule: greater-equal-than
-  - policy: duration-test
+- kind: Pod
-    rule: less-equal-than
+  namespace: test
-    resource: test-lifetime-fail
+  policy: duration-test
-    kind: Pod
+  resource: test-lifetime-fail
-    namespace: test
+  result: pass
-    status: pass
+  rule: less-equal-than
-
+- kind: Pod
-  - policy: restrict-pod-counts
+  policy: restrict-pod-counts
-    rule: restrict-pod-count
+  resource: myapp-pod
-    resource: myapp-pod
+  result: fail
-    kind: Pod
+  rule: restrict-pod-count
-    status: fail
+- kind: Pod
-  - policy: restrict-pod-counts
+  namespace: test
-    rule: restrict-pod-count
+  policy: restrict-pod-counts
-    resource: test-require-image-tag-pass
+  resource: test-require-image-tag-pass
-    kind: Pod
+  result: fail
-    namespace: test
+  rule: restrict-pod-count
-    status: fail
+- kind: Pod
-  - policy: restrict-pod-counts
+  namespace: test
-    rule: restrict-pod-count
+  policy: restrict-pod-counts
-    resource: test-require-image-tag-fail
+  resource: test-require-image-tag-fail
-    kind: Pod
+  result: fail
-    namespace: test
+  rule: restrict-pod-count
-    status: fail
+- kind: Pod
-  - policy: restrict-pod-counts
+  policy: restrict-pod-counts
-    rule: restrict-pod-count
+  resource: test-validate-image-tag-ignore
-    resource: test-validate-image-tag-ignore
+  result: fail
-    kind: Pod
+  rule: restrict-pod-count
-    status: fail
+- kind: Pod
-  - policy: restrict-pod-counts
+  namespace: test
-    rule: restrict-pod-count
+  policy: restrict-pod-counts
-    resource: test-validate-image-tag-fail
+  resource: test-validate-image-tag-fail
-    kind: Pod
+  result: fail
-    namespace: test
+  rule: restrict-pod-count
-    status: fail    
+- kind: Pod
-  - policy: restrict-pod-counts
+  namespace: test
-    rule: restrict-pod-count
+  policy: restrict-pod-counts
-    resource: test-validate-image-tag-pass
+  resource: test-validate-image-tag-pass
-    kind: Pod
+  result: fail
-    namespace: test
+  rule: restrict-pod-count
-    status: fail
+variables: values.yaml

test/cli/test/unordered-context-variables/kyverno-test.yaml

@@ -1,12 +1,13 @@
 name: chained-variables
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
-variables: variables.yaml
 results:
-- policy: deny-something
+- kind: Pod
+  policy: deny-something
+  resources:
+  - valid-pod
+  result: pass
   rule: deny-everything
-  resource: valid-pod
+variables: variables.yaml
-  kind: Pod
-  result: pass

test/cli/test/variables/kyverno-test.yaml

@@ -1,77 +1,90 @@
 name: test-variables
 policies:
-  - cm-variable-example.yaml
+- cm-variable-example.yaml
-  - cm-multiple-example.yaml
+- cm-multiple-example.yaml
-  - cm-array-example.yaml
+- cm-array-example.yaml
-  - cm-blk-scalar-example.yaml
+- cm-blk-scalar-example.yaml
-  - cm-globalval-example.yaml
+- cm-globalval-example.yaml
-  - image-example.yaml
+- image-example.yaml
 resources:
-  - resources.yaml
+- resources.yaml
-variables: variables.yaml
 results:
-  - policy: cm-multiple-example
+- kind: Pod
-    rule: example-configmap-lookup
+  policy: cm-multiple-example
-    resource: test-env-test
+  resources:
-    kind: Pod
+  - test-env-test
-    result: pass
+  result: pass
-  - policy: cm-multiple-example
+  rule: example-configmap-lookup
-    rule: example-configmap-lookup
+- kind: Pod
-    resource: test-env-dev
+  policy: cm-multiple-example
-    kind: Pod
+  resources:
-    result: fail
+  - test-env-dev
-  - policy: cm-variable-example
+  result: fail
-    rule: example-configmap-lookup
+  rule: example-configmap-lookup
-    resource: test-env-test
+- kind: Pod
-    kind: Pod
+  policy: cm-variable-example
-    result: pass
+  resources:
-  - policy: cm-variable-example
+  - test-env-test
-    rule: example-configmap-lookup
+  result: pass
-    resource: test-env-dev
+  rule: example-configmap-lookup
-    kind: Pod
+- kind: Pod
-    result: fail
+  policy: cm-variable-example
-  - policy: cm-array-example
+  resources:
-    rule: validate-role-annotation
+  - test-env-dev
-    resource: test-web
+  result: fail
-    kind: Pod
+  rule: example-configmap-lookup
-    result: fail
+- kind: Pod
-  - policy: cm-array-example
+  policy: cm-array-example
-    rule: validate-role-annotation
+  resources:
-    resource: test-app
+  - test-web
-    kind: Pod
+  result: fail
-    result: pass
+  rule: validate-role-annotation
-  - policy: cm-blk-scalar-example
+- kind: Pod
-    rule: validate-blk-role-annotation
+  policy: cm-array-example
-    resource: test-blk-web
+  resources:
-    kind: Pod
+  - test-app
-    result: fail
+  result: pass
-  - policy: cm-blk-scalar-example
+  rule: validate-role-annotation
-    rule: validate-blk-role-annotation
+- kind: Pod
-    resource: test-blk-app
+  policy: cm-blk-scalar-example
-    kind: Pod
+  resources:
-    result: pass
+  - test-blk-web
-  - policy: cm-globalval-example
+  result: fail
-    rule: validate-mode
+  rule: validate-blk-role-annotation
-    resource: test-global-dev
+- kind: Pod
-    kind: Pod
+  policy: cm-blk-scalar-example
-    result: pass
+  resources:
-  - policy: cm-globalval-example
+  - test-blk-app
-    rule: validate-mode
+  result: pass
-    resource: test-global-prod
+  rule: validate-blk-role-annotation
-    kind: Pod
+- kind: Pod
-    result: fail
+  policy: cm-globalval-example
-  - policy: images
+  resources:
-    rule: only-allow-trusted-images
+  - test-global-dev
-    resource: test-pod-with-non-root-user-image
+  result: pass
-    kind: Pod
+  rule: validate-mode
-    status: pass
+- kind: Pod
-  - policy: images
+  policy: cm-globalval-example
-    rule: only-allow-trusted-images
+  resources:
-    resource: test-pod-with-trusted-registry
+  - test-global-prod
-    kind: Pod
+  result: fail
-    status: pass
+  rule: validate-mode
-  - policy: images
+- kind: Pod
-    rule: only-allow-trusted-images
+  policy: images
-    resource: test-pod-with-non-trusted-registry
+  resources:
-    kind: Pod
+  - test-pod-with-non-root-user-image
-    status: fail
+  result: pass
+  rule: only-allow-trusted-images
+- kind: Pod
+  policy: images
+  resources:
+  - test-pod-with-trusted-registry
+  result: pass
+  rule: only-allow-trusted-images
+- kind: Pod
+  policy: images
+  resources:
+  - test-pod-with-non-trusted-registry
+  result: fail
+  rule: only-allow-trusted-images
+variables: variables.yaml

test/cli/test/wildcard_match_label_selector/kyverno-test.yaml

@@ -1,31 +1,36 @@
 name: wildcard-support-in-matchlabels
 policies:
-  -  policy.yaml
+- policy.yaml
 resources:
-  -  resources.yaml
+- resources.yaml
 results:
-  - policy: wildcard-support-in-matchlabels
+- kind: Pod
-    rule: wildcard-label
+  policy: wildcard-support-in-matchlabels
-    resource: my-service-1
+  resources:
-    kind: Pod
+  - my-service-1
-    result: pass
+  result: pass
-  - policy: wildcard-support-in-matchlabels
+  rule: wildcard-label
-    rule: label-end-with-test
+- kind: Pod
-    resource: my-service-2
+  policy: wildcard-support-in-matchlabels
-    kind: Pod
+  resources:
-    result: pass
+  - my-service-2
-  - policy: wildcard-support-in-matchlabels
+  result: pass
-    rule: label-end-with-test
+  rule: label-end-with-test
-    resource: my-service-3
+- kind: Pod
-    kind: Pod
+  policy: wildcard-support-in-matchlabels
-    result: skip
+  resources:
-  - policy: wildcard-support-in-matchlabels
+  - my-service-3
-    rule: label-start-with-test
+  result: skip
-    resource: my-service-4
+  rule: label-end-with-test
-    kind: Pod
+- kind: Pod
-    result: pass
+  policy: wildcard-support-in-matchlabels
-  - policy: wildcard-support-in-matchlabels
+  resources:
-    rule: label-start-with-test
+  - my-service-4
-    resource: my-service-5
+  result: pass
-    kind: Pod
+  rule: label-start-with-test
-    result: skip
+- kind: Pod
+  policy: wildcard-support-in-matchlabels
+  resources:
+  - my-service-5
+  result: skip
+  rule: label-start-with-test

test/cli/test/wildcard_mutate/kyverno-test.yaml

@@ -1,18 +1,20 @@
 name: wildcard-support-in-matchlabels
 policies:
-  -  policy.yaml
+- policy.yaml
 resources:
-  -  resources.yaml
+- resources.yaml
 results:
-  - policy: mutate-wildcard
+- kind: Pod
-    rule: mutate-wildcard
+  patchedResource: patchedResource.yaml
-    resource: wildcard-mutate
+  policy: mutate-wildcard
-    patchedResource: patchedResource.yaml
+  resources:
-    kind: Pod
+  - wildcard-mutate
-    result: pass
+  result: pass
-  - policy: mutate-wildcard
+  rule: mutate-wildcard
-    rule: mutate-wildcard
+- kind: Pod
-    resource: wildcard-mutate-fail
+  patchedResource: patchedResource1.yaml
-    patchedResource: patchedResource1.yaml
+  policy: mutate-wildcard
-    kind: Pod
+  resources:
-    result: fail
+  - wildcard-mutate-fail
+  result: fail
+  rule: mutate-wildcard