
feat: add fix test cli command (#8213)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2023-09-01 17:50:11 +02:00 committed by GitHub
parent deb200dfd6
commit 9f108b11cd
71 changed files with 1644 additions and 1217 deletions


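--- /dev/null
+++ b/<path not shown on page: package fix>
@@ -0,0 +1,21 @@
+package fix
+import (
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/fix/test"
+	"github.com/spf13/cobra"
+)
+func Command() *cobra.Command {
+	cmd := &cobra.Command{
+		Use: "fix",
+		Short: "Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.",
+		Example: "",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+	cmd.AddCommand(
+		test.Command(),
+	)
+	return cmd
+}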
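Review bot: `Example: ""` on the new fix command leaves the generated kyverno_fix.md without a usage section, and the same empty `Example` is set on the fix test subcommand in the next file. Either drop the field (cobra omits the section when it is empty) or give a real example such as `Example: "kyverno fix test ./test --save"`, which is the invocation the subcommand's flags are built for. A one-line doc comment on the exported constructor, `// Command returns the cobra command for the experimental "fix" command group.`, would also satisfy the exported-name convention.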


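--- /dev/null
+++ b/<path not shown on page: package test (fix/test)>
@@ -0,0 +1,95 @@
+package test
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"github.com/spf13/cobra"
+	"sigs.k8s.io/yaml"
+)
+func Command() *cobra.Command {
+	var fileName string
+	var save bool
+	cmd := &cobra.Command{
+		Use: "test",
+		Short: "Fix inconsistencies and deprecated usage in Kyverno test files.",
+		Example: "",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			var testCases []testCase
+			for _, arg := range args {
+				tests, err := loadTests(arg, fileName)
+				if err != nil {
+					return err
+				}
+				testCases = append(testCases, tests...)
+			}
+			for _, testCase := range testCases {
+				fmt.Printf("Processing test file (%s)...", testCase.path)
+				fmt.Println()
+				if testCase.err != nil {
+					fmt.Printf(" ERROR: loading test file (%s): %s", testCase.path, testCase.err)
+					fmt.Println()
+					continue
+				}
+				test := testCase.test
+				needsSave := false
+				if test.Name == "" {
+					fmt.Println(" WARNING: name is not set")
+					test.Name = filepath.Base(testCase.path)
+					needsSave = true
+				}
+				if len(test.Policies) == 0 {
+					fmt.Println(" WARNING: test has no policies")
+				}
+				if len(test.Resources) == 0 {
+					fmt.Println(" WARNING: test has no policies")
+				}
+				for i := range test.Results {
+					result := &test.Results[i]
+					if result.Resource != "" && len(result.Resources) != 0 {
+						fmt.Println(" WARNING: test result should not use both `resource` and `resources` fields")
+					}
+					if result.Resource != "" {
+						fmt.Println(" WARNING: test result uses deprecated `resource` field, moving it into the `resources` field")
+						result.Resources = append(result.Resources, result.Resource)
+						result.Resource = ""
+						needsSave = true
+					}
+					if result.Status != "" && result.Result != "" {
+						fmt.Println(" ERROR: test result should not use both `status` and `result` fields")
+					}
+					if result.Status != "" && result.Result == "" {
+						fmt.Println(" WARNING: test result uses deprecated `status` field, moving it into the `result` field")
+						result.Result = result.Status
+						result.Status = ""
+						needsSave = true
+					}
+				}
+				if save && needsSave {
+					fmt.Printf(" Saving test file (%s)...", testCase.path)
+					fmt.Println()
+					yamlBytes, err := yaml.Marshal(test)
+					if err != nil {
+						fmt.Printf(" ERROR: converting test to yaml: %s", err)
+						fmt.Println()
+						continue
+					}
+					if err := os.WriteFile(testCase.path, yamlBytes, os.ModePerm); err != nil {
+						fmt.Printf(" ERROR: saving test file (%s): %s", testCase.path, err)
+						fmt.Println()
+						continue
+					}
+					fmt.Println(" OK")
+				}
+				fmt.Println()
+			}
+			fmt.Println("Done.")
+			return nil
+		},
+	}
+	cmd.Flags().StringVarP(&fileName, "file-name", "f", "kyverno-test.yaml", "Test filename")
+	cmd.Flags().BoolVar(&save, "save", false, "Save fixed file")
+	return cmd
+}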
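Review bot: The `os.WriteFile(testCase.path, yamlBytes, os.ModePerm)` call in the save branch of RunE passes 0777 for a plain YAML data file; because the path was just read, WriteFile normally truncates an existing file and the mode only takes effect if the file vanished in between, so the exposure is small, but it is still the wrong mode to state and gosec (G306) will flag it — `os.WriteFile(testCase.path, yamlBytes, 0o600)` (or the mode the project's other writers use) is the safer default. In the same branch the write is in place and not atomic: a failure after truncation leaves the user's test file empty with no copy of the original, so writing to a temporary file in the same directory and renaming over the target would be worth considering for a `--save` command. Separately, the `len(test.Resources) == 0` check prints the copy-pasted message "test has no policies"; it should read `fmt.Println(" WARNING: test has no resources")`. The `test.Name = filepath.Base(testCase.path)` fallback yields the file name (by default "kyverno-test.yaml") rather than anything identifying the test; if the enclosing directory name was intended, that would be `filepath.Base(filepath.Dir(testCase.path))` — please confirm which was meant.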


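--- /dev/null
+++ b/<path not shown on page: package test (fix/test), test loading>
@@ -0,0 +1,61 @@
+package test
+import (
+	"os"
+	"path/filepath"
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test/api"
+	"k8s.io/apimachinery/pkg/util/yaml"
+)
+type testCase struct {
+	path string
+	test *api.Test
+	err error
+}
+func loadTests(dirPath string, fileName string) ([]testCase, error) {
+	return loadLocalTest(filepath.Clean(dirPath), fileName)
+}
+func loadLocalTest(path string, fileName string) ([]testCase, error) {
+	var tests []testCase
+	files, err := os.ReadDir(path)
+	if err != nil {
+		return nil, err
+	}
+	for _, file := range files {
+		if file.IsDir() {
+			ps, err := loadLocalTest(filepath.Join(path, file.Name()), fileName)
+			if err != nil {
+				return nil, err
+			}
+			tests = append(tests, ps...)
+		} else if file.Name() == fileName {
+			tests = append(tests, loadTest(path, file.Name()))
+		}
+	}
+	return tests, nil
+}
+func loadTest(dirPath string, fileName string) testCase {
+	path := filepath.Join(dirPath, fileName)
+	yamlBytes, err := os.ReadFile(path) // #nosec G304
+	if err != nil {
+		return testCase{
+			path: path,
+			err: err,
+		}
+	}
+	var test api.Test
+	if err := yaml.UnmarshalStrict(yamlBytes, &test); err != nil {
+		return testCase{
+			path: path,
+			err: err,
+		}
+	}
+	return testCase{
+		path: path,
+		test: &test,
+	}
+}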
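Review bot: None of `testCase`, `loadTests`, `loadLocalTest` or `loadTest` carries a doc comment, and the walk has two behaviours a caller would want stated: `file.IsDir()` on an `os.DirEntry` is false for a symlink to a directory, so symlinked directories are silently skipped rather than followed, and a `dirPath` that is a regular file makes `os.ReadDir` fail, which aborts the whole run because the error is returned rather than recorded in a testCase. I would add `// loadTests walks dirPath recursively and returns one testCase per file named fileName; symlinked directories are not followed, and a non-directory dirPath is an error.` above loadTests, and `// loadTest reads and strictly unmarshals one test file; read and parse failures are reported in testCase.err rather than returned, so the caller can keep processing other files.` above loadTest. The `// #nosec G304` suppression is reasonable for a CLI that reads paths the user supplied, but a short justification after it would save the next reader from re-auditing it.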


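--- a/<path not shown on page: CLI command registration>
+++ b/<path not shown on page: CLI command registration>
@@ -9,6 +9,7 @@ import (
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apply"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/create"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/docs"
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/fix"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/jp"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/oci"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test"
@@ -58,6 +59,9 @@ func registerCommands(cli *cobra.Command) {
 		version.Command(),
 	)
 	if enableExperimental() {
-		cli.AddCommand(oci.Command())
+		cli.AddCommand(
+			fix.Command(),
+			oci.Command(),
+		)
 	}
 }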


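--- a/<path not shown on page: test/api types>
+++ b/<path not shown on page: test/api types>
@@ -10,10 +10,10 @@ type Test struct {
 	Name string `json:"name"`
 	Policies []string `json:"policies"`
 	Resources []string `json:"resources"`
-	Variables string `json:"variables"`
+	Variables string `json:"variables,omitempty"`
-	UserInfo string `json:"userinfo"`
+	UserInfo string `json:"userinfo,omitempty"`
 	Results []TestResults `json:"results"`
-	Values *Values `json:"values"`
+	Values *Values `json:"values,omitempty"`
 }
 type TestResults struct {
@@ -26,33 +26,33 @@ type TestResults struct {
 	// IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy.
 	// It's required in case policy is a validating admission policy.
 	// +optional
-	IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy"`
+	IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy,omitempty"`
 	// Result mentions the result that the user is expecting.
 	// Possible values are pass, fail and skip.
 	Result policyreportv1alpha2.PolicyResult `json:"result"`
 	// Status mentions the status that the user is expecting.
 	// Possible values are pass, fail and skip.
-	Status policyreportv1alpha2.PolicyResult `json:"status"`
+	Status policyreportv1alpha2.PolicyResult `json:"status,omitempty"`
 	// Resource mentions the name of the resource on which the policy is to be applied.
-	Resource string `json:"resource"`
+	Resource string `json:"resource,omitempty"`
 	// Resources gives us the list of resources on which the policy is going to be applied.
 	Resources []string `json:"resources"`
 	// Kind mentions the kind of the resource on which the policy is to be applied.
 	Kind string `json:"kind"`
 	// Namespace mentions the namespace of the policy which has namespace scope.
-	Namespace string `json:"namespace"`
+	Namespace string `json:"namespace,omitempty"`
 	// PatchedResource takes a resource configuration file in yaml format from
 	// the user to compare it against the Kyverno mutated resource configuration.
-	PatchedResource string `json:"patchedResource"`
+	PatchedResource string `json:"patchedResource,omitempty"`
-	// AutoGeneratedRule is internally set by the CLI command. It takes values either
-	// autogen or autogen-cronjob.
-	AutoGeneratedRule string `json:"auto_generated_rule"`
 	// GeneratedResource takes a resource configuration file in yaml format from
 	// the user to compare it against the Kyverno generated resource configuration.
-	GeneratedResource string `json:"generatedResource"`
+	GeneratedResource string `json:"generatedResource,omitempty"`
 	// CloneSourceResource takes the resource configuration file in yaml format
 	// from the user which is meant to be cloned by the generate rule.
-	CloneSourceResource string `json:"cloneSourceResource"`
+	CloneSourceResource string `json:"cloneSourceResource,omitempty"`
+	// AutoGeneratedRule is internally set by the CLI command. It takes values either
+	// autogen or autogen-cronjob.
+	AutoGeneratedRule string `json:"auto_generated_rule,omitempty"`
 }
 type ReportResult struct {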


@ -31,6 +31,7 @@ To enable experimental commands, KYVERNO_EXPERIMENTAL should be configured with
* [kyverno completion](kyverno_completion.md) - Generate the autocompletion script for the specified shell * [kyverno completion](kyverno_completion.md) - Generate the autocompletion script for the specified shell
* [kyverno create](kyverno_create.md) - Provides a command-line interface to help with the creation of various Kyverno resources. * [kyverno create](kyverno_create.md) - Provides a command-line interface to help with the creation of various Kyverno resources.
* [kyverno docs](kyverno_docs.md) - Generates documentation. * [kyverno docs](kyverno_docs.md) - Generates documentation.
* [kyverno fix](kyverno_fix.md) - Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.
* [kyverno jp](kyverno_jp.md) - Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions. * [kyverno jp](kyverno_jp.md) - Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.
* [kyverno oci](kyverno_oci.md) - Pulls/pushes images that include policie(s) from/to OCI registries. * [kyverno oci](kyverno_oci.md) - Pulls/pushes images that include policie(s) from/to OCI registries.
* [kyverno test](kyverno_test.md) - Run tests from directory. * [kyverno test](kyverno_test.md) - Run tests from directory.


@ -0,0 +1,37 @@
## kyverno fix
Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.
```
kyverno fix [flags]
```
### Options
```
-h, --help help for fix
```
### Options inherited from parent commands
```
--add_dir_header If true, adds the file directory to the header of the log messages
--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true)
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true)
--log_file string If non-empty, use this log file (no effect when -logtostderr=true)
--log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--logtostderr log to standard error instead of files (default true)
--one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
--skip_headers If true, avoid header prefixes in the log messages
--skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true)
--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
-v, --v Level number for the log level verbosity
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
```
### SEE ALSO
* [kyverno](kyverno.md) - Kubernetes Native Policy Management
* [kyverno fix test](kyverno_fix_test.md) - Fix inconsistencies and deprecated usage in Kyverno test files.


@ -0,0 +1,38 @@
## kyverno fix test
Fix inconsistencies and deprecated usage in Kyverno test files.
```
kyverno fix test [flags]
```
### Options
```
-f, --file-name string Test filename (default "kyverno-test.yaml")
-h, --help help for test
--save Save fixed file
```
### Options inherited from parent commands
```
--add_dir_header If true, adds the file directory to the header of the log messages
--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true)
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true)
--log_file string If non-empty, use this log file (no effect when -logtostderr=true)
--log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--logtostderr log to standard error instead of files (default true)
--one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
--skip_headers If true, avoid header prefixes in the log messages
--skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true)
--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
-v, --v Level number for the log level verbosity
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
```
### SEE ALSO
* [kyverno fix](kyverno_fix.md) - Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.


@ -1,21 +1,24 @@
name: test-registry name: test-registry
policies: policies:
- image-example.yaml - image-example.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: images - kind: Pod
rule: only-allow-trusted-images policy: images
resource: test-pod-with-non-root-user-image resources:
kind: Pod - test-pod-with-non-root-user-image
status: pass result: pass
- policy: images rule: only-allow-trusted-images
rule: only-allow-trusted-images - kind: Pod
resource: test-pod-with-trusted-registry policy: images
kind: Pod resources:
status: pass - test-pod-with-trusted-registry
- policy: check-image-base result: pass
rule: check-image-base-rule rule: only-allow-trusted-images
resource: test-pod-with-trusted-registry - kind: Pod
kind: Pod policy: check-image-base
status: pass resources:
- test-pod-with-trusted-registry
result: pass
rule: check-image-base-rule


@ -1,12 +1,13 @@
name: policy-endpoints name: policy-endpoints
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: policy-endpoints - kind: Endpoints
rule: pEP patchedResource: patchedresource.yaml
resource: test-endpoint policy: policy-endpoints
patchedresource: patchedresource.yaml resources:
kind: Endpoints - test-endpoint
result: pass result: pass
rule: pEP


@ -1,12 +1,13 @@
name: mutate-pods-spec name: mutate-pods-spec
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: mutate-pods-spec - kind: Deployment
rule: disable-servicelink-and-token patchedResource: patchedresource.yaml
resource: nginx-deployment policy: mutate-pods-spec
patchedresource: patchedresource.yaml resources:
kind: Deployment - nginx-deployment
result: pass result: pass
rule: disable-servicelink-and-token


@ -1,11 +1,12 @@
name: validate-default-proc-mount name: validate-default-proc-mount
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: validate-default-proc-mount - kind: Pod
rule: validate-default-proc-mount policy: validate-default-proc-mount
resource: nginx-proc-mount resources:
kind: Pod - nginx-proc-mount
result: pass result: pass
rule: validate-default-proc-mount


@ -1,11 +1,12 @@
name: validate-disallow-default-serviceaccount name: validate-disallow-default-serviceaccount
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: validate-disallow-default-serviceaccount - kind: Pod
rule: prevent-mounting-default-serviceaccount policy: validate-disallow-default-serviceaccount
resource: pod-with-default-sa resources:
kind: Pod - pod-with-default-sa
result: fail result: fail
rule: prevent-mounting-default-serviceaccount


@ -1,16 +1,18 @@
name: check-probe-exists name: check-probe-exists
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: check-probe-exists - kind: Pod
rule: check-readinessProbe-exists policy: check-probe-exists
resource: probe resources:
kind: Pod - probe
result: pass result: pass
- policy: check-probe-exists rule: check-readinessProbe-exists
rule: check-livenessProbe-exists - kind: Pod
resource: probe policy: check-probe-exists
kind: Pod resources:
result: pass - probe
result: pass
rule: check-livenessProbe-exists


@ -1,11 +1,12 @@
name: validate-selinux-options name: validate-selinux-options
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: validate-selinux-options - kind: Pod
rule: validate-selinux-options policy: validate-selinux-options
resource: busybox-selinux resources:
kind: Pod - busybox-selinux
result: fail result: fail
rule: validate-selinux-options


@ -1,11 +1,12 @@
name: validate-volumes-whitelist name: validate-volumes-whitelist
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: validate-volumes-whitelist - kind: Pod
rule: validate-volumes-whitelist policy: validate-volumes-whitelist
resource: test-volumes resources:
kind: Pod - test-volumes
result: pass result: pass
rule: validate-volumes-whitelist


@ -1,11 +1,12 @@
name: restrict-ingress-classes name: restrict-ingress-classes
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: restrict-ingress-classes - kind: Ingress
rule: validate-ingress policy: restrict-ingress-classes
resource: test-ingress resources:
kind: Ingress - test-ingress
result: pass result: pass
rule: validate-ingress


@ -1,11 +1,12 @@
name: test-exclude name: test-exclude
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: restrict-labels - kind: Namespace
rule: restrict-labels policy: restrict-labels
resource: kyverno-system-tst resources:
kind: Namespace - kyverno-system-tst
result: fail result: fail
rule: restrict-labels


@ -1,11 +1,12 @@
name: test-simple name: test-simple
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: missing - kind: Pod
rule: validate-image-tag policy: missing
resource: test resources:
kind: Pod - test
result: pass result: pass
rule: validate-image-tag


@ -1,11 +1,12 @@
name: test-simple name: test-simple
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: disallow-latest-tag - kind: Pod
rule: validate-image-tag policy: disallow-latest-tag
resource: missing resources:
kind: Pod - missing
result: pass result: pass
rule: validate-image-tag


@ -1,11 +1,12 @@
name: test-simple name: test-simple
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: disallow-latest-tag - kind: Pod
rule: missing policy: disallow-latest-tag
resource: test resources:
kind: Pod - test
status: pass result: pass
rule: missing


@ -1,12 +1,13 @@
name: deny-all-traffic name: deny-all-traffic
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: add-networkpolicy - generatedResource: generatedResource.yaml
rule: default-deny kind: Namespace
resource: hello-world-namespace policy: add-networkpolicy
generatedResource: generatedResource.yaml resources:
kind: Namespace - hello-world-namespace
result: pass result: pass
rule: default-deny


@ -1,18 +1,20 @@
name: add-quota name: add-quota
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: add-ns-quota - generatedResource: generatedResourceQuota.yaml
rule: generate-resourcequota kind: Namespace
resource: hello-world-namespace policy: add-ns-quota
generatedResource: generatedResourceQuota.yaml resources:
kind: Namespace - hello-world-namespace
result: pass result: pass
- policy: add-ns-quota rule: generate-resourcequota
rule: generate-limitrange - generatedResource: generatedLimitRange.yaml
resource: hello-world-namespace kind: Namespace
generatedResource: generatedLimitRange.yaml policy: add-ns-quota
kind: Namespace resources:
result: pass - hello-world-namespace
result: pass
rule: generate-limitrange


@ -1,13 +1,14 @@
name: pdb-test name: pdb-test
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: create-default-pdb - generatedResource: generatedResource.yaml
rule: create-default-pdb kind: Deployment
resource: nginx-deployment namespace: hello-world
generatedResource: generatedResource.yaml policy: create-default-pdb
kind: Deployment resources:
result: pass - nginx-deployment
namespace: hello-world result: pass
rule: create-default-pdb


@ -1,18 +1,20 @@
name: multiple-resources name: multiple-resources
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: test-policy - generatedResource: generated-resource-1.yaml
rule: rule kind: Deployment
resource: resource-a policy: test-policy
generatedResource: generated-resource-1.yaml resources:
kind: Deployment - resource-a
result: pass result: pass
- policy: test-policy rule: rule
rule: rule - generatedResource: generated-resource-2.yaml
resource: resource-b kind: Deployment
generatedResource: generated-resource-2.yaml policy: test-policy
kind: Deployment resources:
result: pass - resource-b
result: pass
rule: rule


@ -1,13 +1,14 @@
name: sync-secrets name: sync-secrets
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: sync-secrets - cloneSourceResource: cloneSourceResource.yaml
rule: sync-image-pull-secret generatedResource: generatedResource.yaml
resource: hello-world-namespace kind: Namespace
generatedResource: generatedResource.yaml policy: sync-secrets
cloneSourceResource: cloneSourceResource.yaml resources:
kind: Namespace - hello-world-namespace
result: pass result: pass
rule: sync-image-pull-secret


@ -1,12 +1,13 @@
name: foreach-mutate name: foreach-mutate
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: mutate-emptydir - kind: Deployment
rule: setDefault patchedResource: deploy-patched.yaml
resource: svc-sizelimit-test policy: mutate-emptydir
patchedResource: deploy-patched.yaml resources:
kind: Deployment - svc-sizelimit-test
result: pass result: pass
rule: setDefault


@ -1,12 +1,13 @@
name: foreach-mutate name: foreach-mutate
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: add-default-resources - kind: Pod
rule: add-default-requests patchedResource: patched.yaml
resource: badpod policy: add-default-resources
patchedResource: patched.yaml resources:
kind: Pod - badpod
result: pass result: pass
rule: add-default-requests


@ -1,19 +1,21 @@
name: foreach-mutate name: foreach-mutate
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
variables: values.yaml
results: results:
- policy: foreach-json-patch - kind: Pod
rule: add-security-context patchedResource: patched-resource.yaml
resource: nginx policy: foreach-json-patch
patchedResource: patched-resource.yaml resources:
kind: Pod - nginx
result: pass result: pass
- policy: mutate-images rule: add-security-context
rule: test - kind: Pod
resource: mypod patchedResource: pod-updated-image.yaml
patchedResource: pod-updated-image.yaml policy: mutate-images
kind: Pod resources:
result: pass - mypod
result: pass
rule: test
variables: values.yaml


@ -1,12 +1,13 @@
name: foreach-mutate name: foreach-mutate
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: replace-image-registry-containers - kind: Pod
rule: set-default patchedResource: pod-patched.yaml
resource: test-patched-image policy: replace-image-registry-containers
patchedResource: pod-patched.yaml resources:
kind: Pod - test-patched-image
result: pass result: pass
rule: set-default


@ -1,28 +1,32 @@
name: validate-service-loadbalancer name: validate-service-loadbalancer
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: add-safe-to-evict - kind: Pod
rule: annotate-empty-dir policy: add-safe-to-evict
resource: pod-without-emptydir-hostpath resources:
kind: Pod - pod-without-emptydir-hostpath
result: skip result: skip
- policy: add-safe-to-evict rule: annotate-empty-dir
rule: annotate-empty-dir - kind: Pod
resource: pod-with-emptydir-hostpath patchedResource: patchedResource.yaml
patchedResource: patchedResource.yaml policy: add-safe-to-evict
kind: Pod resources:
result: pass - pod-with-emptydir-hostpath
- policy: add-safe-to-evict result: pass
rule: annotate-empty-dir rule: annotate-empty-dir
resource: pod-with-emptydir-hostpath-1 - kind: Pod
patchedResource: patchedResourceWithVolume.yaml patchedResource: patchedResourceWithVolume.yaml
kind: Pod policy: add-safe-to-evict
result: pass resources:
- policy: add-safe-to-evict - pod-with-emptydir-hostpath-1
rule: annotate-empty-dir result: pass
resource: pod-without-emptydir-hostpath-1 rule: annotate-empty-dir
kind: Pod - kind: Pod
result: skip policy: add-safe-to-evict
resources:
- pod-without-emptydir-hostpath-1
result: skip
rule: annotate-empty-dir


@ -1,90 +1,103 @@
name: add-nodeselector name: add-nodeselector
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: add-label - kind: Pod
rule: add-label namespace: practice
resource: resource-equal-to-patch-res-for-cp patchedResource: patchedResource1.yaml
patchedResource: patchedResource1.yaml policy: add-label
kind: Pod resources:
namespace: practice - resource-equal-to-patch-res-for-cp
result: skip result: skip
- policy: add-label rule: add-label
rule: add-label - kind: Pod
resource: same-name-but-diff-namespace namespace: testing
patchedResource: patchedResource2.yaml patchedResource: patchedResource2.yaml
kind: Pod policy: add-label
namespace: testing resources:
result: pass - same-name-but-diff-namespace
- policy: add-label result: pass
rule: add-label rule: add-label
resource: same-name-but-diff-namespace - kind: Pod
patchedResource: patchedResource3.yaml namespace: production
kind: Pod patchedResource: patchedResource3.yaml
namespace: production policy: add-label
result: pass resources:
- policy: add-label - same-name-but-diff-namespace
rule: add-label result: pass
resource: mydeploy rule: add-label
patchedResource: patchedResource4.yaml - kind: Deployment
kind: Deployment patchedResource: patchedResource4.yaml
result: pass policy: add-label
- policy: add-label resources:
rule: add-label - mydeploy
resource: same-name-but-diff-kind result: pass
patchedResource: patchedResource5.yaml rule: add-label
kind: Service - kind: Service
result: skip patchedResource: patchedResource5.yaml
- policy: add-label policy: add-label
rule: add-label resources:
resource: same-name-but-diff-kind - same-name-but-diff-kind
patchedResource: patchedResource6.yaml result: skip
kind: Pod rule: add-label
result: pass - kind: Pod
- policy: add-ndots patchedResource: patchedResource6.yaml
rule: add-ndots policy: add-label
resource: resource-equal-to-patch-res-for-cp resources:
namespace: practice - same-name-but-diff-kind
patchedResource: patchedResource7.yaml result: pass
kind: Pod rule: add-label
result: skip - kind: Pod
- policy: add-ndots namespace: practice
rule: add-ndots patchedResource: patchedResource7.yaml
resource: same-name-but-diff-namespace policy: add-ndots
patchedResource: patchedResource8.yaml resources:
namespace: testing - resource-equal-to-patch-res-for-cp
kind: Pod result: skip
result: pass rule: add-ndots
- policy: add-ndots - kind: Pod
rule: add-ndots namespace: testing
resource: same-name-but-diff-namespace patchedResource: patchedResource8.yaml
patchedResource: patchedResource9.yaml policy: add-ndots
kind: Pod resources:
namespace: production - same-name-but-diff-namespace
result: skip result: pass
- policy: add-ndots rule: add-ndots
rule: add-ndots - kind: Pod
resource: mydeploy namespace: production
patchedResource: patchedResource10.yaml patchedResource: patchedResource9.yaml
kind: Deployment policy: add-ndots
result: skip resources:
- policy: add-ndots - same-name-but-diff-namespace
rule: add-ndots result: skip
resource: same-name-but-diff-kind rule: add-ndots
patchedResource: patchedResource5.yaml - kind: Deployment
kind: Service patchedResource: patchedResource10.yaml
result: skip policy: add-ndots
- policy: add-ndots resources:
rule: add-ndots - mydeploy
resource: same-name-but-diff-kind result: skip
patchedResource: patchedResource11.yaml rule: add-ndots
kind: Pod - kind: Service
result: skip patchedResource: patchedResource5.yaml
- policy: example policy: add-ndots
rule: object_from_lists resources:
resource: example - same-name-but-diff-kind
patchedResource: patched-resource.yaml result: skip
kind: Pod rule: add-ndots
result: pass - kind: Pod
patchedResource: patchedResource11.yaml
policy: add-ndots
resources:
- same-name-but-diff-kind
result: skip
rule: add-ndots
- kind: Pod
patchedResource: patched-resource.yaml
policy: example
resources:
- example
result: pass
rule: object_from_lists


@ -1,20 +1,25 @@
name: add-default-resources-test name: add-default-resources-test
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
variables: variables.yaml
results: results:
- policy: add-default-resources - kind: Pod
rule: add-default-requests patchedResource: patched-resource.yaml
resource: nginx-demo policy: add-default-resources
patchedResource: patched-resource.yaml resources:
kind: Pod - nginx-demo
result: pass result: pass
rule: add-default-requests
values: values:
globalValues: null
namespaceSelector: null
policies: policies:
- name: add-default-resources - name: add-default-resources
resources: resources:
- name: nginx-demo - name: nginx-demo
values: values:
request.operation: CREATE request.operation: CREATE
rules: null
subresources: null
variables: variables.yaml
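Review bot: The rewritten `values:` block now carries explicit `globalValues: null`, `namespaceSelector: null`, `rules: null` and `subresources: null` entries that the original file never declared, which suggests the fixer serializes the whole values struct rather than only the fields the author set. These lines are noise for anyone reading the fixture and will be stamped into every test file the command touches; the same materialized zero values appear in the deny-exec-by-pod-label section further down (`resources: null`, `foreachValues: null`, `verbs: null`). Marking the optional fields `omitempty` on the serialized type, or pruning nil entries before marshalling, would keep the rewritten files as compact as the originals.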


@ -1,38 +1,43 @@
name: admission-user-info name: admission-user-info
policies: policies:
- disallow_latest_tag.yaml - disallow_latest_tag.yaml
resources: resources:
- resource.yaml - resource.yaml
userinfo: user_info.yaml
results: results:
- policy: disallow-latest-tag - kind: Pod
rule: require-image-tag policy: disallow-latest-tag
resource: myapp-pod1 resources:
kind: Pod - myapp-pod1
result: pass result: pass
- policy: disallow-latest-tag rule: require-image-tag
rule: require-image-tag - kind: Pod
resource: myapp-pod2 policy: disallow-latest-tag
kind: Pod resources:
result: pass - myapp-pod2
- policy: disallow-latest-tag result: pass
rule: require-image-tag rule: require-image-tag
resource: myapp-pod3 - kind: Pod
kind: Pod policy: disallow-latest-tag
result: pass resources:
- policy: disallow-latest-tag - myapp-pod3
rule: validate-image-tag result: pass
resource: myapp-pod1 rule: require-image-tag
kind: Pod - kind: Pod
result: pass policy: disallow-latest-tag
- policy: disallow-latest-tag resources:
rule: validate-image-tag - myapp-pod1
resource: myapp-pod2 result: pass
kind: Pod rule: validate-image-tag
result: pass - kind: Pod
- policy: disallow-latest-tag policy: disallow-latest-tag
rule: validate-image-tag resources:
resource: myapp-pod3 - myapp-pod2
kind: Pod result: pass
result: pass rule: validate-image-tag
- kind: Pod
policy: disallow-latest-tag
resources:
- myapp-pod3
result: pass
rule: validate-image-tag
userinfo: user_info.yaml


@ -1,24 +1,27 @@
name: disallow-protected-namespaces name: disallow-protected-namespaces
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: disallow-protected-namespaces - kind: Pod
rule: disallow namespace: namespace1
resource: test1 policy: disallow-protected-namespaces
kind: Pod resources:
namespace: namespace1 - test1
result: fail result: fail
- policy: disallow-protected-namespaces rule: disallow
rule: disallow - kind: Pod
resource: test2 namespace: namespace2
kind: Pod policy: disallow-protected-namespaces
namespace: namespace2 resources:
result: fail - test2
- policy: disallow-protected-namespaces result: fail
rule: disallow rule: disallow
resource: test3 - kind: Pod
kind: Pod namespace: namespace3
namespace: namespace3 policy: disallow-protected-namespaces
result: skip resources:
- test3
result: skip
rule: disallow


@ -1,14 +1,14 @@
---
name: enforce-pod-name name: enforce-pod-name
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
variables: value.yaml
results: results:
- policy: enforce-pod-name - kind: Pod
rule: validate-name namespace: test1
resource: test-nginx policy: enforce-pod-name
kind: Pod resources:
namespace: test1 - test-nginx
result: pass result: pass
rule: validate-name
variables: value.yaml


@ -1,26 +1,30 @@
name: validate-service-loadbalancer name: validate-service-loadbalancer
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: validate-service-loadbalancer - kind: Service
rule: check-loadbalancer-public policy: validate-service-loadbalancer
resource: service-public-pass resources:
kind: Service - service-public-pass
result: pass result: pass
- policy: validate-service-loadbalancer rule: check-loadbalancer-public
rule: check-loadbalancer-public - kind: Service
resource: service-public-2-pass policy: validate-service-loadbalancer
kind: Service resources:
result: pass - service-public-2-pass
- policy: validate-service-loadbalancer result: pass
rule: check-loadbalancer-public rule: check-loadbalancer-public
resource: service-public-fail - kind: Service
kind: Service policy: validate-service-loadbalancer
result: fail resources:
- policy: validate-service-loadbalancer - service-public-fail
rule: check-loadbalancer-public result: fail
resource: service-clusterip-skip rule: check-loadbalancer-public
kind: Service - kind: Service
result: skip policy: validate-service-loadbalancer
resources:
- service-clusterip-skip
result: skip
rule: check-loadbalancer-public


@ -1,60 +1,54 @@
name: kyverno-test.yaml
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
# TEST: Pod with Labels Should Pass - kind: Pod
- policy: require-common-labels policy: require-common-labels
rule: check-for-labels resources:
- pod-with-labels
result: pass result: pass
kind: Pod
resource: pod-with-labels
# TEST: Pod Missing Labels Should Fail
- policy: require-common-labels
rule: check-for-labels rule: check-for-labels
- kind: Pod
policy: require-common-labels
resources:
- pod-missing-labels
result: fail result: fail
kind: Pod
resource: pod-missing-labels
# TEST: Deployment with Labels Should Pass
- policy: require-common-labels
rule: check-for-labels rule: check-for-labels
- kind: Deployment
policy: require-common-labels
resources:
- deployment-with-labels
result: pass result: pass
kind: Deployment
resource: deployment-with-labels
# TEST: Deployment with Labels Should Fail
- policy: require-common-labels
rule: check-for-labels rule: check-for-labels
- kind: Deployment
policy: require-common-labels
resources:
- deployment-missing-labels
result: fail result: fail
kind: Deployment
resource: deployment-missing-labels
# TEST: StatefulSet with Labels Should Pass
- policy: require-common-labels
rule: check-for-labels rule: check-for-labels
- kind: StatefulSet
policy: require-common-labels
resources:
- StatefulSet-with-labels
result: pass result: pass
kind: StatefulSet
resource: StatefulSet-with-labels
# TEST: StatefulSet with Labels Should fail
- policy: require-common-labels
rule: check-for-labels rule: check-for-labels
- kind: StatefulSet
policy: require-common-labels
resources:
- StatefulSet-without-labels
result: fail result: fail
kind: StatefulSet
resource: StatefulSet-without-labels
# TEST: Cronjob with Labels Should pass
- policy: require-common-labels
rule: check-for-labels rule: check-for-labels
- kind: CronJob
policy: require-common-labels
resources:
- cronjob-with-labels
result: pass result: pass
kind: CronJob
resource: cronjob-with-labels
# TEST: Cronjob without Labels Should fail
- policy: require-common-labels
rule: check-for-labels rule: check-for-labels
- kind: CronJob
policy: require-common-labels
resources:
- cronjob-without-labels
result: fail result: fail
kind: CronJob rule: check-for-labels
resource: cronjob-without-labels
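Review bot: The new `name: kyverno-test.yaml` looks like a placeholder derived from the file's basename rather than a description of the test, and it will be identical for every nameless test the command fixes, which makes results hard to attribute when several tests run together. The rewrite also drops the `# TEST: Pod with Labels Should Pass` style comments that documented each result entry, so the fixture loses its only human-readable explanation; the yaml-verification section below loses its `# no signature` / `# one signature` annotations the same way. If the marshalling round trip cannot preserve comments, it would be worth deriving the default `name` from the parent directory instead and having the command report that comments in the rewritten file are discarded.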


@ -1,16 +1,18 @@
name: test-image-verify-signature name: test-image-verify-signature
policies: policies:
- policy.yml - policy.yml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: check-image - kind: Pod
rule: verify-signature policy: check-image
resource: signed-first resources:
kind: Pod - signed-first
status: fail result: fail
- policy: check-image rule: verify-signature
rule: verify-signature - kind: Pod
resource: unsigned-first policy: check-image
kind: Pod resources:
status: fail - unsigned-first
result: fail
rule: verify-signature


@ -1,61 +1,72 @@
name: test-context-entries name: test-context-entries
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: example - kind: Pod
rule: defined-value policy: example
resource: example resources:
kind: Pod - example
result: pass result: pass
- policy: example rule: defined-value
rule: defined-jmespath - kind: Pod
resource: example policy: example
kind: Pod resources:
result: pass - example
- policy: example result: pass
rule: defined-jmespath-with-default rule: defined-jmespath
resource: example - kind: Pod
kind: Pod policy: example
result: pass resources:
- policy: example - example
rule: defined-value-with-variable result: pass
resource: example rule: defined-jmespath-with-default
kind: Pod - kind: Pod
result: pass policy: example
- policy: example resources:
rule: defined-jmespath-with-default-variable - example
resource: example result: pass
kind: Pod rule: defined-value-with-variable
result: pass - kind: Pod
- policy: example policy: example
rule: defined-value-jmespath resources:
resource: example - example
kind: Pod result: pass
result: pass rule: defined-jmespath-with-default-variable
- policy: example - kind: Pod
rule: defined-value-jmespath-variable policy: example
resource: example resources:
kind: Pod - example
result: pass result: pass
- policy: example rule: defined-value-jmespath
rule: value-override - kind: Pod
resource: example policy: example
kind: Pod resources:
result: pass - example
- policy: example result: pass
rule: wildcard-match rule: defined-value-jmespath-variable
resource: example - kind: Pod
kind: Pod policy: example
result: pass resources:
- policy: example - example
rule: items result: pass
resource: example rule: value-override
kind: Pod - kind: Pod
result: pass policy: example
- policy: example resources:
rule: unused-var - example
resource: example result: pass
kind: Pod rule: wildcard-match
result: pass - kind: Pod
policy: example
resources:
- example
result: pass
rule: items
- kind: Pod
policy: example
resources:
- example
result: pass
rule: unused-var


@ -1,17 +1,19 @@
name: block-images name: block-images
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
variables: values.yaml
results: results:
- policy: block-images - kind: Pod
rule: block-images policy: block-images
resource: good-pod resources:
kind: Pod - good-pod
result: pass result: pass
- policy: block-images
rule: block-images rule: block-images
resource: bad-pod - kind: Pod
kind: Pod policy: block-images
resources:
- bad-pod
result: fail result: fail
rule: block-images
variables: values.yaml


@ -1,67 +1,78 @@
name: test-custom-funcs name: test-custom-funcs
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: base64 - kind: Secret
rule: secret-value-must-match-label policy: base64
resource: base64-test-match resources:
kind: Secret - base64-test-match
status: pass result: pass
- policy: base64 rule: secret-value-must-match-label
rule: secret-value-must-match-label - kind: Secret
resource: base64-test-no-match policy: base64
kind: Secret resources:
status: fail - base64-test-no-match
- policy: pattern-match result: fail
rule: label-must-match-pattern rule: secret-value-must-match-label
resource: pattern-match-test-match - kind: Namespace
kind: Namespace policy: pattern-match
status: pass resources:
- policy: pattern-match - pattern-match-test-match
rule: label-must-match-pattern result: pass
resource: pattern-match-test-no-match rule: label-must-match-pattern
kind: Namespace - kind: Namespace
status: fail policy: pattern-match
- policy: path-canonicalize resources:
rule: disallow-mount-containerd-sock - pattern-match-test-no-match
resource: mount-containerd-sock result: fail
kind: Pod rule: label-must-match-pattern
status: fail - kind: Pod
- policy: test-parse-json policy: path-canonicalize
rule: test-json-parsing-jmespath resources:
resource: valid-test - mount-containerd-sock
kind: ConfigMap result: fail
result: pass rule: disallow-mount-containerd-sock
- policy: test-parse-json - kind: ConfigMap
rule: test-json-parsing-jmespath policy: test-parse-json
resource: invalid-test resources:
kind: ConfigMap - valid-test
result: fail result: pass
- policy: test-parse-yaml rule: test-json-parsing-jmespath
rule: test-yaml-parsing-jmespath - kind: ConfigMap
resource: valid-yaml-test policy: test-parse-json
kind: ConfigMap resources:
result: pass - invalid-test
- policy: test-parse-yaml result: fail
rule: test-yaml-parsing-jmespath rule: test-json-parsing-jmespath
resource: invalid-yaml-test - kind: ConfigMap
kind: ConfigMap policy: test-parse-yaml
result: fail resources:
- policy: test-parse-yaml-array - valid-yaml-test
rule: test-yaml-parsing-jmespath result: pass
resource: valid-yaml-test rule: test-yaml-parsing-jmespath
kind: ConfigMap - kind: ConfigMap
result: pass policy: test-parse-yaml
- policy: test-parse-yaml-array resources:
rule: test-yaml-parsing-jmespath - invalid-yaml-test
resource: invalid-yaml-test result: fail
kind: ConfigMap rule: test-yaml-parsing-jmespath
result: fail - kind: ConfigMap
- policy: test-x509-decode policy: test-parse-yaml-array
rule: test-x509-decode resources:
resource: test-x509-configmap - valid-yaml-test
kind: ConfigMap result: pass
result: fail rule: test-yaml-parsing-jmespath
- kind: ConfigMap
policy: test-parse-yaml-array
resources:
- invalid-yaml-test
result: fail
rule: test-yaml-parsing-jmespath
- kind: ConfigMap
policy: test-x509-decode
resources:
- test-x509-configmap
result: fail
rule: test-x509-decode


@ -1,16 +1,18 @@
name: psp-check-supplemental-groups name: psp-check-supplemental-groups
policies: policies:
- check-supplemental-groups.yaml - check-supplemental-groups.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: psp-check-supplemental-groups - kind: Pod
rule: supplementalgroup-ranges policy: psp-check-supplemental-groups
resource: badpod01 resources:
kind: Pod - badpod01
result: fail result: fail
- policy: psp-check-supplemental-groups rule: supplementalgroup-ranges
rule: supplementalgroup-ranges - kind: Pod
resource: goodpod01 policy: psp-check-supplemental-groups
kind: Pod resources:
result: pass - goodpod01
result: pass
rule: supplementalgroup-ranges


@ -1,16 +1,18 @@
name: test-simple name: test-simple
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: check-deprecated-api - kind: CronJob
rule: validate-v1-25-removal policy: check-deprecated-api
resource: hello resources:
kind: CronJob - hello
status: skip result: skip
- policy: check-deprecated-api rule: validate-v1-25-removal
rule: validate-v1-25-removal - kind: CronJob
resource: hello-fail policy: check-deprecated-api
kind: CronJob resources:
status: warn - hello-fail
result: warn
rule: validate-v1-25-removal


@ -1,30 +1,40 @@
name: deny-exec-by-pod-label name: deny-exec-by-pod-label
policies: policies:
- deny-exec-by-pod-label.yaml - deny-exec-by-pod-label.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: deny-exec-by-pod-label - kind: PodExecOptions
rule: deny-exec-by-label namespace: default
resource: execpod policy: deny-exec-by-pod-label
namespace: default resources:
kind: PodExecOptions - execpod
result: fail result: fail
rule: deny-exec-by-label
values: values:
policies:
- name: deny-exec-by-pod-label
rules:
- name: deny-exec-by-label
values:
podexeclabel: "false"
globalValues: globalValues:
request.operation: CONNECT request.operation: CONNECT
namespaceSelector: null
policies:
- name: deny-exec-by-pod-label
resources: null
rules:
- foreachValues: null
name: deny-exec-by-label
values:
podexeclabel: "false"
subresources: subresources:
- subresource: - parentResource:
name: "pods/exec" kind: Pod
kind: "PodExecOptions" name: pods
version: "v1" namespaced: false
parentResource: singularName: ""
name: "pods" verbs: null
kind: "Pod" version: v1
version: "v1" subresource:
kind: PodExecOptions
name: pods/exec
namespaced: false
singularName: ""
verbs: null
version: v1
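Review bot: The rewritten `parentResource` now states `namespaced: false` for `kind: Pod` / `name: pods`, an assertion the original file never made and which is wrong for pods, so the fixture has gone from omitting the field to encoding an incorrect zero value. `singularName: ""` and `verbs: null` on both entries are the same effect and carry no information. Unless the CLI ignores these fields, the fixer should omit zero-valued fields here rather than materialize them; if `namespaced` is consulted, the correct line for the pods parent resource is `namespaced: true`.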


@ -1,16 +1,18 @@
name: test-foreach-precondition name: test-foreach-precondition
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: enforce-limits-fraction - kind: Pod
rule: check-memory-requests-limits policy: enforce-limits-fraction
resource: frontend1 resources:
kind: Pod - frontend1
status: fail result: fail
- policy: enforce-limits-fraction rule: check-memory-requests-limits
rule: check-memory-requests-limits - kind: Pod
resource: frontend2 policy: enforce-limits-fraction
kind: Pod resources:
status: pass - frontend2
result: pass
rule: check-memory-requests-limits


@ -1,56 +1,66 @@
name: test-foreach name: test-foreach
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: validate-empty-dir-mountpath - kind: Pod
rule: check-mount-paths policy: validate-empty-dir-mountpath
resource: test-pod resources:
kind: Pod - test-pod
status: pass result: pass
- policy: validate-empty-dir-mountpath rule: check-mount-paths
rule: check-mount-paths - kind: Pod
resource: test-pod2 policy: validate-empty-dir-mountpath
kind: Pod resources:
status: pass - test-pod2
- policy: validate-empty-dir-resources result: pass
rule: check-resources rule: check-mount-paths
resource: test-pod-bad-mount - kind: Pod
kind: Pod policy: validate-empty-dir-resources
status: fail resources:
- policy: validate-empty-dir-resources - test-pod-bad-mount
rule: check-resources result: fail
resource: test-pod rule: check-resources
kind: Pod - kind: Pod
status: fail policy: validate-empty-dir-resources
- policy: validate-empty-dir-resources resources:
rule: check-resources - test-pod
resource: test-pod-with-resources result: fail
kind: Pod rule: check-resources
status: pass - kind: Pod
- policy: validate-empty-dir-resources policy: validate-empty-dir-resources
rule: check-resources resources:
resource: test-pod-with-gke-vol - test-pod-with-resources
kind: Pod result: pass
status: skip rule: check-resources
- policy: validate-empty-dir-resources - kind: Pod
rule: check-resources policy: validate-empty-dir-resources
resource: test-pod-with-resources-multiple-ctnrs resources:
kind: Pod - test-pod-with-gke-vol
status: pass result: skip
- policy: validate-image-list rule: check-resources
rule: check-image - kind: Pod
resource: test-pod policy: validate-empty-dir-resources
kind: Pod resources:
status: fail - test-pod-with-resources-multiple-ctnrs
- policy: validate-image-list result: pass
rule: check-image rule: check-resources
resource: test-pod-ghcr - kind: Pod
kind: Pod policy: validate-image-list
status: fail resources:
- policy: validate-image-list-error - test-pod
rule: check-image result: fail
resource: test-pod-ghcr rule: check-image
kind: Pod - kind: Pod
status: error policy: validate-image-list
resources:
- test-pod-ghcr
result: fail
rule: check-image
- kind: Pod
policy: validate-image-list-error
resources:
- test-pod-ghcr
result: error
rule: check-image


@ -1,18 +1,20 @@
name: test-image-digest name: test-image-digest
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: require-image-digest - kind: Pod
rule: check-digest namespace: test
resource: no-digest policy: require-image-digest
kind: Pod resources:
namespace: test - no-digest
status: fail result: fail
- policy: require-image-digest rule: check-digest
rule: check-digest - kind: Pod
resource: with-digest namespace: test
kind: Pod policy: require-image-digest
namespace: test resources:
status: pass - with-digest
result: pass
rule: check-digest


@ -1,11 +1,12 @@
name: test-image-enforce-signatures name: test-image-enforce-signatures
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: secure-images - kind: Pod
rule: enforce-signatures policy: secure-images
resource: tomcat resources:
kind: Pod - tomcat
status: fail result: fail
rule: enforce-signatures


@ -1,16 +1,18 @@
name: test-image-signature name: test-image-signature
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: verify-signature - kind: Pod
rule: check-static-key policy: verify-signature
resource: signed resources:
kind: Pod - signed
status: pass result: pass
- policy: verify-signature rule: check-static-key
rule: check-static-key - kind: Pod
resource: unsigned policy: verify-signature
kind: Pod resources:
status: fail - unsigned
result: fail
rule: check-static-key


@ -1,26 +1,30 @@
name: test-image-verify-signature name: test-image-verify-signature
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: check-image - kind: Pod
rule: verify-signature policy: check-image
resource: signed resources:
kind: Pod - signed
status: pass result: pass
- policy: check-image rule: verify-signature
rule: verify-signature - kind: Pod
resource: unsigned policy: check-image
kind: Pod resources:
status: fail - unsigned
- policy: check-data-volume-image result: fail
rule: verify-signature rule: verify-signature
resource: signed-registry-image-datavolume - kind: DataVolume
kind: DataVolume policy: check-data-volume-image
status: pass resources:
- policy: check-data-volume-image - signed-registry-image-datavolume
rule: verify-signature result: pass
resource: unsigned-registry-image-datavolume rule: verify-signature
kind: DataVolume - kind: DataVolume
status: fail policy: check-data-volume-image
resources:
- unsigned-registry-image-datavolume
result: fail
rule: verify-signature


@ -1,36 +1,42 @@
name: test-preconditions name: test-preconditions
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: test-jmespath - kind: Pod
rule: test-jmespath policy: test-jmespath
resource: test-valid1 resources:
kind: Pod - test-valid1
status: pass result: pass
- policy: test-jmespath rule: test-jmespath
rule: test-jmespath - kind: Pod
resource: test-valid2 policy: test-jmespath
kind: Pod resources:
status: pass - test-valid2
- policy: test-jmespath result: pass
rule: test-jmespath rule: test-jmespath
resource: test-valid3 - kind: Pod
kind: Pod policy: test-jmespath
status: pass resources:
- policy: test-jmespath - test-valid3
rule: test-jmespath result: pass
resource: test-invalid rule: test-jmespath
kind: Pod - kind: Pod
status: fail policy: test-jmespath
- policy: namespace-validation resources:
rule: namespace-validation - test-invalid
resource: test-invalid result: fail
kind: Namespace rule: test-jmespath
status: fail - kind: Namespace
- policy: namespace-validation policy: namespace-validation
rule: namespace-validation resources:
resource: test-valid - test-invalid
kind: Namespace result: fail
status: pass rule: namespace-validation
- kind: Namespace
policy: namespace-validation
resources:
- test-valid
result: pass
rule: namespace-validation


@ -1,19 +1,21 @@
name: limit-configmap-for-sa name: limit-configmap-for-sa
policies: policies:
- limit_configmap_for_sa.yaml - limit_configmap_for_sa.yaml
resources: resources:
- resource.yaml - resource.yaml
variables: variables.yaml
userinfo: user_info.yaml
results: results:
- policy: limit-configmap-for-sa - kind: ConfigMap
rule: limit-configmap-for-sa-developer namespace: any-namespace
resource: any-configmap-name-good policy: limit-configmap-for-sa
kind: ConfigMap resources:
namespace: any-namespace - any-configmap-name-good
result: fail result: fail
- policy: limit-configmap-for-sa rule: limit-configmap-for-sa-developer
rule: limit-configmap-for-sa-developer - kind: ConfigMap
resource: any-configmap-name-bad policy: limit-configmap-for-sa
kind: ConfigMap resources:
result: skip - any-configmap-name-bad
result: skip
rule: limit-configmap-for-sa-developer
userinfo: user_info.yaml
variables: variables.yaml


@ -1,21 +1,24 @@
name: yaml-verification name: yaml-verification
policies: policies:
- policies.yaml - policies.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: validate-yaml - kind: Service
rule: validate-yaml policy: validate-yaml
resource: test-service # no signature resources:
kind: Service - test-service
result: fail result: fail
- policy: validate-yaml rule: validate-yaml
rule: validate-yaml - kind: Service
resource: test-service2 # one signature policy: validate-yaml
kind: Service resources:
result: pass - test-service2
- policy: validate-yaml result: pass
rule: validate-yaml-multi-sig rule: validate-yaml
resource: test-service3 # multi signature - kind: Service
kind: Service policy: validate-yaml
result: pass resources:
- test-service3
result: pass
rule: validate-yaml-multi-sig


@ -1,32 +1,36 @@
name: ondemand name: ondemand
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: ondemand - kind: Pod
rule: ondemand-nodeselector namespace: user-space
resource: nodeselector-with-labels-on-mutation patchedResource: patched-resource.yaml
patchedResource: patched-resource.yaml policy: ondemand
namespace: user-space resources:
kind: Pod - nodeselector-with-labels-on-mutation
result: pass result: pass
- policy: ondemand rule: ondemand-nodeselector
rule: ondemand-managed_by - kind: Pod
resource: nodeselector-with-labels-on-mutation namespace: user-space
namespace: user-space policy: ondemand
kind: Pod resources:
result: pass - nodeselector-with-labels-on-mutation
- policy: ondemand result: pass
rule: ondemand-nodeselector rule: ondemand-managed_by
resource: nodeselector-without-labels-on-mutation - kind: Pod
patchedResource: patched-resource1.yaml namespace: user-foo
namespace: user-foo patchedResource: patched-resource1.yaml
kind: Pod policy: ondemand
result: skip resources:
- policy: ondemand - nodeselector-without-labels-on-mutation
rule: ondemand-managed_by result: skip
resource: nodeselector-without-labels-on-mutation rule: ondemand-nodeselector
namespace: user-foo - kind: Pod
kind: Pod namespace: user-foo
result: fail policy: ondemand
resources:
- nodeselector-without-labels-on-mutation
result: fail
rule: ondemand-managed_by


@ -1,17 +1,18 @@
name: test-simple name: test-simple
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: test-multiple-key - kind: Pod
rule: test-multiple-key policy: test-multiple-key
resource: test-resource-pass resources:
kind: Pod - test-resource-pass
status: pass result: pass
- policy: test-multiple-key rule: test-multiple-key
rule: test-multiple-key - kind: Pod
resource: test-resource-fail policy: test-multiple-key
kind: Pod resources:
status: fail - test-resource-fail
result: fail
rule: test-multiple-key


@ -1,17 +1,17 @@
name: exclude-namespaces-example name: exclude-namespaces-example
policies: policies:
- exclude_namespaces_dynamically.yaml - exclude_namespaces_dynamically.yaml
resources: resources:
- resource.yaml - resource.yaml
variables: values.yaml
results: results:
- policy: exclude-namespaces-example - kind: Pod
rule: exclude-namespaces-dynamically policy: exclude-namespaces-example
resource: bad-pod01 resource: bad-pod01
kind: Pod result: pass
result: pass rule: exclude-namespaces-dynamically
- policy: exclude-namespaces-example - kind: Pod
rule: exclude-namespaces-dynamically policy: exclude-namespaces-example
resource: bad-pod02 resource: bad-pod02
kind: Pod result: error
result: error rule: exclude-namespaces-dynamically
variables: values.yaml
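Review bot: This section keeps the singular `resource: bad-pod01` / `resource: bad-pod02` keys while every other rewritten file in this commit converts them to a `resources:` list, so the migration is inconsistent and this file still uses the form the other changes treat as deprecated. The same singular key survives in the test-simple section at the end of this chunk (`resource: test-require-image-tag-pass`), whose section runs past the end of the chunk. It is not clear from the diff what distinguishes these files; the conversion should either apply everywhere or the skipped cases should be reported by the command so the author can fix them by hand.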


@ -1,16 +1,18 @@
name: limit-duration name: limit-duration
policies: policies:
- limit-duration.yaml - limit-duration.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: cert-manager-limit-duration - kind: Certificate
rule: certificate-duration-max-100days policy: cert-manager-limit-duration
resource: letsencrypt-crt resources:
kind: Certificate - letsencrypt-crt
result: skip result: skip
- policy: cert-manager-limit-duration rule: certificate-duration-max-100days
rule: certificate-duration-max-100days - kind: Certificate
resource: acme-crt policy: cert-manager-limit-duration
kind: Certificate resources:
result: error - acme-crt
result: error
rule: certificate-duration-max-100days


@ -1,11 +1,12 @@
name: check-kernel name: check-kernel
policies: policies:
- check_node_for_cve_2022_0185.yaml - check_node_for_cve_2022_0185.yaml
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: check-kernel - kind: Node
policy: check-kernel
resources:
- test-check-kernel-version
result: pass
rule: kernel-validate rule: kernel-validate
resource: test-check-kernel-version
kind: Node
result: pass


@ -4,18 +4,21 @@ policies:
resources: resources:
- resource.yaml - resource.yaml
results: results:
- policy: require-pod-probes - kind: Pod
rule: require-pod-probes policy: require-pod-probes
resource: pod-fail resources:
kind: Pod - pod-fail
result: fail result: fail
- policy: require-pod-probes
rule: require-pod-probes rule: require-pod-probes
resource: deployment-skip - kind: Deployment
kind: Deployment policy: require-pod-probes
resources:
- deployment-skip
result: skip
rule: require-pod-probes
- kind: CronJob
policy: require-pod-probes
resources:
- cronjob-skip
result: skip result: skip
- policy: require-pod-probes
rule: require-pod-probes rule: require-pod-probes
resource: cronjob-skip
kind: CronJob
result: skip


@ -1,17 +1,19 @@
name: disallow-naked-pods name: disallow-naked-pods
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
variables: values.yaml
results: results:
- policy: disallow-naked-pods - kind: Pod
rule: validate-naked-pods policy: disallow-naked-pods
resource: blank-skip resources:
kind: Pod - blank-skip
result: skip result: skip
- policy: disallow-naked-pods
rule: validate-naked-pods rule: validate-naked-pods
resource: blank-fail - kind: Pod
kind: Pod policy: disallow-naked-pods
resources:
- blank-fail
result: fail result: fail
rule: validate-naked-pods
variables: values.yaml


@ -1,16 +1,18 @@
name: test-preconditions name: test-preconditions
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: preconditions - kind: Pod
rule: any-rule policy: preconditions
resource: test-valid resources:
kind: Pod - test-valid
status: pass result: pass
- policy: preconditions rule: any-rule
rule: any-rule - kind: Pod
resource: test-invalid policy: preconditions
kind: Pod resources:
status: fail - test-invalid
result: fail
rule: any-rule


@ -1,27 +1,31 @@
name: unique-ingress-host name: unique-ingress-host
policies: policies:
- restrict_ingress_host.yaml - restrict_ingress_host.yaml
resources: resources:
- resource.yaml - resource.yaml
variables: values.yaml
results: results:
- policy: unique-ingress-host - kind: Ingress
rule: check-single-host policy: unique-ingress-host
resource: ingress-kyverno-host resources:
kind: Ingress - ingress-kyverno-host
result: fail result: fail
- policy: unique-ingress-host rule: check-single-host
rule: check-single-host - kind: Ingress
resource: ingress-foo-host policy: unique-ingress-host
kind: Ingress resources:
result: skip - ingress-foo-host
- policy: unique-ingress-host result: skip
rule: deny-multiple-hosts rule: check-single-host
resource: ingress-kyverno-host - kind: Ingress
kind: Ingress policy: unique-ingress-host
result: skip resources:
- policy: unique-ingress-host - ingress-kyverno-host
rule: deny-multiple-hosts result: skip
resource: ingress-foo-host rule: deny-multiple-hosts
kind: Ingress - kind: Ingress
result: fail policy: unique-ingress-host
resources:
- ingress-foo-host
result: fail
rule: deny-multiple-hosts
variables: values.yaml


@ -1,13 +1,14 @@
name: enforce-replicas-for-scale-subresource name: enforce-replicas-for-scale-subresource
policies: policies:
- enforce-replicas-for-scale-subresource.yml - enforce-replicas-for-scale-subresource.yml
resources: resources:
- resource.yaml - resource.yaml
variables: values.yaml
results: results:
- policy: enforce-replicas-for-scale-subresource - kind: Scale
rule: validate-nginx-test namespace: default
resource: nginx-test policy: enforce-replicas-for-scale-subresource
namespace: default resources:
kind: Scale - nginx-test
result: fail result: fail
rule: validate-nginx-test
variables: values.yaml


@ -1,18 +1,20 @@
name: add-maintainer name: add-maintainer
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: add-maintainer - kind: Secret
rule: add-maintainer patchedResource: patched-resource.yaml
resource: example policy: add-maintainer
patchedResource: patched-resource.yaml resources:
kind: Secret - example
result: pass result: pass
- policy: add-maintainer rule: add-maintainer
rule: add-maintainer - kind: Secret
resource: secrete-fail-example patchedResource: patched-resource1.yaml
patchedResource: patched-resource1.yaml policy: add-maintainer
kind: Secret resources:
result: fail - secrete-fail-example
result: fail
rule: add-maintainer


@ -1,95 +1,94 @@
name: test-simple name: test-simple
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
variables: values.yaml
results: results:
- policy: disallow-latest-tag - kind: Pod
rule: require-image-tag namespace: test
resource: test-require-image-tag-pass policy: disallow-latest-tag
kind: Pod resource: test-require-image-tag-pass
namespace: test result: pass
status: pass rule: require-image-tag
- policy: disallow-latest-tag - kind: Pod
rule: require-image-tag namespace: test
resource: test-require-image-tag-fail policy: disallow-latest-tag
kind: Pod resource: test-require-image-tag-fail
namespace: test result: fail
status: fail rule: require-image-tag
- policy: disallow-latest-tag - kind: Pod
rule: validate-image-tag policy: disallow-latest-tag
resource: test-validate-image-tag-ignore resource: test-validate-image-tag-ignore
kind: Pod result: skip
status: skip rule: validate-image-tag
- policy: disallow-latest-tag - kind: Pod
rule: validate-image-tag namespace: test
resource: test-validate-image-tag-fail policy: disallow-latest-tag
namespace: test resource: test-validate-image-tag-fail
kind: Pod result: fail
status: fail rule: validate-image-tag
- policy: disallow-latest-tag - kind: Pod
rule: validate-image-tag namespace: test
resource: test-validate-image-tag-pass policy: disallow-latest-tag
kind: Pod resource: test-validate-image-tag-pass
namespace: test result: pass
status: pass rule: validate-image-tag
- policy: duration-test - kind: Pod
rule: greater-than namespace: test
resource: test-lifetime-fail policy: duration-test
kind: Pod resource: test-lifetime-fail
namespace: test result: fail
status: fail rule: greater-than
- policy: duration-test - kind: Pod
rule: less-than namespace: test
resource: test-lifetime-fail policy: duration-test
kind: Pod resource: test-lifetime-fail
namespace: test result: pass
status: pass rule: less-than
- policy: duration-test - kind: Pod
rule: greater-equal-than namespace: test
resource: test-lifetime-fail policy: duration-test
kind: Pod resource: test-lifetime-fail
namespace: test result: fail
status: fail rule: greater-equal-than
- policy: duration-test - kind: Pod
rule: less-equal-than namespace: test
resource: test-lifetime-fail policy: duration-test
kind: Pod resource: test-lifetime-fail
namespace: test result: pass
status: pass rule: less-equal-than
- kind: Pod
- policy: restrict-pod-counts policy: restrict-pod-counts
rule: restrict-pod-count resource: myapp-pod
resource: myapp-pod result: fail
kind: Pod rule: restrict-pod-count
status: fail - kind: Pod
- policy: restrict-pod-counts namespace: test
rule: restrict-pod-count policy: restrict-pod-counts
resource: test-require-image-tag-pass resource: test-require-image-tag-pass
kind: Pod result: fail
namespace: test rule: restrict-pod-count
status: fail - kind: Pod
- policy: restrict-pod-counts namespace: test
rule: restrict-pod-count policy: restrict-pod-counts
resource: test-require-image-tag-fail resource: test-require-image-tag-fail
kind: Pod result: fail
namespace: test rule: restrict-pod-count
status: fail - kind: Pod
- policy: restrict-pod-counts policy: restrict-pod-counts
rule: restrict-pod-count resource: test-validate-image-tag-ignore
resource: test-validate-image-tag-ignore result: fail
kind: Pod rule: restrict-pod-count
status: fail - kind: Pod
- policy: restrict-pod-counts namespace: test
rule: restrict-pod-count policy: restrict-pod-counts
resource: test-validate-image-tag-fail resource: test-validate-image-tag-fail
kind: Pod result: fail
namespace: test rule: restrict-pod-count
status: fail - kind: Pod
- policy: restrict-pod-counts namespace: test
rule: restrict-pod-count policy: restrict-pod-counts
resource: test-validate-image-tag-pass resource: test-validate-image-tag-pass
kind: Pod result: fail
namespace: test rule: restrict-pod-count
status: fail variables: values.yaml
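Review bot: The new side of this test-simple section keeps the singular `resource:` key on every result entry (for example `resource: test-require-image-tag-pass`), while every other test file touched by this commit was rewritten to the list form `resources:` followed by `- <name>`. If the singular key is the deprecated form, as the other sections suggest, this file is left inconsistent and a later run of the fixer would presumably rewrite it again; if both forms are still accepted, the reason this file was not converted is worth a short comment in the file. Consider normalizing these entries to `resources:` / `- test-require-image-tag-pass` as well so all fixtures exercise the same schema.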


@ -1,12 +1,13 @@
name: chained-variables name: chained-variables
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resource.yaml - resource.yaml
variables: variables.yaml
results: results:
- policy: deny-something - kind: Pod
policy: deny-something
resources:
- valid-pod
result: pass
rule: deny-everything rule: deny-everything
resource: valid-pod variables: variables.yaml
kind: Pod
result: pass


@ -1,77 +1,90 @@
name: test-variables name: test-variables
policies: policies:
- cm-variable-example.yaml - cm-variable-example.yaml
- cm-multiple-example.yaml - cm-multiple-example.yaml
- cm-array-example.yaml - cm-array-example.yaml
- cm-blk-scalar-example.yaml - cm-blk-scalar-example.yaml
- cm-globalval-example.yaml - cm-globalval-example.yaml
- image-example.yaml - image-example.yaml
resources: resources:
- resources.yaml - resources.yaml
variables: variables.yaml
results: results:
- policy: cm-multiple-example - kind: Pod
rule: example-configmap-lookup policy: cm-multiple-example
resource: test-env-test resources:
kind: Pod - test-env-test
result: pass result: pass
- policy: cm-multiple-example rule: example-configmap-lookup
rule: example-configmap-lookup - kind: Pod
resource: test-env-dev policy: cm-multiple-example
kind: Pod resources:
result: fail - test-env-dev
- policy: cm-variable-example result: fail
rule: example-configmap-lookup rule: example-configmap-lookup
resource: test-env-test - kind: Pod
kind: Pod policy: cm-variable-example
result: pass resources:
- policy: cm-variable-example - test-env-test
rule: example-configmap-lookup result: pass
resource: test-env-dev rule: example-configmap-lookup
kind: Pod - kind: Pod
result: fail policy: cm-variable-example
- policy: cm-array-example resources:
rule: validate-role-annotation - test-env-dev
resource: test-web result: fail
kind: Pod rule: example-configmap-lookup
result: fail - kind: Pod
- policy: cm-array-example policy: cm-array-example
rule: validate-role-annotation resources:
resource: test-app - test-web
kind: Pod result: fail
result: pass rule: validate-role-annotation
- policy: cm-blk-scalar-example - kind: Pod
rule: validate-blk-role-annotation policy: cm-array-example
resource: test-blk-web resources:
kind: Pod - test-app
result: fail result: pass
- policy: cm-blk-scalar-example rule: validate-role-annotation
rule: validate-blk-role-annotation - kind: Pod
resource: test-blk-app policy: cm-blk-scalar-example
kind: Pod resources:
result: pass - test-blk-web
- policy: cm-globalval-example result: fail
rule: validate-mode rule: validate-blk-role-annotation
resource: test-global-dev - kind: Pod
kind: Pod policy: cm-blk-scalar-example
result: pass resources:
- policy: cm-globalval-example - test-blk-app
rule: validate-mode result: pass
resource: test-global-prod rule: validate-blk-role-annotation
kind: Pod - kind: Pod
result: fail policy: cm-globalval-example
- policy: images resources:
rule: only-allow-trusted-images - test-global-dev
resource: test-pod-with-non-root-user-image result: pass
kind: Pod rule: validate-mode
status: pass - kind: Pod
- policy: images policy: cm-globalval-example
rule: only-allow-trusted-images resources:
resource: test-pod-with-trusted-registry - test-global-prod
kind: Pod result: fail
status: pass rule: validate-mode
- policy: images - kind: Pod
rule: only-allow-trusted-images policy: images
resource: test-pod-with-non-trusted-registry resources:
kind: Pod - test-pod-with-non-root-user-image
status: fail result: pass
rule: only-allow-trusted-images
- kind: Pod
policy: images
resources:
- test-pod-with-trusted-registry
result: pass
rule: only-allow-trusted-images
- kind: Pod
policy: images
resources:
- test-pod-with-non-trusted-registry
result: fail
rule: only-allow-trusted-images
variables: variables.yaml


@ -1,31 +1,36 @@
name: wildcard-support-in-matchlabels name: wildcard-support-in-matchlabels
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: wildcard-support-in-matchlabels - kind: Pod
rule: wildcard-label policy: wildcard-support-in-matchlabels
resource: my-service-1 resources:
kind: Pod - my-service-1
result: pass result: pass
- policy: wildcard-support-in-matchlabels rule: wildcard-label
rule: label-end-with-test - kind: Pod
resource: my-service-2 policy: wildcard-support-in-matchlabels
kind: Pod resources:
result: pass - my-service-2
- policy: wildcard-support-in-matchlabels result: pass
rule: label-end-with-test rule: label-end-with-test
resource: my-service-3 - kind: Pod
kind: Pod policy: wildcard-support-in-matchlabels
result: skip resources:
- policy: wildcard-support-in-matchlabels - my-service-3
rule: label-start-with-test result: skip
resource: my-service-4 rule: label-end-with-test
kind: Pod - kind: Pod
result: pass policy: wildcard-support-in-matchlabels
- policy: wildcard-support-in-matchlabels resources:
rule: label-start-with-test - my-service-4
resource: my-service-5 result: pass
kind: Pod rule: label-start-with-test
result: skip - kind: Pod
policy: wildcard-support-in-matchlabels
resources:
- my-service-5
result: skip
rule: label-start-with-test


@ -1,18 +1,20 @@
name: wildcard-support-in-matchlabels name: wildcard-support-in-matchlabels
policies: policies:
- policy.yaml - policy.yaml
resources: resources:
- resources.yaml - resources.yaml
results: results:
- policy: mutate-wildcard - kind: Pod
rule: mutate-wildcard patchedResource: patchedResource.yaml
resource: wildcard-mutate policy: mutate-wildcard
patchedResource: patchedResource.yaml resources:
kind: Pod - wildcard-mutate
result: pass result: pass
- policy: mutate-wildcard rule: mutate-wildcard
rule: mutate-wildcard - kind: Pod
resource: wildcard-mutate-fail patchedResource: patchedResource1.yaml
patchedResource: patchedResource1.yaml policy: mutate-wildcard
kind: Pod resources:
result: fail - wildcard-mutate-fail
result: fail
rule: mutate-wildcard