
feat: add fix test cli command (#8213)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2023-09-01 17:50:11 +02:00 committed by GitHub
parent deb200dfd6
commit 9f108b11cd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
71 changed files with 1644 additions and 1217 deletions


@ -0,0 +1,21 @@
package fix
import (
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/fix/test"
"github.com/spf13/cobra"
)
func Command() *cobra.Command {
cmd := &cobra.Command{
Use: "fix",
Short: "Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.",
Example: "",
RunE: func(cmd *cobra.Command, args []string) error {
return cmd.Help()
},
}
cmd.AddCommand(
test.Command(),
)
return cmd
}
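Review bot: Exported `Command` has no doc comment; add `// Command returns the "fix" parent command, which prints its help and delegates to the registered subcommands.` above it. `Example: ""` only sets the field to its zero value and can be dropped, or filled with a real invocation such as `kyverno fix test . --save` once the subcommand stabilizes.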


@ -0,0 +1,95 @@
package test
import (
"fmt"
"os"
"path/filepath"
"github.com/spf13/cobra"
"sigs.k8s.io/yaml"
)
func Command() *cobra.Command {
var fileName string
var save bool
cmd := &cobra.Command{
Use: "test",
Short: "Fix inconsistencies and deprecated usage in Kyverno test files.",
Example: "",
RunE: func(cmd *cobra.Command, args []string) error {
var testCases []testCase
for _, arg := range args {
tests, err := loadTests(arg, fileName)
if err != nil {
return err
}
testCases = append(testCases, tests...)
}
for _, testCase := range testCases {
fmt.Printf("Processing test file (%s)...", testCase.path)
fmt.Println()
if testCase.err != nil {
fmt.Printf(" ERROR: loading test file (%s): %s", testCase.path, testCase.err)
fmt.Println()
continue
}
test := testCase.test
needsSave := false
if test.Name == "" {
fmt.Println(" WARNING: name is not set")
test.Name = filepath.Base(testCase.path)
needsSave = true
}
if len(test.Policies) == 0 {
fmt.Println(" WARNING: test has no policies")
}
if len(test.Resources) == 0 {
fmt.Println(" WARNING: test has no policies")
}
for i := range test.Results {
result := &test.Results[i]
if result.Resource != "" && len(result.Resources) != 0 {
fmt.Println(" WARNING: test result should not use both `resource` and `resources` fields")
}
if result.Resource != "" {
fmt.Println(" WARNING: test result uses deprecated `resource` field, moving it into the `resources` field")
result.Resources = append(result.Resources, result.Resource)
result.Resource = ""
needsSave = true
}
if result.Status != "" && result.Result != "" {
fmt.Println(" ERROR: test result should not use both `status` and `result` fields")
}
if result.Status != "" && result.Result == "" {
fmt.Println(" WARNING: test result uses deprecated `status` field, moving it into the `result` field")
result.Result = result.Status
result.Status = ""
needsSave = true
}
}
if save && needsSave {
fmt.Printf(" Saving test file (%s)...", testCase.path)
fmt.Println()
yamlBytes, err := yaml.Marshal(test)
if err != nil {
fmt.Printf(" ERROR: converting test to yaml: %s", err)
fmt.Println()
continue
}
if err := os.WriteFile(testCase.path, yamlBytes, os.ModePerm); err != nil {
fmt.Printf(" ERROR: saving test file (%s): %s", testCase.path, err)
fmt.Println()
continue
}
fmt.Println(" OK")
}
fmt.Println()
}
fmt.Println("Done.")
return nil
},
}
cmd.Flags().StringVarP(&fileName, "file-name", "f", "kyverno-test.yaml", "Test filename")
cmd.Flags().BoolVar(&save, "save", false, "Save fixed file")
return cmd
}
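Review bot: `os.WriteFile(testCase.path, yamlBytes, os.ModePerm)` rewrites the test file with mode 0777 (minus umask), which a YAML data file never needs; use a conservative mode, or read the existing mode with `os.Stat` first and preserve it: `if err := os.WriteFile(testCase.path, yamlBytes, 0o644); err != nil {`. The resources check prints the wrong message (`WARNING: test has no policies` appears twice); the second should read `fmt.Println(" WARNING: test has no resources")`. Because sigs.k8s.io/yaml marshals through JSON, saving appears to drop any comments and reorder keys in the original file (the rewritten fixtures in this commit have alphabetized keys) — worth stating in the `--save` flag help. The fallback name `filepath.Base(testCase.path)` equals the `--file-name` value (by default `kyverno-test.yaml`) for every fixed test, so the enclosing directory name, `filepath.Base(filepath.Dir(testCase.path))`, would likely be a more useful default.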


@ -0,0 +1,61 @@
package test
import (
"os"
"path/filepath"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test/api"
"k8s.io/apimachinery/pkg/util/yaml"
)
type testCase struct {
path string
test *api.Test
err error
}
func loadTests(dirPath string, fileName string) ([]testCase, error) {
return loadLocalTest(filepath.Clean(dirPath), fileName)
}
func loadLocalTest(path string, fileName string) ([]testCase, error) {
var tests []testCase
files, err := os.ReadDir(path)
if err != nil {
return nil, err
}
for _, file := range files {
if file.IsDir() {
ps, err := loadLocalTest(filepath.Join(path, file.Name()), fileName)
if err != nil {
return nil, err
}
tests = append(tests, ps...)
} else if file.Name() == fileName {
tests = append(tests, loadTest(path, file.Name()))
}
}
return tests, nil
}
func loadTest(dirPath string, fileName string) testCase {
path := filepath.Join(dirPath, fileName)
yamlBytes, err := os.ReadFile(path) // #nosec G304
if err != nil {
return testCase{
path: path,
err: err,
}
}
var test api.Test
if err := yaml.UnmarshalStrict(yamlBytes, &test); err != nil {
return testCase{
path: path,
err: err,
}
}
return testCase{
path: path,
test: &test,
}
}
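Review bot: `loadLocalTest` treats every argument as a directory, so passing the path of a test file itself makes `os.ReadDir` fail and `RunE` aborts the whole run on that error with no indication of which argument was at fault; either accept a file path (check `os.Stat` and call `loadTest` directly) or wrap the error, e.g. `return nil, fmt.Errorf("reading test directory %q: %w", path, err)` (this file would need `fmt` imported). `file.IsDir()` on an `fs.DirEntry` is false for a symlink to a directory, so symlinked test directories are skipped silently; a one-line comment stating that this is intended would save the next reader a detour. The hand-rolled recursion could be `filepath.WalkDir`, which also reports the failing path in its error. `testCase` and `loadTests` are unexported, but a short comment on each, e.g. `// testCase is one test file found on disk; exactly one of test or err is set.`, would document the either-or contract the caller relies on.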


@ -9,6 +9,7 @@ import (
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apply"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/create"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/docs"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/fix"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/jp"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/oci"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test"
@ -58,6 +59,9 @@ func registerCommands(cli *cobra.Command) {
version.Command(),
)
if enableExperimental() {
cli.AddCommand(oci.Command())
cli.AddCommand(
fix.Command(),
oci.Command(),
)
}
}


@ -10,10 +10,10 @@ type Test struct {
Name string `json:"name"`
Policies []string `json:"policies"`
Resources []string `json:"resources"`
Variables string `json:"variables"`
UserInfo string `json:"userinfo"`
Variables string `json:"variables,omitempty"`
UserInfo string `json:"userinfo,omitempty"`
Results []TestResults `json:"results"`
Values *Values `json:"values"`
Values *Values `json:"values,omitempty"`
}
type TestResults struct {
@ -26,33 +26,33 @@ type TestResults struct {
// IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy.
// It's required in case policy is a validating admission policy.
// +optional
IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy"`
IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy,omitempty"`
// Result mentions the result that the user is expecting.
// Possible values are pass, fail and skip.
Result policyreportv1alpha2.PolicyResult `json:"result"`
// Status mentions the status that the user is expecting.
// Possible values are pass, fail and skip.
Status policyreportv1alpha2.PolicyResult `json:"status"`
Status policyreportv1alpha2.PolicyResult `json:"status,omitempty"`
// Resource mentions the name of the resource on which the policy is to be applied.
Resource string `json:"resource"`
Resource string `json:"resource,omitempty"`
// Resources gives us the list of resources on which the policy is going to be applied.
Resources []string `json:"resources"`
// Kind mentions the kind of the resource on which the policy is to be applied.
Kind string `json:"kind"`
// Namespace mentions the namespace of the policy which has namespace scope.
Namespace string `json:"namespace"`
Namespace string `json:"namespace,omitempty"`
// PatchedResource takes a resource configuration file in yaml format from
// the user to compare it against the Kyverno mutated resource configuration.
PatchedResource string `json:"patchedResource"`
// AutoGeneratedRule is internally set by the CLI command. It takes values either
// autogen or autogen-cronjob.
AutoGeneratedRule string `json:"auto_generated_rule"`
PatchedResource string `json:"patchedResource,omitempty"`
// GeneratedResource takes a resource configuration file in yaml format from
// the user to compare it against the Kyverno generated resource configuration.
GeneratedResource string `json:"generatedResource"`
GeneratedResource string `json:"generatedResource,omitempty"`
// CloneSourceResource takes the resource configuration file in yaml format
// from the user which is meant to be cloned by the generate rule.
CloneSourceResource string `json:"cloneSourceResource"`
CloneSourceResource string `json:"cloneSourceResource,omitempty"`
// AutoGeneratedRule is internally set by the CLI command. It takes values either
// autogen or autogen-cronjob.
AutoGeneratedRule string `json:"auto_generated_rule,omitempty"`
}
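Review bot: The `omitempty` pass stops at the `Values *Values` pointer: the struct it points to (defined outside this hunk) evidently still serializes every field, since a rewritten fixture later in this commit gains `globalValues: null`, `namespaceSelector: null`, `rules: null` and `subresources: null`. Adding `,omitempty` to those fields too would keep files written by `fix test --save` minimal. Separately, `Status` and `Resource` are now `omitempty` while `Result`, `Resources` and `Kind` stay required; the field comments should say that the former are the deprecated spellings the `fix test` command migrates away from, e.g. `// Deprecated: use Result instead.` on `Status` and `// Deprecated: use Resources instead.` on `Resource`.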
type ReportResult struct {


@ -31,6 +31,7 @@ To enable experimental commands, KYVERNO_EXPERIMENTAL should be configured with
* [kyverno completion](kyverno_completion.md) - Generate the autocompletion script for the specified shell
* [kyverno create](kyverno_create.md) - Provides a command-line interface to help with the creation of various Kyverno resources.
* [kyverno docs](kyverno_docs.md) - Generates documentation.
* [kyverno fix](kyverno_fix.md) - Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.
* [kyverno jp](kyverno_jp.md) - Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.
* [kyverno oci](kyverno_oci.md) - Pulls/pushes images that include policie(s) from/to OCI registries.
* [kyverno test](kyverno_test.md) - Run tests from directory.


@ -0,0 +1,37 @@
## kyverno fix
Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.
```
kyverno fix [flags]
```
### Options
```
-h, --help help for fix
```
### Options inherited from parent commands
```
--add_dir_header If true, adds the file directory to the header of the log messages
--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true)
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true)
--log_file string If non-empty, use this log file (no effect when -logtostderr=true)
--log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--logtostderr log to standard error instead of files (default true)
--one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
--skip_headers If true, avoid header prefixes in the log messages
--skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true)
--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
-v, --v Level number for the log level verbosity
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
```
### SEE ALSO
* [kyverno](kyverno.md) - Kubernetes Native Policy Management
* [kyverno fix test](kyverno_fix_test.md) - Fix inconsistencies and deprecated usage in Kyverno test files.


@ -0,0 +1,38 @@
## kyverno fix test
Fix inconsistencies and deprecated usage in Kyverno test files.
```
kyverno fix test [flags]
```
### Options
```
-f, --file-name string Test filename (default "kyverno-test.yaml")
-h, --help help for test
--save Save fixed file
```
### Options inherited from parent commands
```
--add_dir_header If true, adds the file directory to the header of the log messages
--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true)
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true)
--log_file string If non-empty, use this log file (no effect when -logtostderr=true)
--log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--logtostderr log to standard error instead of files (default true)
--one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
--skip_headers If true, avoid header prefixes in the log messages
--skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true)
--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
-v, --v Level number for the log level verbosity
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
```
### SEE ALSO
* [kyverno fix](kyverno_fix.md) - Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.


@ -4,18 +4,21 @@ policies:
resources:
- resources.yaml
results:
- policy: images
- kind: Pod
policy: images
resources:
- test-pod-with-non-root-user-image
result: pass
rule: only-allow-trusted-images
resource: test-pod-with-non-root-user-image
kind: Pod
status: pass
- policy: images
- kind: Pod
policy: images
resources:
- test-pod-with-trusted-registry
result: pass
rule: only-allow-trusted-images
resource: test-pod-with-trusted-registry
kind: Pod
status: pass
- policy: check-image-base
- kind: Pod
policy: check-image-base
resources:
- test-pod-with-trusted-registry
result: pass
rule: check-image-base-rule
resource: test-pod-with-trusted-registry
kind: Pod
status: pass


@ -4,9 +4,10 @@ policies:
resources:
- resource.yaml
results:
- policy: policy-endpoints
rule: pEP
resource: test-endpoint
patchedresource: patchedresource.yaml
kind: Endpoints
- kind: Endpoints
patchedResource: patchedresource.yaml
policy: policy-endpoints
resources:
- test-endpoint
result: pass
rule: pEP


@ -4,9 +4,10 @@ policies:
resources:
- resource.yaml
results:
- policy: mutate-pods-spec
rule: disable-servicelink-and-token
resource: nginx-deployment
patchedresource: patchedresource.yaml
kind: Deployment
- kind: Deployment
patchedResource: patchedresource.yaml
policy: mutate-pods-spec
resources:
- nginx-deployment
result: pass
rule: disable-servicelink-and-token


@ -4,8 +4,9 @@ policies:
resources:
- resource.yaml
results:
- policy: validate-default-proc-mount
rule: validate-default-proc-mount
resource: nginx-proc-mount
kind: Pod
- kind: Pod
policy: validate-default-proc-mount
resources:
- nginx-proc-mount
result: pass
rule: validate-default-proc-mount


@ -4,8 +4,9 @@ policies:
resources:
- resource.yaml
results:
- policy: validate-disallow-default-serviceaccount
rule: prevent-mounting-default-serviceaccount
resource: pod-with-default-sa
kind: Pod
- kind: Pod
policy: validate-disallow-default-serviceaccount
resources:
- pod-with-default-sa
result: fail
rule: prevent-mounting-default-serviceaccount


@ -4,13 +4,15 @@ policies:
resources:
- resource.yaml
results:
- policy: check-probe-exists
- kind: Pod
policy: check-probe-exists
resources:
- probe
result: pass
rule: check-readinessProbe-exists
resource: probe
kind: Pod
- kind: Pod
policy: check-probe-exists
resources:
- probe
result: pass
- policy: check-probe-exists
rule: check-livenessProbe-exists
resource: probe
kind: Pod
result: pass


@ -4,8 +4,9 @@ policies:
resources:
- resource.yaml
results:
- policy: validate-selinux-options
rule: validate-selinux-options
resource: busybox-selinux
kind: Pod
- kind: Pod
policy: validate-selinux-options
resources:
- busybox-selinux
result: fail
rule: validate-selinux-options


@ -4,8 +4,9 @@ policies:
resources:
- resource.yaml
results:
- policy: validate-volumes-whitelist
rule: validate-volumes-whitelist
resource: test-volumes
kind: Pod
- kind: Pod
policy: validate-volumes-whitelist
resources:
- test-volumes
result: pass
rule: validate-volumes-whitelist


@ -4,8 +4,9 @@ policies:
resources:
- resource.yaml
results:
- policy: restrict-ingress-classes
rule: validate-ingress
resource: test-ingress
kind: Ingress
- kind: Ingress
policy: restrict-ingress-classes
resources:
- test-ingress
result: pass
rule: validate-ingress


@ -4,8 +4,9 @@ policies:
resources:
- resources.yaml
results:
- policy: restrict-labels
rule: restrict-labels
resource: kyverno-system-tst
kind: Namespace
- kind: Namespace
policy: restrict-labels
resources:
- kyverno-system-tst
result: fail
rule: restrict-labels


@ -4,8 +4,9 @@ policies:
resources:
- resources.yaml
results:
- policy: missing
rule: validate-image-tag
resource: test
kind: Pod
- kind: Pod
policy: missing
resources:
- test
result: pass
rule: validate-image-tag


@ -4,8 +4,9 @@ policies:
resources:
- resources.yaml
results:
- policy: disallow-latest-tag
rule: validate-image-tag
resource: missing
kind: Pod
- kind: Pod
policy: disallow-latest-tag
resources:
- missing
result: pass
rule: validate-image-tag


@ -4,8 +4,9 @@ policies:
resources:
- resources.yaml
results:
- policy: disallow-latest-tag
- kind: Pod
policy: disallow-latest-tag
resources:
- test
result: pass
rule: missing
resource: test
kind: Pod
status: pass


@ -4,9 +4,10 @@ policies:
resources:
- resource.yaml
results:
- policy: add-networkpolicy
rule: default-deny
resource: hello-world-namespace
generatedResource: generatedResource.yaml
- generatedResource: generatedResource.yaml
kind: Namespace
policy: add-networkpolicy
resources:
- hello-world-namespace
result: pass
rule: default-deny


@ -4,15 +4,17 @@ policies:
resources:
- resource.yaml
results:
- policy: add-ns-quota
- generatedResource: generatedResourceQuota.yaml
kind: Namespace
policy: add-ns-quota
resources:
- hello-world-namespace
result: pass
rule: generate-resourcequota
resource: hello-world-namespace
generatedResource: generatedResourceQuota.yaml
- generatedResource: generatedLimitRange.yaml
kind: Namespace
policy: add-ns-quota
resources:
- hello-world-namespace
result: pass
- policy: add-ns-quota
rule: generate-limitrange
resource: hello-world-namespace
generatedResource: generatedLimitRange.yaml
kind: Namespace
result: pass


@ -4,10 +4,11 @@ policies:
resources:
- resource.yaml
results:
- policy: create-default-pdb
rule: create-default-pdb
resource: nginx-deployment
generatedResource: generatedResource.yaml
- generatedResource: generatedResource.yaml
kind: Deployment
result: pass
namespace: hello-world
policy: create-default-pdb
resources:
- nginx-deployment
result: pass
rule: create-default-pdb


@ -4,15 +4,17 @@ policies:
resources:
- resources.yaml
results:
- policy: test-policy
rule: rule
resource: resource-a
generatedResource: generated-resource-1.yaml
- generatedResource: generated-resource-1.yaml
kind: Deployment
policy: test-policy
resources:
- resource-a
result: pass
- policy: test-policy
rule: rule
resource: resource-b
generatedResource: generated-resource-2.yaml
- generatedResource: generated-resource-2.yaml
kind: Deployment
policy: test-policy
resources:
- resource-b
result: pass
rule: rule


@ -4,10 +4,11 @@ policies:
resources:
- resource.yaml
results:
- policy: sync-secrets
rule: sync-image-pull-secret
resource: hello-world-namespace
- cloneSourceResource: cloneSourceResource.yaml
generatedResource: generatedResource.yaml
cloneSourceResource: cloneSourceResource.yaml
kind: Namespace
policy: sync-secrets
resources:
- hello-world-namespace
result: pass
rule: sync-image-pull-secret


@ -4,9 +4,10 @@ policies:
resources:
- resources.yaml
results:
- policy: mutate-emptydir
rule: setDefault
resource: svc-sizelimit-test
- kind: Deployment
patchedResource: deploy-patched.yaml
kind: Deployment
policy: mutate-emptydir
resources:
- svc-sizelimit-test
result: pass
rule: setDefault


@ -4,9 +4,10 @@ policies:
resources:
- resources.yaml
results:
- policy: add-default-resources
rule: add-default-requests
resource: badpod
- kind: Pod
patchedResource: patched.yaml
kind: Pod
policy: add-default-resources
resources:
- badpod
result: pass
rule: add-default-requests


@ -3,17 +3,19 @@ policies:
- policies.yaml
resources:
- resources.yaml
variables: values.yaml
results:
- policy: foreach-json-patch
rule: add-security-context
resource: nginx
- kind: Pod
patchedResource: patched-resource.yaml
kind: Pod
policy: foreach-json-patch
resources:
- nginx
result: pass
- policy: mutate-images
rule: test
resource: mypod
rule: add-security-context
- kind: Pod
patchedResource: pod-updated-image.yaml
kind: Pod
policy: mutate-images
resources:
- mypod
result: pass
rule: test
variables: values.yaml


@ -4,9 +4,10 @@ policies:
resources:
- resources.yaml
results:
- policy: replace-image-registry-containers
rule: set-default
resource: test-patched-image
- kind: Pod
patchedResource: pod-patched.yaml
kind: Pod
policy: replace-image-registry-containers
resources:
- test-patched-image
result: pass
rule: set-default


@ -4,25 +4,29 @@ policies:
resources:
- resources.yaml
results:
- policy: add-safe-to-evict
rule: annotate-empty-dir
resource: pod-without-emptydir-hostpath
kind: Pod
- kind: Pod
policy: add-safe-to-evict
resources:
- pod-without-emptydir-hostpath
result: skip
- policy: add-safe-to-evict
rule: annotate-empty-dir
resource: pod-with-emptydir-hostpath
- kind: Pod
patchedResource: patchedResource.yaml
kind: Pod
policy: add-safe-to-evict
resources:
- pod-with-emptydir-hostpath
result: pass
- policy: add-safe-to-evict
rule: annotate-empty-dir
resource: pod-with-emptydir-hostpath-1
- kind: Pod
patchedResource: patchedResourceWithVolume.yaml
kind: Pod
policy: add-safe-to-evict
resources:
- pod-with-emptydir-hostpath-1
result: pass
- policy: add-safe-to-evict
rule: annotate-empty-dir
resource: pod-without-emptydir-hostpath-1
kind: Pod
- kind: Pod
policy: add-safe-to-evict
resources:
- pod-without-emptydir-hostpath-1
result: skip
rule: annotate-empty-dir


@ -4,87 +4,100 @@ policies:
resources:
- resource.yaml
results:
- policy: add-label
rule: add-label
resource: resource-equal-to-patch-res-for-cp
patchedResource: patchedResource1.yaml
kind: Pod
- kind: Pod
namespace: practice
patchedResource: patchedResource1.yaml
policy: add-label
resources:
- resource-equal-to-patch-res-for-cp
result: skip
- policy: add-label
rule: add-label
resource: same-name-but-diff-namespace
patchedResource: patchedResource2.yaml
kind: Pod
- kind: Pod
namespace: testing
patchedResource: patchedResource2.yaml
policy: add-label
resources:
- same-name-but-diff-namespace
result: pass
- policy: add-label
rule: add-label
resource: same-name-but-diff-namespace
patchedResource: patchedResource3.yaml
kind: Pod
- kind: Pod
namespace: production
patchedResource: patchedResource3.yaml
policy: add-label
resources:
- same-name-but-diff-namespace
result: pass
- policy: add-label
rule: add-label
resource: mydeploy
- kind: Deployment
patchedResource: patchedResource4.yaml
kind: Deployment
policy: add-label
resources:
- mydeploy
result: pass
- policy: add-label
rule: add-label
resource: same-name-but-diff-kind
- kind: Service
patchedResource: patchedResource5.yaml
kind: Service
policy: add-label
resources:
- same-name-but-diff-kind
result: skip
- policy: add-label
rule: add-label
resource: same-name-but-diff-kind
- kind: Pod
patchedResource: patchedResource6.yaml
kind: Pod
policy: add-label
resources:
- same-name-but-diff-kind
result: pass
- policy: add-ndots
rule: add-ndots
resource: resource-equal-to-patch-res-for-cp
rule: add-label
- kind: Pod
namespace: practice
patchedResource: patchedResource7.yaml
kind: Pod
policy: add-ndots
resources:
- resource-equal-to-patch-res-for-cp
result: skip
- policy: add-ndots
rule: add-ndots
resource: same-name-but-diff-namespace
patchedResource: patchedResource8.yaml
- kind: Pod
namespace: testing
kind: Pod
patchedResource: patchedResource8.yaml
policy: add-ndots
resources:
- same-name-but-diff-namespace
result: pass
- policy: add-ndots
rule: add-ndots
resource: same-name-but-diff-namespace
patchedResource: patchedResource9.yaml
kind: Pod
- kind: Pod
namespace: production
patchedResource: patchedResource9.yaml
policy: add-ndots
resources:
- same-name-but-diff-namespace
result: skip
- policy: add-ndots
rule: add-ndots
resource: mydeploy
- kind: Deployment
patchedResource: patchedResource10.yaml
kind: Deployment
policy: add-ndots
resources:
- mydeploy
result: skip
- policy: add-ndots
rule: add-ndots
resource: same-name-but-diff-kind
- kind: Service
patchedResource: patchedResource5.yaml
kind: Service
policy: add-ndots
resources:
- same-name-but-diff-kind
result: skip
- policy: add-ndots
rule: add-ndots
resource: same-name-but-diff-kind
- kind: Pod
patchedResource: patchedResource11.yaml
kind: Pod
policy: add-ndots
resources:
- same-name-but-diff-kind
result: skip
- policy: example
rule: object_from_lists
resource: example
rule: add-ndots
- kind: Pod
patchedResource: patched-resource.yaml
kind: Pod
policy: example
resources:
- example
result: pass
rule: object_from_lists


@ -3,18 +3,23 @@ policies:
- policy.yaml
resources:
- resource.yaml
variables: variables.yaml
results:
- policy: add-default-resources
rule: add-default-requests
resource: nginx-demo
- kind: Pod
patchedResource: patched-resource.yaml
kind: Pod
policy: add-default-resources
resources:
- nginx-demo
result: pass
rule: add-default-requests
values:
globalValues: null
namespaceSelector: null
policies:
- name: add-default-resources
resources:
- name: nginx-demo
values:
request.operation: CREATE
rules: null
subresources: null
variables: variables.yaml


@ -3,36 +3,41 @@ policies:
- disallow_latest_tag.yaml
resources:
- resource.yaml
userinfo: user_info.yaml
results:
- policy: disallow-latest-tag
- kind: Pod
policy: disallow-latest-tag
resources:
- myapp-pod1
result: pass
rule: require-image-tag
resource: myapp-pod1
kind: Pod
- kind: Pod
policy: disallow-latest-tag
resources:
- myapp-pod2
result: pass
- policy: disallow-latest-tag
rule: require-image-tag
resource: myapp-pod2
kind: Pod
- kind: Pod
policy: disallow-latest-tag
resources:
- myapp-pod3
result: pass
- policy: disallow-latest-tag
rule: require-image-tag
resource: myapp-pod3
kind: Pod
- kind: Pod
policy: disallow-latest-tag
resources:
- myapp-pod1
result: pass
- policy: disallow-latest-tag
rule: validate-image-tag
resource: myapp-pod1
kind: Pod
- kind: Pod
policy: disallow-latest-tag
resources:
- myapp-pod2
result: pass
- policy: disallow-latest-tag
rule: validate-image-tag
resource: myapp-pod2
kind: Pod
- kind: Pod
policy: disallow-latest-tag
resources:
- myapp-pod3
result: pass
- policy: disallow-latest-tag
rule: validate-image-tag
resource: myapp-pod3
kind: Pod
result: pass
userinfo: user_info.yaml


@ -4,21 +4,24 @@ policies:
resources:
- resource.yaml
results:
- policy: disallow-protected-namespaces
rule: disallow
resource: test1
kind: Pod
- kind: Pod
namespace: namespace1
policy: disallow-protected-namespaces
resources:
- test1
result: fail
- policy: disallow-protected-namespaces
rule: disallow
resource: test2
kind: Pod
- kind: Pod
namespace: namespace2
policy: disallow-protected-namespaces
resources:
- test2
result: fail
- policy: disallow-protected-namespaces
rule: disallow
resource: test3
kind: Pod
- kind: Pod
namespace: namespace3
policy: disallow-protected-namespaces
resources:
- test3
result: skip
rule: disallow


@ -1,14 +1,14 @@
---
name: enforce-pod-name
policies:
- policy.yaml
resources:
- resource.yaml
variables: value.yaml
results:
- policy: enforce-pod-name
rule: validate-name
resource: test-nginx
kind: Pod
- kind: Pod
namespace: test1
policy: enforce-pod-name
resources:
- test-nginx
result: pass
rule: validate-name
variables: value.yaml


@ -4,23 +4,27 @@ policies:
resources:
- resource.yaml
results:
- policy: validate-service-loadbalancer
rule: check-loadbalancer-public
resource: service-public-pass
kind: Service
- kind: Service
policy: validate-service-loadbalancer
resources:
- service-public-pass
result: pass
- policy: validate-service-loadbalancer
rule: check-loadbalancer-public
resource: service-public-2-pass
kind: Service
- kind: Service
policy: validate-service-loadbalancer
resources:
- service-public-2-pass
result: pass
- policy: validate-service-loadbalancer
rule: check-loadbalancer-public
resource: service-public-fail
kind: Service
- kind: Service
policy: validate-service-loadbalancer
resources:
- service-public-fail
result: fail
- policy: validate-service-loadbalancer
rule: check-loadbalancer-public
resource: service-clusterip-skip
kind: Service
- kind: Service
policy: validate-service-loadbalancer
resources:
- service-clusterip-skip
result: skip
rule: check-loadbalancer-public


@ -1,60 +1,54 @@
name: kyverno-test.yaml
policies:
- policy.yaml
resources:
- resources.yaml
results:
# TEST: Pod with Labels Should Pass
- policy: require-common-labels
rule: check-for-labels
- kind: Pod
policy: require-common-labels
resources:
- pod-with-labels
result: pass
kind: Pod
resource: pod-with-labels
# TEST: Pod Missing Labels Should Fail
- policy: require-common-labels
rule: check-for-labels
- kind: Pod
policy: require-common-labels
resources:
- pod-missing-labels
result: fail
kind: Pod
resource: pod-missing-labels
# TEST: Deployment with Labels Should Pass
- policy: require-common-labels
rule: check-for-labels
- kind: Deployment
policy: require-common-labels
resources:
- deployment-with-labels
result: pass
kind: Deployment
resource: deployment-with-labels
# TEST: Deployment with Labels Should Fail
- policy: require-common-labels
rule: check-for-labels
- kind: Deployment
policy: require-common-labels
resources:
- deployment-missing-labels
result: fail
kind: Deployment
resource: deployment-missing-labels
# TEST: StatefulSet with Labels Should Pass
- policy: require-common-labels
rule: check-for-labels
- kind: StatefulSet
policy: require-common-labels
resources:
- StatefulSet-with-labels
result: pass
kind: StatefulSet
resource: StatefulSet-with-labels
# TEST: StatefulSet with Labels Should fail
- policy: require-common-labels
rule: check-for-labels
- kind: StatefulSet
policy: require-common-labels
resources:
- StatefulSet-without-labels
result: fail
kind: StatefulSet
resource: StatefulSet-without-labels
# TEST: Cronjob with Labels Should pass
- policy: require-common-labels
rule: check-for-labels
- kind: CronJob
policy: require-common-labels
resources:
- cronjob-with-labels
result: pass
kind: CronJob
resource: cronjob-with-labels
# TEST: Cronjob without Labels Should fail
- policy: require-common-labels
rule: check-for-labels
- kind: CronJob
policy: require-common-labels
resources:
- cronjob-without-labels
result: fail
kind: CronJob
resource: cronjob-without-labels
rule: check-for-labels


@ -4,13 +4,15 @@ policies:
resources:
- resources.yaml
results:
- policy: check-image
- kind: Pod
policy: check-image
resources:
- signed-first
result: fail
rule: verify-signature
resource: signed-first
kind: Pod
status: fail
- policy: check-image
- kind: Pod
policy: check-image
resources:
- unsigned-first
result: fail
rule: verify-signature
resource: unsigned-first
kind: Pod
status: fail


@ -4,58 +4,69 @@ policies:
resources:
- resources.yaml
results:
- policy: example
- kind: Pod
policy: example
resources:
- example
result: pass
rule: defined-value
resource: example
kind: Pod
- kind: Pod
policy: example
resources:
- example
result: pass
- policy: example
rule: defined-jmespath
resource: example
kind: Pod
- kind: Pod
policy: example
resources:
- example
result: pass
- policy: example
rule: defined-jmespath-with-default
resource: example
kind: Pod
- kind: Pod
policy: example
resources:
- example
result: pass
- policy: example
rule: defined-value-with-variable
resource: example
kind: Pod
- kind: Pod
policy: example
resources:
- example
result: pass
- policy: example
rule: defined-jmespath-with-default-variable
resource: example
kind: Pod
- kind: Pod
policy: example
resources:
- example
result: pass
- policy: example
rule: defined-value-jmespath
resource: example
kind: Pod
- kind: Pod
policy: example
resources:
- example
result: pass
- policy: example
rule: defined-value-jmespath-variable
resource: example
kind: Pod
- kind: Pod
policy: example
resources:
- example
result: pass
- policy: example
rule: value-override
resource: example
kind: Pod
- kind: Pod
policy: example
resources:
- example
result: pass
- policy: example
rule: wildcard-match
resource: example
kind: Pod
- kind: Pod
policy: example
resources:
- example
result: pass
- policy: example
rule: items
resource: example
kind: Pod
- kind: Pod
policy: example
resources:
- example
result: pass
- policy: example
rule: unused-var
resource: example
kind: Pod
result: pass


@ -3,15 +3,17 @@ policies:
- policy.yaml
resources:
- resources.yaml
variables: values.yaml
results:
- policy: block-images
rule: block-images
resource: good-pod
kind: Pod
- kind: Pod
policy: block-images
resources:
- good-pod
result: pass
- policy: block-images
rule: block-images
resource: bad-pod
kind: Pod
- kind: Pod
policy: block-images
resources:
- bad-pod
result: fail
rule: block-images
variables: values.yaml


@ -4,64 +4,75 @@ policies:
resources:
- resources.yaml
results:
- policy: base64
- kind: Secret
policy: base64
resources:
- base64-test-match
result: pass
rule: secret-value-must-match-label
resource: base64-test-match
kind: Secret
status: pass
- policy: base64
- kind: Secret
policy: base64
resources:
- base64-test-no-match
result: fail
rule: secret-value-must-match-label
resource: base64-test-no-match
kind: Secret
status: fail
- policy: pattern-match
- kind: Namespace
policy: pattern-match
resources:
- pattern-match-test-match
result: pass
rule: label-must-match-pattern
resource: pattern-match-test-match
kind: Namespace
status: pass
- policy: pattern-match
- kind: Namespace
policy: pattern-match
resources:
- pattern-match-test-no-match
result: fail
rule: label-must-match-pattern
resource: pattern-match-test-no-match
kind: Namespace
status: fail
- policy: path-canonicalize
- kind: Pod
policy: path-canonicalize
resources:
- mount-containerd-sock
result: fail
rule: disallow-mount-containerd-sock
resource: mount-containerd-sock
kind: Pod
status: fail
- policy: test-parse-json
- kind: ConfigMap
policy: test-parse-json
resources:
- valid-test
result: pass
rule: test-json-parsing-jmespath
resource: valid-test
kind: ConfigMap
result: pass
- policy: test-parse-json
- kind: ConfigMap
policy: test-parse-json
resources:
- invalid-test
result: fail
rule: test-json-parsing-jmespath
resource: invalid-test
kind: ConfigMap
result: fail
- policy: test-parse-yaml
rule: test-yaml-parsing-jmespath
resource: valid-yaml-test
kind: ConfigMap
- kind: ConfigMap
policy: test-parse-yaml
resources:
- valid-yaml-test
result: pass
- policy: test-parse-yaml
rule: test-yaml-parsing-jmespath
resource: invalid-yaml-test
kind: ConfigMap
- kind: ConfigMap
policy: test-parse-yaml
resources:
- invalid-yaml-test
result: fail
- policy: test-parse-yaml-array
rule: test-yaml-parsing-jmespath
resource: valid-yaml-test
kind: ConfigMap
- kind: ConfigMap
policy: test-parse-yaml-array
resources:
- valid-yaml-test
result: pass
- policy: test-parse-yaml-array
rule: test-yaml-parsing-jmespath
resource: invalid-yaml-test
kind: ConfigMap
- kind: ConfigMap
policy: test-parse-yaml-array
resources:
- invalid-yaml-test
result: fail
rule: test-yaml-parsing-jmespath
- kind: ConfigMap
policy: test-x509-decode
resources:
- test-x509-configmap
result: fail
- policy: test-x509-decode
rule: test-x509-decode
resource: test-x509-configmap
kind: ConfigMap
result: fail


@ -4,13 +4,15 @@ policies:
resources:
- resource.yaml
results:
- policy: psp-check-supplemental-groups
rule: supplementalgroup-ranges
resource: badpod01
kind: Pod
- kind: Pod
policy: psp-check-supplemental-groups
resources:
- badpod01
result: fail
- policy: psp-check-supplemental-groups
rule: supplementalgroup-ranges
resource: goodpod01
kind: Pod
- kind: Pod
policy: psp-check-supplemental-groups
resources:
- goodpod01
result: pass
rule: supplementalgroup-ranges


@ -4,13 +4,15 @@ policies:
resources:
- resources.yaml
results:
- policy: check-deprecated-api
- kind: CronJob
policy: check-deprecated-api
resources:
- hello
result: skip
rule: validate-v1-25-removal
resource: hello
kind: CronJob
status: skip
- policy: check-deprecated-api
- kind: CronJob
policy: check-deprecated-api
resources:
- hello-fail
result: warn
rule: validate-v1-25-removal
resource: hello-fail
kind: CronJob
status: warn


@ -4,27 +4,37 @@ policies:
resources:
- resource.yaml
results:
- policy: deny-exec-by-pod-label
rule: deny-exec-by-label
resource: execpod
- kind: PodExecOptions
namespace: default
kind: PodExecOptions
policy: deny-exec-by-pod-label
resources:
- execpod
result: fail
rule: deny-exec-by-label
values:
policies:
- name: deny-exec-by-pod-label
rules:
- name: deny-exec-by-label
values:
podexeclabel: "false"
globalValues:
request.operation: CONNECT
namespaceSelector: null
policies:
- name: deny-exec-by-pod-label
resources: null
rules:
- foreachValues: null
name: deny-exec-by-label
values:
podexeclabel: "false"
subresources:
- subresource:
name: "pods/exec"
kind: "PodExecOptions"
version: "v1"
parentResource:
name: "pods"
kind: "Pod"
version: "v1"
- parentResource:
kind: Pod
name: pods
namespaced: false
singularName: ""
verbs: null
version: v1
subresource:
kind: PodExecOptions
name: pods/exec
namespaced: false
singularName: ""
verbs: null
version: v1
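Review bot: The rewritten `values` and `subresources` blocks now carry zero-valued fields the original file never set — `namespaceSelector: null`, `resources: null`, `foreachValues: null`, `namespaced: false`, `singularName: ""`, `verbs: null` — which is what you get when the test structure is marshalled back out with fields that lack `omitempty`. Beyond the noise, an explicit `null` in a fixture reads as a deliberate override rather than "unset", and every future `--save` run will reintroduce these lines, so the fixer undoes hand-cleanups. The type definitions are outside this commit, so I am inferring the cause; tagging the optional fields `json:"...,omitempty"` (or pruning nil/empty members before writing) would keep the saved files minimal. The quoted `"false"` for `podexeclabel` did survive the round-trip as a string, which is the behaviour the test depends on.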


@ -4,13 +4,15 @@ policies:
resources:
- resources.yaml
results:
- policy: enforce-limits-fraction
- kind: Pod
policy: enforce-limits-fraction
resources:
- frontend1
result: fail
rule: check-memory-requests-limits
resource: frontend1
kind: Pod
status: fail
- policy: enforce-limits-fraction
- kind: Pod
policy: enforce-limits-fraction
resources:
- frontend2
result: pass
rule: check-memory-requests-limits
resource: frontend2
kind: Pod
status: pass


@ -4,53 +4,63 @@ policies:
resources:
- resources.yaml
results:
- policy: validate-empty-dir-mountpath
- kind: Pod
policy: validate-empty-dir-mountpath
resources:
- test-pod
result: pass
rule: check-mount-paths
resource: test-pod
kind: Pod
status: pass
- policy: validate-empty-dir-mountpath
- kind: Pod
policy: validate-empty-dir-mountpath
resources:
- test-pod2
result: pass
rule: check-mount-paths
resource: test-pod2
kind: Pod
status: pass
- policy: validate-empty-dir-resources
- kind: Pod
policy: validate-empty-dir-resources
resources:
- test-pod-bad-mount
result: fail
rule: check-resources
resource: test-pod-bad-mount
kind: Pod
status: fail
- policy: validate-empty-dir-resources
- kind: Pod
policy: validate-empty-dir-resources
resources:
- test-pod
result: fail
rule: check-resources
resource: test-pod
kind: Pod
status: fail
- policy: validate-empty-dir-resources
- kind: Pod
policy: validate-empty-dir-resources
resources:
- test-pod-with-resources
result: pass
rule: check-resources
resource: test-pod-with-resources
kind: Pod
status: pass
- policy: validate-empty-dir-resources
- kind: Pod
policy: validate-empty-dir-resources
resources:
- test-pod-with-gke-vol
result: skip
rule: check-resources
resource: test-pod-with-gke-vol
kind: Pod
status: skip
- policy: validate-empty-dir-resources
- kind: Pod
policy: validate-empty-dir-resources
resources:
- test-pod-with-resources-multiple-ctnrs
result: pass
rule: check-resources
resource: test-pod-with-resources-multiple-ctnrs
kind: Pod
status: pass
- policy: validate-image-list
- kind: Pod
policy: validate-image-list
resources:
- test-pod
result: fail
rule: check-image
resource: test-pod
kind: Pod
status: fail
- policy: validate-image-list
- kind: Pod
policy: validate-image-list
resources:
- test-pod-ghcr
result: fail
rule: check-image
resource: test-pod-ghcr
kind: Pod
status: fail
- policy: validate-image-list-error
- kind: Pod
policy: validate-image-list-error
resources:
- test-pod-ghcr
result: error
rule: check-image
resource: test-pod-ghcr
kind: Pod
status: error


@ -4,15 +4,17 @@ policies:
resources:
- resources.yaml
results:
- policy: require-image-digest
rule: check-digest
resource: no-digest
kind: Pod
- kind: Pod
namespace: test
status: fail
- policy: require-image-digest
policy: require-image-digest
resources:
- no-digest
result: fail
rule: check-digest
resource: with-digest
kind: Pod
- kind: Pod
namespace: test
status: pass
policy: require-image-digest
resources:
- with-digest
result: pass
rule: check-digest


@ -4,8 +4,9 @@ policies:
resources:
- resources.yaml
results:
- policy: secure-images
- kind: Pod
policy: secure-images
resources:
- tomcat
result: fail
rule: enforce-signatures
resource: tomcat
kind: Pod
status: fail


@ -4,13 +4,15 @@ policies:
resources:
- resources.yaml
results:
- policy: verify-signature
- kind: Pod
policy: verify-signature
resources:
- signed
result: pass
rule: check-static-key
resource: signed
kind: Pod
status: pass
- policy: verify-signature
- kind: Pod
policy: verify-signature
resources:
- unsigned
result: fail
rule: check-static-key
resource: unsigned
kind: Pod
status: fail


@ -4,23 +4,27 @@ policies:
resources:
- resources.yaml
results:
- policy: check-image
- kind: Pod
policy: check-image
resources:
- signed
result: pass
rule: verify-signature
resource: signed
kind: Pod
status: pass
- policy: check-image
- kind: Pod
policy: check-image
resources:
- unsigned
result: fail
rule: verify-signature
resource: unsigned
kind: Pod
status: fail
- policy: check-data-volume-image
- kind: DataVolume
policy: check-data-volume-image
resources:
- signed-registry-image-datavolume
result: pass
rule: verify-signature
resource: signed-registry-image-datavolume
kind: DataVolume
status: pass
- policy: check-data-volume-image
- kind: DataVolume
policy: check-data-volume-image
resources:
- unsigned-registry-image-datavolume
result: fail
rule: verify-signature
resource: unsigned-registry-image-datavolume
kind: DataVolume
status: fail


@ -4,33 +4,39 @@ policies:
resources:
- resources.yaml
results:
- policy: test-jmespath
- kind: Pod
policy: test-jmespath
resources:
- test-valid1
result: pass
rule: test-jmespath
resource: test-valid1
kind: Pod
status: pass
- policy: test-jmespath
- kind: Pod
policy: test-jmespath
resources:
- test-valid2
result: pass
rule: test-jmespath
resource: test-valid2
kind: Pod
status: pass
- policy: test-jmespath
- kind: Pod
policy: test-jmespath
resources:
- test-valid3
result: pass
rule: test-jmespath
resource: test-valid3
kind: Pod
status: pass
- policy: test-jmespath
- kind: Pod
policy: test-jmespath
resources:
- test-invalid
result: fail
rule: test-jmespath
resource: test-invalid
kind: Pod
status: fail
- policy: namespace-validation
- kind: Namespace
policy: namespace-validation
resources:
- test-invalid
result: fail
rule: namespace-validation
resource: test-invalid
kind: Namespace
status: fail
- policy: namespace-validation
- kind: Namespace
policy: namespace-validation
resources:
- test-valid
result: pass
rule: namespace-validation
resource: test-valid
kind: Namespace
status: pass


@ -3,17 +3,19 @@ policies:
- limit_configmap_for_sa.yaml
resources:
- resource.yaml
variables: variables.yaml
userinfo: user_info.yaml
results:
- policy: limit-configmap-for-sa
rule: limit-configmap-for-sa-developer
resource: any-configmap-name-good
kind: ConfigMap
- kind: ConfigMap
namespace: any-namespace
policy: limit-configmap-for-sa
resources:
- any-configmap-name-good
result: fail
- policy: limit-configmap-for-sa
rule: limit-configmap-for-sa-developer
resource: any-configmap-name-bad
kind: ConfigMap
- kind: ConfigMap
policy: limit-configmap-for-sa
resources:
- any-configmap-name-bad
result: skip
rule: limit-configmap-for-sa-developer
userinfo: user_info.yaml
variables: variables.yaml


@ -4,18 +4,21 @@ policies:
resources:
- resources.yaml
results:
- policy: validate-yaml
rule: validate-yaml
resource: test-service # no signature
kind: Service
- kind: Service
policy: validate-yaml
resources:
- test-service
result: fail
- policy: validate-yaml
rule: validate-yaml
resource: test-service2 # one signature
kind: Service
- kind: Service
policy: validate-yaml
resources:
- test-service2
result: pass
rule: validate-yaml
- kind: Service
policy: validate-yaml
resources:
- test-service3
result: pass
- policy: validate-yaml
rule: validate-yaml-multi-sig
resource: test-service3 # multi signature
kind: Service
result: pass
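Review bot: The explanatory comments on the old `resource:` lines (`# no signature`, `# one signature`, `# multi signature`) do not reappear on the new `resources:` entries, so the rewrite silently discards author intent from the fixture. That is expected from a full unmarshal/marshal round-trip, but it makes `--save` lossy for any test file that documents its cases inline, and nothing in the new file tells a reader that `test-service3` is the multi-signature case. At minimum the command's help text should say so, e.g. `--save rewrites the file from the parsed structure; YAML comments are not preserved`; if the result type has a free-text field, moving the annotation there before running the fixer would keep it.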


@ -4,29 +4,33 @@ policies:
resources:
- resource.yaml
results:
- policy: ondemand
rule: ondemand-nodeselector
resource: nodeselector-with-labels-on-mutation
- kind: Pod
namespace: user-space
patchedResource: patched-resource.yaml
namespace: user-space
kind: Pod
policy: ondemand
resources:
- nodeselector-with-labels-on-mutation
result: pass
- policy: ondemand
rule: ondemand-managed_by
resource: nodeselector-with-labels-on-mutation
namespace: user-space
kind: Pod
result: pass
- policy: ondemand
rule: ondemand-nodeselector
resource: nodeselector-without-labels-on-mutation
patchedResource: patched-resource1.yaml
namespace: user-foo
kind: Pod
result: skip
- policy: ondemand
- kind: Pod
namespace: user-space
policy: ondemand
resources:
- nodeselector-with-labels-on-mutation
result: pass
rule: ondemand-managed_by
resource: nodeselector-without-labels-on-mutation
- kind: Pod
namespace: user-foo
kind: Pod
patchedResource: patched-resource1.yaml
policy: ondemand
resources:
- nodeselector-without-labels-on-mutation
result: skip
rule: ondemand-nodeselector
- kind: Pod
namespace: user-foo
policy: ondemand
resources:
- nodeselector-without-labels-on-mutation
result: fail
rule: ondemand-managed_by


@ -4,14 +4,15 @@ policies:
resources:
- resources.yaml
results:
- policy: test-multiple-key
- kind: Pod
policy: test-multiple-key
resources:
- test-resource-pass
result: pass
rule: test-multiple-key
resource: test-resource-pass
kind: Pod
status: pass
- policy: test-multiple-key
- kind: Pod
policy: test-multiple-key
resources:
- test-resource-fail
result: fail
rule: test-multiple-key
resource: test-resource-fail
kind: Pod
status: fail


@ -3,15 +3,15 @@ policies:
- exclude_namespaces_dynamically.yaml
resources:
- resource.yaml
variables: values.yaml
results:
- policy: exclude-namespaces-example
rule: exclude-namespaces-dynamically
- kind: Pod
policy: exclude-namespaces-example
resource: bad-pod01
kind: Pod
result: pass
- policy: exclude-namespaces-example
rule: exclude-namespaces-dynamically
- kind: Pod
policy: exclude-namespaces-example
resource: bad-pod02
kind: Pod
result: error
rule: exclude-namespaces-dynamically
variables: values.yaml
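Review bot: The migrated entries here still use the singular `resource: bad-pod01` and `resource: bad-pod02`, whereas every other section in this commit was rewritten to the list form `resources:` — this file is left on exactly the key the fix command is meant to retire. I cannot tell from the hunk whether the fixer skips these cases on purpose; the `disallow-latest-tag`/`restrict-pod-counts` section further down shows the same singular form surviving, so it looks like a pattern rather than a one-off. If it is a gap, the conversion `resources: [bad-pod01]` belongs here too, and a check in the tool of the form "`resource` set while `resources` is empty → warn and migrate" would make the result consistent across files.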


@ -4,13 +4,15 @@ policies:
resources:
- resource.yaml
results:
- policy: cert-manager-limit-duration
rule: certificate-duration-max-100days
resource: letsencrypt-crt
kind: Certificate
- kind: Certificate
policy: cert-manager-limit-duration
resources:
- letsencrypt-crt
result: skip
- policy: cert-manager-limit-duration
rule: certificate-duration-max-100days
resource: acme-crt
kind: Certificate
- kind: Certificate
policy: cert-manager-limit-duration
resources:
- acme-crt
result: error
rule: certificate-duration-max-100days


@ -4,8 +4,9 @@ policies:
resources:
- resource.yaml
results:
- policy: check-kernel
rule: kernel-validate
resource: test-check-kernel-version
kind: Node
- kind: Node
policy: check-kernel
resources:
- test-check-kernel-version
result: pass
rule: kernel-validate


@ -4,18 +4,21 @@ policies:
resources:
- resource.yaml
results:
- policy: require-pod-probes
rule: require-pod-probes
resource: pod-fail
kind: Pod
- kind: Pod
policy: require-pod-probes
resources:
- pod-fail
result: fail
- policy: require-pod-probes
rule: require-pod-probes
resource: deployment-skip
kind: Deployment
- kind: Deployment
policy: require-pod-probes
resources:
- deployment-skip
result: skip
- policy: require-pod-probes
rule: require-pod-probes
resource: cronjob-skip
kind: CronJob
- kind: CronJob
policy: require-pod-probes
resources:
- cronjob-skip
result: skip
rule: require-pod-probes


@ -3,15 +3,17 @@ policies:
- policy.yaml
resources:
- resource.yaml
variables: values.yaml
results:
- policy: disallow-naked-pods
rule: validate-naked-pods
resource: blank-skip
kind: Pod
- kind: Pod
policy: disallow-naked-pods
resources:
- blank-skip
result: skip
- policy: disallow-naked-pods
rule: validate-naked-pods
resource: blank-fail
kind: Pod
- kind: Pod
policy: disallow-naked-pods
resources:
- blank-fail
result: fail
rule: validate-naked-pods
variables: values.yaml


@ -4,13 +4,15 @@ policies:
resources:
- resources.yaml
results:
- policy: preconditions
- kind: Pod
policy: preconditions
resources:
- test-valid
result: pass
rule: any-rule
resource: test-valid
kind: Pod
status: pass
- policy: preconditions
- kind: Pod
policy: preconditions
resources:
- test-invalid
result: fail
rule: any-rule
resource: test-invalid
kind: Pod
status: fail


@ -3,25 +3,29 @@ policies:
- restrict_ingress_host.yaml
resources:
- resource.yaml
variables: values.yaml
results:
- policy: unique-ingress-host
rule: check-single-host
resource: ingress-kyverno-host
kind: Ingress
- kind: Ingress
policy: unique-ingress-host
resources:
- ingress-kyverno-host
result: fail
- policy: unique-ingress-host
rule: check-single-host
resource: ingress-foo-host
kind: Ingress
- kind: Ingress
policy: unique-ingress-host
resources:
- ingress-foo-host
result: skip
- policy: unique-ingress-host
rule: deny-multiple-hosts
resource: ingress-kyverno-host
kind: Ingress
rule: check-single-host
- kind: Ingress
policy: unique-ingress-host
resources:
- ingress-kyverno-host
result: skip
- policy: unique-ingress-host
rule: deny-multiple-hosts
resource: ingress-foo-host
kind: Ingress
- kind: Ingress
policy: unique-ingress-host
resources:
- ingress-foo-host
result: fail
rule: deny-multiple-hosts
variables: values.yaml


@ -3,11 +3,12 @@ policies:
- enforce-replicas-for-scale-subresource.yml
resources:
- resource.yaml
variables: values.yaml
results:
- policy: enforce-replicas-for-scale-subresource
rule: validate-nginx-test
resource: nginx-test
- kind: Scale
namespace: default
kind: Scale
policy: enforce-replicas-for-scale-subresource
resources:
- nginx-test
result: fail
rule: validate-nginx-test
variables: values.yaml


@ -4,15 +4,17 @@ policies:
resources:
- resources.yaml
results:
- policy: add-maintainer
rule: add-maintainer
resource: example
- kind: Secret
patchedResource: patched-resource.yaml
kind: Secret
policy: add-maintainer
resources:
- example
result: pass
- policy: add-maintainer
rule: add-maintainer
resource: secrete-fail-example
- kind: Secret
patchedResource: patched-resource1.yaml
kind: Secret
policy: add-maintainer
resources:
- secrete-fail-example
result: fail
rule: add-maintainer


@ -3,93 +3,92 @@ policies:
- policy.yaml
resources:
- resources.yaml
variables: values.yaml
results:
- policy: disallow-latest-tag
rule: require-image-tag
- kind: Pod
namespace: test
policy: disallow-latest-tag
resource: test-require-image-tag-pass
kind: Pod
namespace: test
status: pass
- policy: disallow-latest-tag
result: pass
rule: require-image-tag
- kind: Pod
namespace: test
policy: disallow-latest-tag
resource: test-require-image-tag-fail
kind: Pod
namespace: test
status: fail
- policy: disallow-latest-tag
rule: validate-image-tag
result: fail
rule: require-image-tag
- kind: Pod
policy: disallow-latest-tag
resource: test-validate-image-tag-ignore
kind: Pod
status: skip
- policy: disallow-latest-tag
result: skip
rule: validate-image-tag
- kind: Pod
namespace: test
policy: disallow-latest-tag
resource: test-validate-image-tag-fail
namespace: test
kind: Pod
status: fail
- policy: disallow-latest-tag
result: fail
rule: validate-image-tag
resource: test-validate-image-tag-pass
kind: Pod
- kind: Pod
namespace: test
status: pass
- policy: duration-test
policy: disallow-latest-tag
resource: test-validate-image-tag-pass
result: pass
rule: validate-image-tag
- kind: Pod
namespace: test
policy: duration-test
resource: test-lifetime-fail
result: fail
rule: greater-than
resource: test-lifetime-fail
kind: Pod
- kind: Pod
namespace: test
status: fail
- policy: duration-test
policy: duration-test
resource: test-lifetime-fail
result: pass
rule: less-than
resource: test-lifetime-fail
kind: Pod
- kind: Pod
namespace: test
status: pass
- policy: duration-test
policy: duration-test
resource: test-lifetime-fail
result: fail
rule: greater-equal-than
resource: test-lifetime-fail
kind: Pod
- kind: Pod
namespace: test
status: fail
- policy: duration-test
policy: duration-test
resource: test-lifetime-fail
result: pass
rule: less-equal-than
resource: test-lifetime-fail
kind: Pod
namespace: test
status: pass
- policy: restrict-pod-counts
rule: restrict-pod-count
- kind: Pod
policy: restrict-pod-counts
resource: myapp-pod
kind: Pod
status: fail
- policy: restrict-pod-counts
result: fail
rule: restrict-pod-count
- kind: Pod
namespace: test
policy: restrict-pod-counts
resource: test-require-image-tag-pass
kind: Pod
namespace: test
status: fail
- policy: restrict-pod-counts
result: fail
rule: restrict-pod-count
- kind: Pod
namespace: test
policy: restrict-pod-counts
resource: test-require-image-tag-fail
kind: Pod
namespace: test
status: fail
- policy: restrict-pod-counts
result: fail
rule: restrict-pod-count
- kind: Pod
policy: restrict-pod-counts
resource: test-validate-image-tag-ignore
kind: Pod
status: fail
- policy: restrict-pod-counts
result: fail
rule: restrict-pod-count
- kind: Pod
namespace: test
policy: restrict-pod-counts
resource: test-validate-image-tag-fail
kind: Pod
namespace: test
status: fail
- policy: restrict-pod-counts
result: fail
rule: restrict-pod-count
resource: test-validate-image-tag-pass
kind: Pod
- kind: Pod
namespace: test
status: fail
policy: restrict-pod-counts
resource: test-validate-image-tag-pass
result: fail
rule: restrict-pod-count
variables: values.yaml


@ -3,10 +3,11 @@ policies:
- policy.yaml
resources:
- resource.yaml
variables: variables.yaml
results:
- policy: deny-something
rule: deny-everything
resource: valid-pod
kind: Pod
- kind: Pod
policy: deny-something
resources:
- valid-pod
result: pass
rule: deny-everything
variables: variables.yaml


@ -8,70 +8,83 @@ policies:
- image-example.yaml
resources:
- resources.yaml
variables: variables.yaml
results:
- policy: cm-multiple-example
rule: example-configmap-lookup
resource: test-env-test
kind: Pod
- kind: Pod
policy: cm-multiple-example
resources:
- test-env-test
result: pass
- policy: cm-multiple-example
rule: example-configmap-lookup
resource: test-env-dev
kind: Pod
- kind: Pod
policy: cm-multiple-example
resources:
- test-env-dev
result: fail
- policy: cm-variable-example
rule: example-configmap-lookup
resource: test-env-test
kind: Pod
- kind: Pod
policy: cm-variable-example
resources:
- test-env-test
result: pass
- policy: cm-variable-example
rule: example-configmap-lookup
resource: test-env-dev
kind: Pod
- kind: Pod
policy: cm-variable-example
resources:
- test-env-dev
result: fail
rule: example-configmap-lookup
- kind: Pod
policy: cm-array-example
resources:
- test-web
result: fail
- policy: cm-array-example
rule: validate-role-annotation
resource: test-web
kind: Pod
result: fail
- policy: cm-array-example
- kind: Pod
policy: cm-array-example
resources:
- test-app
result: pass
rule: validate-role-annotation
resource: test-app
kind: Pod
result: pass
- policy: cm-blk-scalar-example
rule: validate-blk-role-annotation
resource: test-blk-web
kind: Pod
- kind: Pod
policy: cm-blk-scalar-example
resources:
- test-blk-web
result: fail
- policy: cm-blk-scalar-example
rule: validate-blk-role-annotation
resource: test-blk-app
kind: Pod
- kind: Pod
policy: cm-blk-scalar-example
resources:
- test-blk-app
result: pass
- policy: cm-globalval-example
rule: validate-mode
resource: test-global-dev
kind: Pod
rule: validate-blk-role-annotation
- kind: Pod
policy: cm-globalval-example
resources:
- test-global-dev
result: pass
- policy: cm-globalval-example
rule: validate-mode
resource: test-global-prod
kind: Pod
- kind: Pod
policy: cm-globalval-example
resources:
- test-global-prod
result: fail
- policy: images
rule: validate-mode
- kind: Pod
policy: images
resources:
- test-pod-with-non-root-user-image
result: pass
rule: only-allow-trusted-images
resource: test-pod-with-non-root-user-image
kind: Pod
status: pass
- policy: images
- kind: Pod
policy: images
resources:
- test-pod-with-trusted-registry
result: pass
rule: only-allow-trusted-images
resource: test-pod-with-trusted-registry
kind: Pod
status: pass
- policy: images
- kind: Pod
policy: images
resources:
- test-pod-with-non-trusted-registry
result: fail
rule: only-allow-trusted-images
resource: test-pod-with-non-trusted-registry
kind: Pod
status: fail
variables: variables.yaml


@ -4,28 +4,33 @@ policies:
resources:
- resources.yaml
results:
- policy: wildcard-support-in-matchlabels
- kind: Pod
policy: wildcard-support-in-matchlabels
resources:
- my-service-1
result: pass
rule: wildcard-label
resource: my-service-1
kind: Pod
- kind: Pod
policy: wildcard-support-in-matchlabels
resources:
- my-service-2
result: pass
- policy: wildcard-support-in-matchlabels
rule: label-end-with-test
resource: my-service-2
kind: Pod
result: pass
- policy: wildcard-support-in-matchlabels
- kind: Pod
policy: wildcard-support-in-matchlabels
resources:
- my-service-3
result: skip
rule: label-end-with-test
resource: my-service-3
kind: Pod
result: skip
- policy: wildcard-support-in-matchlabels
rule: label-start-with-test
resource: my-service-4
kind: Pod
- kind: Pod
policy: wildcard-support-in-matchlabels
resources:
- my-service-4
result: pass
- policy: wildcard-support-in-matchlabels
rule: label-start-with-test
resource: my-service-5
kind: Pod
- kind: Pod
policy: wildcard-support-in-matchlabels
resources:
- my-service-5
result: skip
rule: label-start-with-test


@ -4,15 +4,17 @@ policies:
resources:
- resources.yaml
results:
- policy: mutate-wildcard
rule: mutate-wildcard
resource: wildcard-mutate
- kind: Pod
patchedResource: patchedResource.yaml
kind: Pod
policy: mutate-wildcard
resources:
- wildcard-mutate
result: pass
- policy: mutate-wildcard
rule: mutate-wildcard
resource: wildcard-mutate-fail
- kind: Pod
patchedResource: patchedResource1.yaml
kind: Pod
policy: mutate-wildcard
resources:
- wildcard-mutate-fail
result: fail
rule: mutate-wildcard