test: new kuttl test for image verify failure policy (#6788)

* add a kuttl test

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* rename policy

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>

test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: failure-policy-test-noconfigmap-diffimage-success

test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: bad-pod.yaml
+  shouldFail: false

test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test verifies that resource creation is not blocked if the `failurePolicy` is set to `Ignore`, when there is an error resolving context variables.
+
+## Expected Behavior
+
+The pod should be created successfully.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6742

test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/bad-pod.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-fail
+  namespace: failure-policy-test-noconfigmap-diffimage-success
+spec:
+  containers:
+  - image: ghcr.io/kyverno/test-verify-image:signed
+    name: test-fail

test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: image-verify-polset-failurepolicy-ignore
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+  name: image-verify-polset-failurepolicy-ignore
+spec:
+  background: false
+  failurePolicy: Ignore
+  rules:
+    - context:
+        - configMap:
+            name: myconfigmap
+            namespace: mynamespace
+          name: myconfigmap
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      name: image-verify-pol1
+      verifyImages:
+        - imageReferences:
+            - ghcr.io/*
+          mutateDigest: false
+          verifyDigest: false
+          attestors:
+            - entries:
+                - keys:
+                    publicKeys: '{{myconfigmap.data.configmapkey}}'
+  validationFailureAction: Audit
+  webhookTimeoutSeconds: 30