feat: add chainsaw tests for generate policies (part 2) (#10795)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
deab83d62f
commit
a32bdf1ac1
50 changed files with 727 additions and 8 deletions
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a generate rule in a Policy (Namespaced) with a data declaration and NO synchronization, when a rule within the Policy having two rules is deleted does NOT cause any of the generated resources corresponding to that removed rule to be deleted.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If both generated resources remain after deletion of the rule, the test passes. If either one is deleted, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: otter
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: otter
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: pol-data-nosync-delete-rule
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
- assert:
|
||||
file: resource-generated.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: policy-with-rule-removed.yaml
|
||||
- assert:
|
||||
file: both-resources-exist.yaml
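Review bot: In step-04 the assert on `both-resources-exist.yaml` runs immediately after `policy-with-rule-removed.yaml` is applied, and because both resources already exist from step-03 the assert is satisfied on its first poll, so a regression that deleted them a moment later would never be observed and this test cannot fail for the behaviour it is meant to check. Add a wait between the apply and the assert, mirroring step-02: `- sleep:` / `    duration: 3s`. It would also be worth re-asserting `policy-ready.yaml` after the apply so the updated policy has been reconciled before the non-deletion check runs.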
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: pol-data-nosync-delete-rule-policy
|
||||
namespace: otter
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,33 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: otter
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: pol-data-nosync-delete-rule-policy
|
||||
namespace: otter
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: pol-data-nosync-delete-rule-policy-ruleone
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Secret
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: otter
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
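Review bot: This policy sets `generateExisting: false` only at `spec` level, while the modification hunks later in this commit (L638–L762, L1347–L1440, L1886–L1955, L2250–L2283, L2599–L2632) add the same flag under `rules[].generate`; the other new policies (L816–L966, L1493–L1574, L2040–L2112, L2383–L2455) follow the spec-level form too, so the suite now documents two conventions for one setting. If the rule-level field is the current one, add `generateExisting: false` under each `generate:` block here and drop the spec-level key so new tests do not exercise the older form. Minor: the `data.data` values are quoted here but the expected resource at L53/L56 leaves them unquoted; both parse to the same string, but matching the two files makes the assert easier to eyeball.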
|
|
@ -0,0 +1,51 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: otter
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: pol-data-nosync-delete-rule-policy
|
||||
namespace: otter
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: pol-data-nosync-delete-rule-policy-ruleone
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Secret
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: otter
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
- name: pol-data-nosync-delete-rule-policy-ruletwo
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Service
|
||||
generate:
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
name: default-deny
|
||||
namespace: otter
|
||||
synchronize: false
|
||||
data:
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: otter
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: default-deny
|
||||
namespace: otter
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,26 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: test-secret
|
||||
namespace: otter
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app: engsvcclusip
|
||||
name: engsvcclusip
|
||||
namespace: otter
|
||||
spec:
|
||||
ports:
|
||||
- name: 80-80
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: 80
|
||||
selector:
|
||||
app: engsvcclusip
|
||||
sessionAffinity: None
|
||||
type: ClusterIP
|
|
@ -9,7 +9,6 @@ metadata:
|
|||
name: pol-data-nosync-delete-rule-policy
|
||||
namespace: otter
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: pol-data-nosync-delete-rule-policy-ruleone
|
||||
match:
|
||||
|
@ -18,6 +17,7 @@ spec:
|
|||
kinds:
|
||||
- Secret
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
|
|
|
@ -9,7 +9,6 @@ metadata:
|
|||
name: pol-data-nosync-delete-rule-policy
|
||||
namespace: otter
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- name: pol-data-nosync-delete-rule-policy-ruleone
|
||||
match:
|
||||
|
@ -18,6 +17,7 @@ spec:
|
|||
kinds:
|
||||
- Secret
|
||||
generate:
|
||||
generateExisting: false
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
|
@ -38,6 +38,7 @@ spec:
|
|||
kinds:
|
||||
- Service
|
||||
generate:
|
||||
generateExisting: false
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
name: default-deny
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that deletion of a rule in a Policy (Namespaced) generate rule, data declaration, with sync enabled, results in the downstream resource's deletion.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The downstream (generated) resource is expected to be deleted if the corresponding rule within a Policy is deleted. If it is not deleted, the test fails. If it is deleted, the test passes.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/5744
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: pol-data-sync-delete-rule
|
|
@ -0,0 +1,51 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: multiple-gens
|
||||
namespace: pol-data-sync-delete-rule
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: pol-data-sync-delete-rule
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Secret
|
||||
names:
|
||||
- trigger-secret
|
||||
name: k-kafka-address
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
key: superconfigmap
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
kind: ConfigMap
|
||||
name: superconfigmap
|
||||
namespace: pol-data-sync-delete-rule
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Secret
|
||||
names:
|
||||
- trigger-secret
|
||||
name: super-configmap
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: multiple-gens
|
||||
namespace: pol-data-sync-delete-rule
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
org: kyverno
|
||||
name: trigger-secret
|
||||
namespace: pol-data-sync-delete-rule
|
||||
type: Opaque
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: multiple-gens
|
||||
namespace: pol-data-sync-delete-rule
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
key: superconfigmap
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
kind: ConfigMap
|
||||
name: superconfigmap
|
||||
namespace: pol-data-sync-delete-rule
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Secret
|
||||
names:
|
||||
- trigger-secret
|
||||
name: super-configmap
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: multiple-gens
|
||||
namespace: pol-data-sync-delete-rule
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,41 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: pol-data-sync-delete-rule
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-2.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1-1.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- assert:
|
||||
file: configmap.yaml
|
||||
- assert:
|
||||
file: configmap-remain.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-04-apply-1-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-04-assert-1-1.yaml
|
||||
- name: step-05
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-06
|
||||
try:
|
||||
- assert:
|
||||
file: configmap-remain.yaml
|
||||
- error:
|
||||
file: configmap.yaml
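Review bot: `configmap.yaml` (asserted in step-03, expected absent in step-06) and `configmap-remain.yaml` give no hint which generate rule each belongs to, so the assert/error pair in step-06 only makes sense after cross-referencing the policy files. Presumably `configmap.yaml` holds `zk-kafka-address` (the rule removed in `chainsaw-step-04-apply-1-1.yaml`) and `configmap-remain.yaml` holds `superconfigmap`; naming the files after the generated object, e.g. `zk-kafka-address-configmap.yaml` and `superconfigmap.yaml`, would make step-06 self-explanatory.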
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
key: superconfigmap
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: superconfigmap
|
||||
namespace: pol-data-sync-delete-rule
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: pol-data-sync-delete-rule
|
|
@ -4,9 +4,9 @@ metadata:
|
|||
name: multiple-gens
|
||||
namespace: pol-data-sync-delete-rule
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- generate:
|
||||
generateExisting: false
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
|
@ -29,6 +29,7 @@ spec:
|
|||
- trigger-secret
|
||||
name: k-kafka-address
|
||||
- generate:
|
||||
generateExisting: false
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
|
|
|
@ -4,9 +4,9 @@ metadata:
|
|||
name: multiple-gens
|
||||
namespace: pol-data-sync-delete-rule
|
||||
spec:
|
||||
generateExisting: false
|
||||
rules:
|
||||
- generate:
|
||||
generateExisting: false
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a generate test to ensure a generate Policy using a data declaration with sync enabled and modifying the policy/rule propagates those changes to a downstream ConfigMap.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The downstream (generated) resource is expected to be synced from the corresponding rule within a Policy is modified. If it is not sync, the test fails. If it is synced, the test passes.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: pol-data-sync-modify-rule
|
|
@ -0,0 +1,28 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: zk-kafka-address
|
||||
namespace: pol-data-sync-modify-rule
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: pol-data-sync-modify-rule
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Secret
|
||||
name: k-kafka-address
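Review bot: The match block selects every `Secret` in the namespace with no `names:` restriction, and with `generateExisting: true` and `synchronize: true` any pre-existing Secret in `pol-data-sync-modify-rule` becomes a trigger, whereas the sibling policy at L816–L966 pins the trigger with `names:` / `- trigger-secret`; adding the same two lines under `resources:` keeps the test deterministic if the namespace ever contains another Secret. This file also uses `apiVersion: kyverno.io/v2beta1` while the other policies in the commit use `kyverno.io/v1`; pick one unless the beta version is deliberately under test. The rule name `k-kafka-address` (also at L903) reads like a dropped character from the policy name `zk-kafka-address`.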
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: zk-kafka-address
|
||||
namespace: pol-data-sync-modify-rule
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
org: kyverno
|
||||
name: trigger-secret
|
||||
namespace: pol-data-sync-modify-rule
|
||||
type: Opaque
|
|
@ -0,0 +1,28 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: zk-kafka-address
|
||||
namespace: pol-data-sync-modify-rule
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: pol-data-sync-modify-rule
|
||||
synchronize: true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Secret
|
||||
name: k-kafka-address
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: pol-data-sync-modify-rule
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: pol-data-sync-modify-rule
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: pol-data-sync-modify-rule
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-2.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1-1.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-03-apply-1-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-03-assert-1-1.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- assert:
|
||||
file: chainsaw-step-04-assert-1-1.yaml
|
|
@ -4,9 +4,9 @@ metadata:
|
|||
name: zk-kafka-address
|
||||
namespace: pol-data-sync-modify-rule
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
generateExisting: true
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
|
|
|
@ -4,9 +4,9 @@ metadata:
|
|||
name: zk-kafka-address
|
||||
namespace: pol-data-sync-modify-rule
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
generateExisting: true
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks the generateExisting namespaced policy is applied when the trigger is found in the same namespace as the policy.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the resource secret is created, the test passes. If it is not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/6519
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: match-trigger-namespace-ns
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
example.com/sm-sync: "true"
|
||||
name: regcred
|
||||
namespace: match-trigger-namespace-ns
|
||||
type: Opaque
|
|
@ -0,0 +1,25 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: match-trigger-namespace
|
||||
namespace: match-trigger-namespace-ns
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
modify: Zm9v
|
||||
kind: ConfigMap
|
||||
name: '{{request.object.metadata.name}}-modify'
|
||||
namespace: match-trigger-namespace-ns
|
||||
synchronize: true
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Secret
|
||||
selector:
|
||||
matchLabels:
|
||||
example.com/sm-sync: "true"
|
||||
name: get-synced-secrets
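Review bot: The match here uses the bare `match.resources` form while every other policy in this commit uses `match.any[].resources` (L281, L383, L885, L1562); the same applies to L2434 in the non-match test. For consistency write `match:` / `  any:` / `    - resources:` and indent `kinds` and `selector` under it. Separately, the READMEs for this test and the non-match one (L1976, L2304) say a Secret is created or not created, but the resource asserted in `chainsaw-step-03-assert-1-1.yaml` is the ConfigMap `regcred-modify`; the README wording should say ConfigMap.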
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: match-trigger-namespace
|
||||
namespace: match-trigger-namespace-ns
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
modify: Zm9v
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: regcred-modify
|
||||
namespace: match-trigger-namespace-ns
|
|
@ -0,0 +1,25 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: match-trigger-namespace
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-2.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-3.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-03
|
||||
try:
|
||||
- assert:
|
||||
file: chainsaw-step-03-assert-1-1.yaml
|
|
@ -4,9 +4,9 @@ metadata:
|
|||
name: match-trigger-namespace
|
||||
namespace: match-trigger-namespace-ns
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
generateExisting: true
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks the generateExisting namespaced policy is not applied when the trigger is not found in the same namespace as the policy.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the resource secret is not created, the test passes. If it is created, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/6519
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: non-match-trigger-namespace-ns
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: non-match-trigger-namespace-ns-2
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
example.com/sm-sync: "true"
|
||||
name: regcred
|
||||
namespace: non-match-trigger-namespace-ns-2
|
||||
type: Opaque
|
|
@ -0,0 +1,25 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: non-match-trigger-namespace
|
||||
namespace: non-match-trigger-namespace-ns
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
modify: Zm9v
|
||||
kind: ConfigMap
|
||||
name: '{{request.object.metadata.name}}-modify'
|
||||
namespace: non-match-trigger-namespace-ns
|
||||
synchronize: true
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Secret
|
||||
selector:
|
||||
matchLabels:
|
||||
example.com/sm-sync: "true"
|
||||
name: get-synced-secrets
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: non-match-trigger-namespace
|
||||
namespace: non-match-trigger-namespace-ns
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
modify: Zm9v
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: regcred-modify
|
||||
namespace: non-match-trigger-namespace-ns
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: non-match-trigger-namespace
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-2.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-3.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1-4.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- name: step-03
|
||||
try:
|
||||
- error:
|
||||
file: chainsaw-step-03-error-1-1.yaml
|
|
@ -4,9 +4,9 @@ metadata:
|
|||
name: non-match-trigger-namespace
|
||||
namespace: non-match-trigger-namespace-ns
|
||||
spec:
|
||||
generateExisting: true
|
||||
rules:
|
||||
- generate:
|
||||
generateExisting: true
|
||||
apiVersion: v1
|
||||
data:
|
||||
data:
|
||||
|
|