From af14780f5c72e1a887ef15f72e5e2b344edff9c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 27 Oct 2023 18:33:58 +0200 Subject: [PATCH] chore: run tests with chainsaw (#8762) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Charles-Edouard Brétéché --- .github/workflows/conformance.yaml | 93 +++++++++++++++++++ test/conformance/chainsaw/_config/common.yaml | 10 ++ .../webhooks/all-scale/01-policy.yaml | 11 +++ .../webhooks/all-scale/02-webhooks.yaml | 9 ++ .../chainsaw/webhooks/all-scale/README.md | 9 ++ .../webhooks/all-scale/policy-assert.yaml | 9 ++ .../chainsaw/webhooks/all-scale/policy.yaml | 22 +++++ .../chainsaw/webhooks/all-scale/webhooks.yaml | 20 ++++ .../webhooks/double-wildcard/01-policy.yaml | 11 +++ .../webhooks/double-wildcard/02-webhooks.yaml | 9 ++ .../webhooks/double-wildcard/README.md | 9 ++ .../double-wildcard/policy-assert.yaml | 9 ++ .../webhooks/double-wildcard/policy.yaml | 22 +++++ .../webhooks/double-wildcard/webhooks.yaml | 21 +++++ .../expected-webhooks/01-webhooks.yaml | 9 ++ .../webhooks/expected-webhooks/README.md | 11 +++ .../webhooks/expected-webhooks/webhooks.yaml | 34 +++++++ .../chainsaw/webhooks/only-pod/01-policy.yaml | 11 +++ .../webhooks/only-pod/02-webhooks.yaml | 9 ++ .../chainsaw/webhooks/only-pod/README.md | 9 ++ .../webhooks/only-pod/policy-assert.yaml | 9 ++ .../chainsaw/webhooks/only-pod/policy.yaml | 22 +++++ .../chainsaw/webhooks/only-pod/webhooks.yaml | 21 +++++ .../pod-all-subresources/01-policy.yaml | 11 +++ .../pod-all-subresources/02-webhooks.yaml | 9 ++ .../webhooks/pod-all-subresources/README.md | 9 ++ .../pod-all-subresources/policy-assert.yaml | 9 ++ .../webhooks/pod-all-subresources/policy.yaml | 22 +++++ .../pod-all-subresources/webhooks.yaml | 28 ++++++ .../chainsaw/webhooks/scale/01-policy.yaml | 8 ++ .../chainsaw/webhooks/scale/README.md | 4 + .../chainsaw/webhooks/scale/policy.yaml | 22 +++++ .../unknown-kind/01-unknown-kind.yaml | 8 ++ .../02-unknown-kind-subresource.yaml | 8 ++ .../unknown-kind/03-wrong-version.yaml | 8 ++ .../unknown-kind/04-unknown-subresource.yaml | 8 ++ .../chainsaw/webhooks/unknown-kind/README.md | 4 + .../webhooks/unknown-kind/policy-1.yaml | 20 ++++ 
.../webhooks/unknown-kind/policy-2.yaml | 20 ++++ .../webhooks/unknown-kind/policy-3.yaml | 20 ++++ .../webhooks/unknown-kind/policy-4.yaml | 20 ++++ .../chainsaw/webhooks/wildcard/01-policy.yaml | 11 +++ .../webhooks/wildcard/02-webhooks.yaml | 9 ++ .../chainsaw/webhooks/wildcard/README.md | 9 ++ .../webhooks/wildcard/policy-assert.yaml | 9 ++ .../chainsaw/webhooks/wildcard/policy.yaml | 22 +++++ .../chainsaw/webhooks/wildcard/webhooks.yaml | 22 +++++ 47 files changed, 719 insertions(+) create mode 100755 test/conformance/chainsaw/_config/common.yaml create mode 100644 test/conformance/chainsaw/webhooks/all-scale/01-policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/all-scale/02-webhooks.yaml create mode 100644 test/conformance/chainsaw/webhooks/all-scale/README.md create mode 100644 test/conformance/chainsaw/webhooks/all-scale/policy-assert.yaml create mode 100644 test/conformance/chainsaw/webhooks/all-scale/policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/all-scale/webhooks.yaml create mode 100644 test/conformance/chainsaw/webhooks/double-wildcard/01-policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/double-wildcard/02-webhooks.yaml create mode 100644 test/conformance/chainsaw/webhooks/double-wildcard/README.md create mode 100644 test/conformance/chainsaw/webhooks/double-wildcard/policy-assert.yaml create mode 100644 test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/double-wildcard/webhooks.yaml create mode 100644 test/conformance/chainsaw/webhooks/expected-webhooks/01-webhooks.yaml create mode 100644 test/conformance/chainsaw/webhooks/expected-webhooks/README.md create mode 100644 test/conformance/chainsaw/webhooks/expected-webhooks/webhooks.yaml create mode 100644 test/conformance/chainsaw/webhooks/only-pod/01-policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/only-pod/02-webhooks.yaml create mode 100644 
test/conformance/chainsaw/webhooks/only-pod/README.md create mode 100644 test/conformance/chainsaw/webhooks/only-pod/policy-assert.yaml create mode 100644 test/conformance/chainsaw/webhooks/only-pod/policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/only-pod/webhooks.yaml create mode 100644 test/conformance/chainsaw/webhooks/pod-all-subresources/01-policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/pod-all-subresources/02-webhooks.yaml create mode 100644 test/conformance/chainsaw/webhooks/pod-all-subresources/README.md create mode 100644 test/conformance/chainsaw/webhooks/pod-all-subresources/policy-assert.yaml create mode 100644 test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/pod-all-subresources/webhooks.yaml create mode 100644 test/conformance/chainsaw/webhooks/scale/01-policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/scale/README.md create mode 100644 test/conformance/chainsaw/webhooks/scale/policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/unknown-kind/01-unknown-kind.yaml create mode 100644 test/conformance/chainsaw/webhooks/unknown-kind/02-unknown-kind-subresource.yaml create mode 100644 test/conformance/chainsaw/webhooks/unknown-kind/03-wrong-version.yaml create mode 100644 test/conformance/chainsaw/webhooks/unknown-kind/04-unknown-subresource.yaml create mode 100644 test/conformance/chainsaw/webhooks/unknown-kind/README.md create mode 100644 test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml create mode 100644 test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml create mode 100644 test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml create mode 100644 test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml create mode 100644 test/conformance/chainsaw/webhooks/wildcard/01-policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/wildcard/02-webhooks.yaml create mode 100644 
test/conformance/chainsaw/webhooks/wildcard/README.md create mode 100644 test/conformance/chainsaw/webhooks/wildcard/policy-assert.yaml create mode 100644 test/conformance/chainsaw/webhooks/wildcard/policy.yaml create mode 100644 test/conformance/chainsaw/webhooks/wildcard/webhooks.yaml diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index e0f65b0f71..143506a07e 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml 
@@ -156,6 +156,99 @@ jobs: if: failure() uses: ./.github/actions/kyverno-logs + chainsaw: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + config: + - name: standard + values: + - standard + k8s-version: + - name: v1.25 + version: v1.25.11 + - name: v1.26 + version: v1.26.6 + - name: v1.27 + version: v1.27.3 + - name: v1.28 + version: v1.28.0 + tests: + # - autogen + # - background-only + # - cleanup + # - deferred + # - events + # - exceptions + # - filter + # - generate/clusterpolicy + # - generate/policy + # - generate/validation + # - mutate + # - policy-validation + # - rangeoperators + # - rbac + # - reports + # - validate + # - verify-manifests + # - verifyImages + - webhooks + needs: prepare-images + name: chainsaw - ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: run-conformance + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + - name: Create kind cluster + shell: bash + run: | + set -e + export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }} + make kind-create-cluster + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + make kind-load-image-archive + - name: Install kyverno + shell: bash + run: | + set -e + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + - name: Install Chainsaw + shell: bash + run: | + set -e + go install 
github.com/kyverno/chainsaw@ffa5508c1d0fbba24d70a3a51ef777392a9b32b6 + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + chainsaw test --config ./test/conformance/chainsaw/_config/common.yaml --test-dir ./test/conformance/chainsaw/${{ matrix.tests }} --no-color=false + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + # runs conformance test suites with configuration: ttl: runs-on: ubuntu-latest diff --git a/test/conformance/chainsaw/_config/common.yaml b/test/conformance/chainsaw/_config/common.yaml new file mode 100755 index 0000000000..6b9d5ed588 --- /dev/null +++ b/test/conformance/chainsaw/_config/common.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Configuration +metadata: + name: congiguration +spec: + parallel: 1 + timeout: 1m30s + fullName: true + failFast: true + excludeTestRegex: '_.+' diff --git a/test/conformance/chainsaw/webhooks/all-scale/01-policy.yaml b/test/conformance/chainsaw/webhooks/all-scale/01-policy.yaml new file mode 100644 index 0000000000..836f640264 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/all-scale/01-policy.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + apply: + - file: policy.yaml + assert: + - file: policy-assert.yaml diff --git a/test/conformance/chainsaw/webhooks/all-scale/02-webhooks.yaml b/test/conformance/chainsaw/webhooks/all-scale/02-webhooks.yaml new file mode 100644 index 0000000000..549d5ba6af --- /dev/null +++ b/test/conformance/chainsaw/webhooks/all-scale/02-webhooks.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: webhooks +spec: + assert: + - file: webhooks.yaml 
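Review bot: The `Test with Chainsaw` step exports `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` although nothing visible in the step consumes it; the `chainsaw test` invocation only reads files under `./test/conformance/chainsaw`. The job-level `permissions: packages: read` already narrows that token, but handing a credential to a step that applies arbitrary test manifests to the kind cluster is surface with no stated purpose. Unless chainsaw needs it at test time, drop the `env:` block, or document the reason above it, e.g. `# GITHUB_TOKEN: required by chainsaw for <reason>`. Pinning `go install github.com/kyverno/chainsaw@<sha>` to a full commit is good, and module integrity then rests on GOSUMDB verification, which the build-env action (outside this hunk) should not disable.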
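Review bot: `metadata.name: congiguration` in the new `_config/common.yaml` is a typo for `configuration`; chainsaw appears to use it only as a label for the config, but it will surface in output, so change it to `name: configuration`. The file is also created with mode `100755` while every other file in this commit is `100644`; a YAML configuration needs no executable bit, so clear it to keep the tree consistent.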
diff --git a/test/conformance/chainsaw/webhooks/all-scale/README.md b/test/conformance/chainsaw/webhooks/all-scale/README.md new file mode 100644 index 0000000000..ab3d2f0064 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/all-scale/README.md @@ -0,0 +1,9 @@ +## Description + +This test verifies the resource validation webhook is configured correctly when a policy targets all `*/scale` subresources. + +## Steps + +1. - Create a policy targeting `*/scale` + - Assert policy gets ready +1. - Assert that the resource validation webhook is configured correctly diff --git a/test/conformance/chainsaw/webhooks/all-scale/policy-assert.yaml b/test/conformance/chainsaw/webhooks/all-scale/policy-assert.yaml new file mode 100644 index 0000000000..2993bbaa6e --- /dev/null +++ b/test/conformance/chainsaw/webhooks/all-scale/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/all-scale/policy.yaml b/test/conformance/chainsaw/webhooks/all-scale/policy.yaml new file mode 100644 index 0000000000..292f5ba0b8 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/all-scale/policy.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - '*/scale' + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/all-scale/webhooks.yaml b/test/conformance/chainsaw/webhooks/all-scale/webhooks.yaml new file mode 100644 index 0000000000..07c43a20f7 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/all-scale/webhooks.yaml 
@@ -0,0 +1,20 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-validating-webhook-cfg +webhooks: +- rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - '*/scale' + scope: '*' diff --git a/test/conformance/chainsaw/webhooks/double-wildcard/01-policy.yaml b/test/conformance/chainsaw/webhooks/double-wildcard/01-policy.yaml new file mode 100644 index 0000000000..836f640264 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/double-wildcard/01-policy.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + apply: + - file: policy.yaml + assert: + - file: policy-assert.yaml diff --git a/test/conformance/chainsaw/webhooks/double-wildcard/02-webhooks.yaml b/test/conformance/chainsaw/webhooks/double-wildcard/02-webhooks.yaml new file mode 100644 index 0000000000..549d5ba6af --- /dev/null +++ b/test/conformance/chainsaw/webhooks/double-wildcard/02-webhooks.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: webhooks +spec: + assert: + - file: webhooks.yaml diff --git a/test/conformance/chainsaw/webhooks/double-wildcard/README.md b/test/conformance/chainsaw/webhooks/double-wildcard/README.md new file mode 100644 index 0000000000..238aa3e761 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/double-wildcard/README.md @@ -0,0 +1,9 @@ +## Description + +This test verifies the resource validation webhook is configured correctly when a policy targets all `*/*` resources and subresources. + +## Steps + +1. - Create a policy targeting `*/*` + - Assert policy gets ready +1. - Assert that the resource validation webhook is configured correctly 
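Review bot: The `all-scale/webhooks.yaml` assertion pins the webhook `rules` but not `failurePolicy`, so a regression that registered this rule fail-open (`failurePolicy: Ignore`) would still pass. The `double-wildcard` and `wildcard` assertions in the same commit do pin `failurePolicy: Fail`; if `Fail` is the expected default for a non-wildcard policy as well, add `- failurePolicy: Fail` above `rules:` here (and in the `only-pod` and `pod-all-subresources` variants) so the suite is consistent and actually catches a fail-open webhook.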
diff --git a/test/conformance/chainsaw/webhooks/double-wildcard/policy-assert.yaml b/test/conformance/chainsaw/webhooks/double-wildcard/policy-assert.yaml new file mode 100644 index 0000000000..2993bbaa6e --- /dev/null +++ b/test/conformance/chainsaw/webhooks/double-wildcard/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml b/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml new file mode 100644 index 0000000000..92d84826be --- /dev/null +++ b/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - '*/*' + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/double-wildcard/webhooks.yaml b/test/conformance/chainsaw/webhooks/double-wildcard/webhooks.yaml new file mode 100644 index 0000000000..13b2b04673 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/double-wildcard/webhooks.yaml @@ -0,0 +1,21 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-validating-webhook-cfg +webhooks: +- failurePolicy: Fail + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - '*/*' + scope: '*' 
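Review bot: A `*/*` rule with `failurePolicy: Fail` intercepts every admission request cluster-wide, so this assertion should also pin whatever scoping keeps Kyverno from intercepting its own namespace; otherwise a change that drops that exclusion would pass the test and could deadlock the cluster if the Kyverno pods become unavailable. If the installed configuration still expresses that exclusion as a `namespaceSelector` on the webhook, add the expected `namespaceSelector` (and `timeoutSeconds`, if fixed) next to `failurePolicy: Fail` in `webhooks.yaml`. The `wildcard` test's `webhooks.yaml` later in this commit has the same gap.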
diff --git a/test/conformance/chainsaw/webhooks/expected-webhooks/01-webhooks.yaml b/test/conformance/chainsaw/webhooks/expected-webhooks/01-webhooks.yaml new file mode 100644 index 0000000000..549d5ba6af --- /dev/null +++ b/test/conformance/chainsaw/webhooks/expected-webhooks/01-webhooks.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: webhooks +spec: + assert: + - file: webhooks.yaml diff --git a/test/conformance/chainsaw/webhooks/expected-webhooks/README.md b/test/conformance/chainsaw/webhooks/expected-webhooks/README.md new file mode 100644 index 0000000000..6d310c94ab --- /dev/null +++ b/test/conformance/chainsaw/webhooks/expected-webhooks/README.md @@ -0,0 +1,11 @@ +## Description + +This test verifies expected webhooks are created. + +## Steps + +1. - Assert webhook `kyverno-policy-validating-webhook-cfg` exists + - Assert webhook `kyverno-resource-validating-webhook-cfg` exists + - Assert webhook `kyverno-policy-mutating-webhook-cfg` exists + - Assert webhook `kyverno-resource-mutating-webhook-cfg` exists + - Assert webhook `kyverno-verify-mutating-webhook-cfg` exists diff --git a/test/conformance/chainsaw/webhooks/expected-webhooks/webhooks.yaml b/test/conformance/chainsaw/webhooks/expected-webhooks/webhooks.yaml new file mode 100644 index 0000000000..5cbb2e7544 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/expected-webhooks/webhooks.yaml 
@@ -0,0 +1,34 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-policy-validating-webhook-cfg +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-validating-webhook-cfg +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-policy-mutating-webhook-cfg +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-mutating-webhook-cfg +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-verify-mutating-webhook-cfg diff --git a/test/conformance/chainsaw/webhooks/only-pod/01-policy.yaml b/test/conformance/chainsaw/webhooks/only-pod/01-policy.yaml new file mode 100644 index 0000000000..836f640264 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/only-pod/01-policy.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + apply: + - file: policy.yaml + assert: + - file: policy-assert.yaml diff --git a/test/conformance/chainsaw/webhooks/only-pod/02-webhooks.yaml b/test/conformance/chainsaw/webhooks/only-pod/02-webhooks.yaml new file mode 100644 index 0000000000..549d5ba6af --- /dev/null +++ b/test/conformance/chainsaw/webhooks/only-pod/02-webhooks.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: webhooks +spec: + assert: + - file: webhooks.yaml 
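Review bot: The `expected-webhooks/webhooks.yaml` assertion pins only `metadata.name` and the `webhook.kyverno.io/managed-by` label, so assuming chainsaw's assert is a subset match, a configuration with an empty `webhooks:` list or one pointing at the wrong service would satisfy it. Consider asserting at least one `webhooks[]` entry with the expected `clientConfig.service.name` and `namespace` for the resource webhooks, so the test verifies they are wired to Kyverno rather than merely named like it. The README wording "Assert webhook ... exists" would then describe the check accurately only if it also mentions the service binding.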
diff --git a/test/conformance/chainsaw/webhooks/only-pod/README.md b/test/conformance/chainsaw/webhooks/only-pod/README.md new file mode 100644 index 0000000000..875668ed3d --- /dev/null +++ b/test/conformance/chainsaw/webhooks/only-pod/README.md @@ -0,0 +1,9 @@ +## Description + +This test verifies the resource validation webhook is configured correctly when a policy targets `Pod`. + +## Steps + +1. - Create a policy targeting `Pod` + - Assert policy gets ready +1. - Assert that the resource validation webhook is configured correctly diff --git a/test/conformance/chainsaw/webhooks/only-pod/policy-assert.yaml b/test/conformance/chainsaw/webhooks/only-pod/policy-assert.yaml new file mode 100644 index 0000000000..2993bbaa6e --- /dev/null +++ b/test/conformance/chainsaw/webhooks/only-pod/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/only-pod/policy.yaml b/test/conformance/chainsaw/webhooks/only-pod/policy.yaml new file mode 100644 index 0000000000..8349e314ec --- /dev/null +++ b/test/conformance/chainsaw/webhooks/only-pod/policy.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - Pod + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/only-pod/webhooks.yaml b/test/conformance/chainsaw/webhooks/only-pod/webhooks.yaml new file mode 100644 index 0000000000..49a26e89be --- /dev/null +++ b/test/conformance/chainsaw/webhooks/only-pod/webhooks.yaml 
@@ -0,0 +1,21 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-validating-webhook-cfg +webhooks: +- rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - pods + - pods/ephemeralcontainers + scope: '*' diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/01-policy.yaml b/test/conformance/chainsaw/webhooks/pod-all-subresources/01-policy.yaml new file mode 100644 index 0000000000..836f640264 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/01-policy.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + apply: + - file: policy.yaml + assert: + - file: policy-assert.yaml diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/02-webhooks.yaml b/test/conformance/chainsaw/webhooks/pod-all-subresources/02-webhooks.yaml new file mode 100644 index 0000000000..549d5ba6af --- /dev/null +++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/02-webhooks.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: webhooks +spec: + assert: + - file: webhooks.yaml diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/README.md b/test/conformance/chainsaw/webhooks/pod-all-subresources/README.md new file mode 100644 index 0000000000..cc43b07a19 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/README.md @@ -0,0 +1,9 @@ +## Description + +This test verifies the resource validation webhook is configured correctly when a policy targets all `Pod/*` subresources. + +## Steps + +1. - Create a policy targeting `Pod/*` + - Assert policy gets ready +1. - Assert that the resource validation webhook is configured correctly 
diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/policy-assert.yaml b/test/conformance/chainsaw/webhooks/pod-all-subresources/policy-assert.yaml new file mode 100644 index 0000000000..2993bbaa6e --- /dev/null +++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml b/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml new file mode 100644 index 0000000000..2faf585890 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - Pod/* + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/webhooks.yaml b/test/conformance/chainsaw/webhooks/pod-all-subresources/webhooks.yaml new file mode 100644 index 0000000000..9766dc5d34 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/webhooks.yaml @@ -0,0 +1,28 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-validating-webhook-cfg +webhooks: +- rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - pods/attach + - pods/binding + - pods/ephemeralcontainers + - pods/eviction + - pods/exec + - pods/log + - pods/portforward + - pods/proxy + - pods/status + scope: '*' 
diff --git a/test/conformance/chainsaw/webhooks/scale/01-policy.yaml b/test/conformance/chainsaw/webhooks/scale/01-policy.yaml new file mode 100644 index 0000000000..dfa674b5c1 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/scale/01-policy.yaml @@ -0,0 +1,8 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + apply: + - file: policy.yaml + shouldFail: true diff --git a/test/conformance/chainsaw/webhooks/scale/README.md b/test/conformance/chainsaw/webhooks/scale/README.md new file mode 100644 index 0000000000..df716980c1 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/scale/README.md @@ -0,0 +1,4 @@ +## Description + +This test tries to create a policy targeting the `Scale` kind. +The `Scale` kind doesn't map to a top level resource and therefore the policy is expected to be rejected. \ No newline at end of file diff --git a/test/conformance/chainsaw/webhooks/scale/policy.yaml b/test/conformance/chainsaw/webhooks/scale/policy.yaml new file mode 100644 index 0000000000..bd4a502ad9 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/scale/policy.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - Scale + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/01-unknown-kind.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/01-unknown-kind.yaml new file mode 100644 index 0000000000..be147e1a1a --- /dev/null +++ b/test/conformance/chainsaw/webhooks/unknown-kind/01-unknown-kind.yaml @@ -0,0 +1,8 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: unknown-kind +spec: + apply: + - file: policy-1.yaml + shouldFail: true 
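Review bot: `shouldFail: true` only checks that applying `policy.yaml` failed, not that it failed for the reason the README gives (the `Scale` kind not mapping to a top-level resource); a rejection for an unrelated cause such as a CRD schema error would also make this step pass. If this chainsaw version can match the returned error, assert on the expected validation message; otherwise note the limitation in the step, e.g. `# shouldFail only proves rejection, not the reason`. The `unknown-kind` steps `01`–`04` have the same weakness.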
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/02-unknown-kind-subresource.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/02-unknown-kind-subresource.yaml new file mode 100644 index 0000000000..6837ef0c48 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/unknown-kind/02-unknown-kind-subresource.yaml @@ -0,0 +1,8 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: unknown-kind-subresource +spec: + apply: + - file: policy-2.yaml + shouldFail: true diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/03-wrong-version.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/03-wrong-version.yaml new file mode 100644 index 0000000000..9e2f61d8a5 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/unknown-kind/03-wrong-version.yaml @@ -0,0 +1,8 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: wrong-version +spec: + apply: + - file: policy-3.yaml + shouldFail: true diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/04-unknown-subresource.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/04-unknown-subresource.yaml new file mode 100644 index 0000000000..5275bf0d8b --- /dev/null +++ b/test/conformance/chainsaw/webhooks/unknown-kind/04-unknown-subresource.yaml @@ -0,0 +1,8 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: unknown-subresource +spec: + apply: + - file: policy-4.yaml + shouldFail: true diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/README.md b/test/conformance/chainsaw/webhooks/unknown-kind/README.md new file mode 100644 index 0000000000..6e44bf80c1 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/unknown-kind/README.md @@ -0,0 +1,4 @@ +## Description + +This test tries to create policies with different combinations of unknown kind and/or subresource. +The policies should be rejected. 
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml new file mode 100644 index 0000000000..5a6be03550 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: unknown +spec: + validationFailureAction: Audit + background: false + rules: + - name: unknown + match: + any: + - resources: + kinds: + - Foo + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml new file mode 100644 index 0000000000..7d0cf31fc5 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: unknown +spec: + validationFailureAction: Audit + background: false + rules: + - name: unknown + match: + any: + - resources: + kinds: + - Foo/* + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml new file mode 100644 index 0000000000..57d255ae5b --- /dev/null +++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: unknown +spec: + validationFailureAction: Audit + background: false + rules: + - name: unknown + match: + any: + - resources: + kinds: + - v2/Pod + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml new file mode 100644 index 0000000000..f77bc622c6 
--- /dev/null +++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: unknown +spec: + validationFailureAction: Audit + background: false + rules: + - name: unknown + match: + any: + - resources: + kinds: + - Pod/foo + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/wildcard/01-policy.yaml b/test/conformance/chainsaw/webhooks/wildcard/01-policy.yaml new file mode 100644 index 0000000000..836f640264 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/wildcard/01-policy.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + apply: + - file: policy.yaml + assert: + - file: policy-assert.yaml diff --git a/test/conformance/chainsaw/webhooks/wildcard/02-webhooks.yaml b/test/conformance/chainsaw/webhooks/wildcard/02-webhooks.yaml new file mode 100644 index 0000000000..549d5ba6af --- /dev/null +++ b/test/conformance/chainsaw/webhooks/wildcard/02-webhooks.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: webhooks +spec: + assert: + - file: webhooks.yaml diff --git a/test/conformance/chainsaw/webhooks/wildcard/README.md b/test/conformance/chainsaw/webhooks/wildcard/README.md new file mode 100644 index 0000000000..cfa667ac58 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/wildcard/README.md @@ -0,0 +1,9 @@ +## Description + +This test verifies the resource validation webhook is configured correctly when a policy targets all `*` resources. + +## Steps + +1. - Create a policy targeting `*` + - Assert policy gets ready +1. - Assert that the resource validation webhook is configured correctly 
diff --git a/test/conformance/chainsaw/webhooks/wildcard/policy-assert.yaml b/test/conformance/chainsaw/webhooks/wildcard/policy-assert.yaml new file mode 100644 index 0000000000..2993bbaa6e --- /dev/null +++ b/test/conformance/chainsaw/webhooks/wildcard/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/webhooks/wildcard/policy.yaml b/test/conformance/chainsaw/webhooks/wildcard/policy.yaml new file mode 100644 index 0000000000..ce9f80c1e3 --- /dev/null +++ b/test/conformance/chainsaw/webhooks/wildcard/policy.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - '*' + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/webhooks/wildcard/webhooks.yaml b/test/conformance/chainsaw/webhooks/wildcard/webhooks.yaml new file mode 100644 index 0000000000..281adc9a9f --- /dev/null +++ b/test/conformance/chainsaw/webhooks/wildcard/webhooks.yaml @@ -0,0 +1,22 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-validating-webhook-cfg +webhooks: +- failurePolicy: Fail + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - '*' + - pods/ephemeralcontainers + scope: '*'