test: bgscan report with image verification rule passing (#6728)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
749ea6dacf
commit
af526ff350
18 changed files with 207 additions and 0 deletions
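--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- pod.yaml
+assert:
+- pod-assert.yaml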
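--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml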
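--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- bgscanr-assert.yaml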
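--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,10 @@
+# Title
+
+This test creates pods using an unsigned or not correctly signed image.
+It then creates an image verification policy running in the background.
+
+Note: the pods have to be created first because we don't want the policy to apply at admission time.
+
+## Expected Behavior
+
+The pods are created and background scan reports are generated with a fail result.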
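--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Pod
+    name: unsigned
+spec:
+  summary:
+    error: 0
+    fail: 1
+    pass: 0
+    skip: 0
+    warn: 0
+---
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Pod
+    name: signed-by-someone-else
+spec:
+  summary:
+    error: 0
+    fail: 1
+    pass: 0
+    skip: 0
+    warn: 0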
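Review bot: The assert pins only the `spec.summary` counts, so any report owned by the `unsigned` pod (and likewise `signed-by-someone-else`) that carries exactly one fail satisfies it, whichever policy or rule produced that failure. Adding a `results` entry under `spec` ties the expectation to this test's rule: `results:` / `- rule: keyed-basic-rule` / `  result: fail`. I have left the `policy` field out on purpose: for a namespaced Policy it is, as far as I recall, namespace-qualified, and the kuttl namespace is generated, so it cannot be asserted literally — please confirm. The same applies to the single-report assert for the `signed` pod in the 14-line section further down, with `result: pass`.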
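--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: unsigned
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: signed-by-someone-else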
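--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: unsigned
+spec:
+  containers:
+  - image: ghcr.io/kyverno/test-verify-image:unsigned
+    name: test-secret
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: signed-by-someone-else
+spec:
+  containers:
+  - image: ghcr.io/kyverno/test-verify-image:signed-by-someone-else
+    name: test-secret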
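Review bot: Both containers are named `test-secret`, which looks copied from another fixture and says nothing about this image-verification test; naming them after their pod (`name: unsigned`, `name: signed-by-someone-else`) would make the report asserts and any log output self-explanatory. The same container name appears in the single-pod manifest in the 8-line section further down.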
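--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: keyed-basic-policy
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready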
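--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: keyed-basic-policy
+spec:
+  validationFailureAction: Audit
+  background: true
+  webhookTimeoutSeconds: 30
+  rules:
+  - name: keyed-basic-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    verifyImages:
+    - imageReferences:
+      - ghcr.io/kyverno/test-verify-image:*
+      verifyDigest: false
+      required: false
+      attestors:
+      - entries:
+        - keys:
+            publicKeys: |-
+              -----BEGIN PUBLIC KEY-----
+              MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+              5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+              -----END PUBLIC KEY-----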
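Review bot: The settings that make this rule behave as it does under a background scan — `validationFailureAction: Audit`, `verifyDigest: false` and `required: false` — are unexplained, and `required: false` in particular reads as if a missing signature should not fail the rule, which is the opposite of what the report asserts in this commit expect. A comment above `rules:` along the lines of `# Audit + background: the policy must never block at admission; the pods exist before it does and only the generated report is asserted.` would stop the next reader from "fixing" these values. `verifyDigest: false` deserves its own comment as well (presumably because the images are referenced by tag and a background scan cannot mutate a digest into the pod — TODO confirm). `webhookTimeoutSeconds: 30` appears to matter only at admission and could be dropped from a background-only test. The same applies to the second policy.yaml in the last 28-line section.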
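--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- pod.yaml
+assert:
+- pod-assert.yaml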
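--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml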
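--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- bgscanr-assert.yaml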
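--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,10 @@
+# Title
+
+This test creates a pod using a valid signed image.
+It then creates an image verification policy running in the background.
+
+Note: the pod has to be created first because we don't want the policy to apply at admission time.
+
+## Expected Behavior
+
+The pod is created and a background scan report is generated for it with a pass result.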
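--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,14 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Pod
+    name: signed
+spec:
+  summary:
+    error: 0
+    fail: 0
+    pass: 1
+    skip: 0
+    warn: 0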
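--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: signed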
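--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: signed
+spec:
+  containers:
+  - image: ghcr.io/kyverno/test-verify-image:signed
+    name: test-secret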
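--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: keyed-basic-policy
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready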
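--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: keyed-basic-policy
+spec:
+  validationFailureAction: Audit
+  background: true
+  webhookTimeoutSeconds: 30
+  rules:
+  - name: keyed-basic-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    verifyImages:
+    - imageReferences:
+      - ghcr.io/kyverno/test-verify-image:*
+      verifyDigest: false
+      required: false
+      attestors:
+      - entries:
+        - keys:
+            publicKeys: |-
+              -----BEGIN PUBLIC KEY-----
+              MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+              5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+              -----END PUBLIC KEY-----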