diff --git a/test/conformance/kuttl/reports/background/verify-image-fail/01-pod.yaml b/test/conformance/kuttl/reports/background/verify-image-fail/01-pod.yaml
new file mode 100644
index 0000000000..3e1752d840
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-fail/01-pod.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- pod.yaml
+assert:
+- pod-assert.yaml
diff --git a/test/conformance/kuttl/reports/background/verify-image-fail/02-policy.yaml b/test/conformance/kuttl/reports/background/verify-image-fail/02-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-fail/02-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/reports/background/verify-image-fail/03-bgscanr.yaml b/test/conformance/kuttl/reports/background/verify-image-fail/03-bgscanr.yaml
new file mode 100644
index 0000000000..b487be0540
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-fail/03-bgscanr.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- bgscanr-assert.yaml
diff --git a/test/conformance/kuttl/reports/background/verify-image-fail/README.md b/test/conformance/kuttl/reports/background/verify-image-fail/README.md
new file mode 100644
index 0000000000..1f19882972
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-fail/README.md
@@ -0,0 +1,10 @@
+# Title
+
+This test creates pods using an unsigned or not correctly signed image.
+It then creates an image verification policy running in the background.
+
+Note: the pods have to be created first because we don't want the policy to apply at admission time.
+
+## Expected Behavior
+
+The pods are created and background scan reports are generated with a fail result.
diff --git a/test/conformance/kuttl/reports/background/verify-image-fail/bgscanr-assert.yaml b/test/conformance/kuttl/reports/background/verify-image-fail/bgscanr-assert.yaml
new file mode 100644
index 0000000000..b6d480a579
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-fail/bgscanr-assert.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: unsigned
+spec:
+ summary:
+ error: 0
+ fail: 1
+ pass: 0
+ skip: 0
+ warn: 0
+---
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: signed-by-someone-else
+spec:
+ summary:
+ error: 0
+ fail: 1
+ pass: 0
+ skip: 0
+ warn: 0
diff --git a/test/conformance/kuttl/reports/background/verify-image-fail/pod-assert.yaml b/test/conformance/kuttl/reports/background/verify-image-fail/pod-assert.yaml
new file mode 100644
index 0000000000..09d29aefb3
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-fail/pod-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: unsigned
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: signed-by-someone-else
diff --git a/test/conformance/kuttl/reports/background/verify-image-fail/pod.yaml b/test/conformance/kuttl/reports/background/verify-image-fail/pod.yaml
new file mode 100644
index 0000000000..375a2b5917
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-fail/pod.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: unsigned
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:unsigned
+ name: test-secret
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: signed-by-someone-else
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed-by-someone-else
+ name: test-secret
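Review bot: The BackgroundScanReport assertions for pods `unsigned` and `signed-by-someone-else` pin only `ownerReferences` and the `summary` counters, so any report attached to those pods with exactly one failing result satisfies the step, whatever policy or rule produced the failure. Since kuttl asserts match a subset of fields, consider also asserting the per-result entries (policy `keyed-basic-policy`, rule `keyed-basic-rule`, result `fail`) if the report exposes them, so the counted failure is demonstrably the image-verification rule's. The pass-side verify-image-pass/bgscanr-assert.yaml pins `pass: 1` the same way and would benefit from the same tightening.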
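Review bot: Both containers in pod.yaml are named `test-secret`, which does not describe what they run (the `test-verify-image` tags `unsigned` and `signed-by-someone-else`) and reads as a leftover from another fixture. A descriptive name such as `name: test-verify-image` would make the pod spec and any report output that refers to the container self-explanatory. The pass-side verify-image-pass/pod.yaml uses the same container name.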
diff --git a/test/conformance/kuttl/reports/background/verify-image-fail/policy-assert.yaml b/test/conformance/kuttl/reports/background/verify-image-fail/policy-assert.yaml
new file mode 100644
index 0000000000..9b7835826a
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-fail/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: keyed-basic-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/reports/background/verify-image-fail/policy.yaml b/test/conformance/kuttl/reports/background/verify-image-fail/policy.yaml
new file mode 100644
index 0000000000..fd32eb4a0c
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-fail/policy.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: keyed-basic-policy
+spec:
+ validationFailureAction: Audit
+ background: true
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: keyed-basic-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - ghcr.io/kyverno/test-verify-image:*
+ verifyDigest: false
+ required: false
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
diff --git a/test/conformance/kuttl/reports/background/verify-image-pass/01-pod.yaml b/test/conformance/kuttl/reports/background/verify-image-pass/01-pod.yaml
new file mode 100644
index 0000000000..3e1752d840
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-pass/01-pod.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- pod.yaml
+assert:
+- pod-assert.yaml
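Review bot: `verifyDigest: false` and `required: false` relax the verifyImages rule in `keyed-basic-rule` without a comment saying why, and the test's expected outcome (`fail: 1` for images not signed by the embedded key) depends on how `required: false` interacts with a failed signature check; a reader of the policy alone cannot tell whether the fail is expected despite that setting or only because of it. Suggest a comment above the two keys, e.g. `# relaxed on purpose: this test exercises only the key match; an image that does not verify against this key must still yield a fail result in the background scan report`, and a matching sentence in the README. The pass-side verify-image-pass/policy.yaml is the same blob (index fd32eb4a0c) and would carry the same comment.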
diff --git a/test/conformance/kuttl/reports/background/verify-image-pass/02-policy.yaml b/test/conformance/kuttl/reports/background/verify-image-pass/02-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-pass/02-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/reports/background/verify-image-pass/03-bgscanr.yaml b/test/conformance/kuttl/reports/background/verify-image-pass/03-bgscanr.yaml
new file mode 100644
index 0000000000..b487be0540
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-pass/03-bgscanr.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- bgscanr-assert.yaml
diff --git a/test/conformance/kuttl/reports/background/verify-image-pass/README.md b/test/conformance/kuttl/reports/background/verify-image-pass/README.md
new file mode 100644
index 0000000000..66a4b67224
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-pass/README.md
@@ -0,0 +1,10 @@
+# Title
+
+This test creates a pod using a valid signed image.
+It then creates an image verification policy running in the background.
+
+Note: the pod has to be created first because we don't want the policy to apply at admission time.
+
+## Expected Behavior
+
+The pod is created and a background scan report is generated for it with a pass result.
diff --git a/test/conformance/kuttl/reports/background/verify-image-pass/bgscanr-assert.yaml b/test/conformance/kuttl/reports/background/verify-image-pass/bgscanr-assert.yaml
new file mode 100644
index 0000000000..4549148fb2
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-pass/bgscanr-assert.yaml
@@ -0,0 +1,14 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: signed
+spec:
+ summary:
+ error: 0
+ fail: 0
+ pass: 1
+ skip: 0
+ warn: 0
diff --git a/test/conformance/kuttl/reports/background/verify-image-pass/pod-assert.yaml b/test/conformance/kuttl/reports/background/verify-image-pass/pod-assert.yaml
new file mode 100644
index 0000000000..d57097734d
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-pass/pod-assert.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: signed
diff --git a/test/conformance/kuttl/reports/background/verify-image-pass/pod.yaml b/test/conformance/kuttl/reports/background/verify-image-pass/pod.yaml
new file mode 100644
index 0000000000..9a7c8aeac0
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-pass/pod.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: signed
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed
+ name: test-secret
diff --git a/test/conformance/kuttl/reports/background/verify-image-pass/policy-assert.yaml b/test/conformance/kuttl/reports/background/verify-image-pass/policy-assert.yaml
new file mode 100644
index 0000000000..9b7835826a
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-pass/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: keyed-basic-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/reports/background/verify-image-pass/policy.yaml b/test/conformance/kuttl/reports/background/verify-image-pass/policy.yaml
new file mode 100644
index 0000000000..fd32eb4a0c
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/verify-image-pass/policy.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: keyed-basic-policy
+spec:
+ validationFailureAction: Audit
+ background: true
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: keyed-basic-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - ghcr.io/kyverno/test-verify-image:*
+ verifyDigest: false
+ required: false
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----