diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/01-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/01-resources.yaml
new file mode 100644
index 0000000000..d6bc70b81d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/01-resources.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resources.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/02-policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/02-policies.yaml
new file mode 100644
index 0000000000..c52519accc
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/02-policies.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policies.yaml
+assert:
+- policies-assert.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/03-debug.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/03-debug.yaml
new file mode 100644
index 0000000000..342706516a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/03-debug.yaml
@@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl debug --image=busybox foo
+ then
+ exit 1
+ else
+ exit 0
+ fi
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/README.md
new file mode 100644
index 0000000000..bb85c86815
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test creates a policy to deny the creation of ephemeral containers.
+The policy is targeting `Pod` (we implicitly add the `ephemeralcontainers` subresource) and calls `kubectl debug`, the call is expected to fail.
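Review bot: The script in `with-pod/03-debug.yaml` counts any non-zero exit from `kubectl debug` as a pass, so the step also succeeds when the call fails for a reason unrelated to the policy, such as pod `foo` not being found in the current namespace or the API server being unreachable. A test of an admission control should confirm that the rejection came from that control, for example `out=$(kubectl debug --image=busybox foo 2>&1) && exit 1` followed by `echo "$out" | grep -q block-ephemeral-containers`. Whether the denial message carries the policy name should be checked against the actual Kyverno output before relying on that pattern. The same script is repeated unchanged in `with-subresource/03-debug.yaml` and `with-wildcard/03-debug.yaml`.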
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies-assert.yaml
new file mode 100644
index 0000000000..48784ef1f8
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies.yaml
new file mode 100644
index 0000000000..94220c6ad6
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-debug
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/resources.yaml
new file mode 100644
index 0000000000..4b440e5b4e
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/01-policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/01-policies.yaml
new file mode 100644
index 0000000000..c52519accc
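Review bot: The `deny-debug` rule in `with-pod/policies.yaml` matches every `Pod` with `deny: {}` under `validationFailureAction: Enforce` and has no namespace or name selector, so while it is installed it presumably rejects Pod admission cluster-wide rather than only for the test pod. The step order in this directory, resources before policies, suggests as much. The ClusterPolicy name `block-ephemeral-containers` is also reused by `with-subresource/policies.yaml` and `with-wildcard/policies.yaml`. If the suites ever overlap in time, one directory's policy can produce the denial another directory is asserting on and hide a matching regression. Consider a per-test name such as `name: block-ephemeral-containers-with-pod`, updated in `policies-assert.yaml` as well, and a `namespaces:` selector under `resources:` to limit the blast radius.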
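Review bot: `namespace: default` in `with-pod/resources.yaml` pins the pod outside the per-test namespace that kuttl creates, and the same `default/foo` pod is declared again in `with-subresource/resources.yaml` and `with-wildcard/resources.yaml`. The three tests therefore share one object whenever they overlap or a previous cleanup lags, and the debug step depends on the kubeconfig's default namespace happening to be `default`. Dropping the `namespace:` line and calling `kubectl debug -n $NAMESPACE --image=busybox foo` in the debug step would keep each test self-contained; this assumes the kuttl version in use exports `NAMESPACE` to script commands.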
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/01-policies.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policies.yaml
+assert:
+- policies-assert.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/02-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/02-resources.yaml
new file mode 100644
index 0000000000..d6bc70b81d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/02-resources.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resources.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/03-debug.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/03-debug.yaml
new file mode 100644
index 0000000000..342706516a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/03-debug.yaml
@@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl debug --image=busybox foo
+ then
+ exit 1
+ else
+ exit 0
+ fi
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/README.md
new file mode 100644
index 0000000000..4c814b16c3
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test creates a policy to deny the creation of ephemeral containers.
+The policy is targeting `Pod/ephemeralcontainers` and calls `kubectl debug`, the call is expected to fail.
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies-assert.yaml
new file mode 100644
index 0000000000..48784ef1f8
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml
new file mode 100644
index 0000000000..66d75f0f55
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-debug
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod/ephemeralcontainers
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/resources.yaml
new file mode 100644
index 0000000000..4b440e5b4e
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/01-policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/01-policies.yaml
new file mode 100644
index 0000000000..c52519accc
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/01-policies.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policies.yaml
+assert:
+- policies-assert.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/02-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/02-resources.yaml
new file mode 100644
index 0000000000..d6bc70b81d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/02-resources.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resources.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/03-debug.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/03-debug.yaml
new file mode 100644
index 0000000000..342706516a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/03-debug.yaml
@@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl debug --image=busybox foo
+ then
+ exit 1
+ else
+ exit 0
+ fi
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/README.md
new file mode 100644
index 0000000000..bb288e3ae2
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test creates a policy to deny the creation of ephemeral containers.
+The policy is targeting `*/ephemeralcontainers` and calls `kubectl debug`, the call is expected to fail.
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies-assert.yaml
new file mode 100644
index 0000000000..48784ef1f8
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml
new file mode 100644
index 0000000000..64f4b261a1
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-debug
+ match:
+ any:
+ - resources:
+ kinds:
+ - '*/ephemeralcontainers'
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/resources.yaml
new file mode 100644
index 0000000000..4b440e5b4e
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80