From b0243e1215110eb1538a5a7c859f835e001af443 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Wed, 22 Mar 2023 11:52:02 +0100 Subject: [PATCH] test: add kuttl tests for ephemeral containers (#6631) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Charles-Edouard Brétéché --- .../standard/debug/with-pod/01-resources.yaml | 4 ++++ .../standard/debug/with-pod/02-policies.yaml | 6 ++++++ .../standard/debug/with-pod/03-debug.yaml | 10 ++++++++++ .../standard/debug/with-pod/README.md | 4 ++++ .../debug/with-pod/policies-assert.yaml | 9 +++++++++ .../standard/debug/with-pod/policies.yaml | 18 ++++++++++++++++++ .../standard/debug/with-pod/resources.yaml | 11 +++++++++++ .../debug/with-subresource/01-policies.yaml | 6 ++++++ .../debug/with-subresource/02-resources.yaml | 4 ++++ .../debug/with-subresource/03-debug.yaml | 10 ++++++++++ .../standard/debug/with-subresource/README.md | 4 ++++ .../with-subresource/policies-assert.yaml | 9 +++++++++ .../debug/with-subresource/policies.yaml | 18 ++++++++++++++++++ .../debug/with-subresource/resources.yaml | 11 +++++++++++ .../debug/with-wildcard/01-policies.yaml | 6 ++++++ .../debug/with-wildcard/02-resources.yaml | 4 ++++ .../standard/debug/with-wildcard/03-debug.yaml | 10 ++++++++++ .../standard/debug/with-wildcard/README.md | 4 ++++ .../debug/with-wildcard/policies-assert.yaml | 9 +++++++++ .../standard/debug/with-wildcard/policies.yaml | 18 ++++++++++++++++++ .../debug/with-wildcard/resources.yaml | 11 +++++++++++ 21 files changed, 186 insertions(+) create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/01-resources.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/02-policies.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/03-debug.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/README.md create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies-assert.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies.yaml create mode 100644 
test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/resources.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/01-policies.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/02-resources.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/03-debug.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/README.md
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies-assert.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/resources.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/01-policies.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/02-resources.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/03-debug.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/README.md
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies-assert.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml
create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/resources.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/01-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/01-resources.yaml
new file mode 100644
index 0000000000..d6bc70b81d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/01-resources.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resources.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/02-policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/02-policies.yaml
new file mode 100644
index 0000000000..c52519accc
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/02-policies.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policies.yaml
+assert:
+- policies-assert.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/03-debug.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/03-debug.yaml
new file mode 100644
index 0000000000..342706516a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/03-debug.yaml
@@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl debug --image=busybox foo
+ then
+ exit 1
+ else
+ exit 0
+ fi
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/README.md
new file mode 100644
index 0000000000..bb85c86815
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test creates a policy to deny the creation of ephemeral containers.
+The policy is targeting `Pod` (we implicitly add the `ephemeralcontainers` subresource) and calls `kubectl debug`, the call is expected to fail.
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies-assert.yaml
new file mode 100644
index 0000000000..48784ef1f8
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies-assert.yaml
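Review bot: The step in `03-debug.yaml` passes whenever `kubectl debug` exits non-zero, so a missing pod, a wrong current namespace or an unreachable API server is indistinguishable from the policy denying the request; the same script is repeated in the with-subresource and with-wildcard `03-debug.yaml` hunks. Capturing stderr and checking that the denial is attributed to the policy would pin the behaviour under test, e.g. replace the `if`/`else` with `if kubectl debug -n default --image=busybox foo 2>debug.err; then exit 1; fi` followed by `grep -q block-ephemeral-containers debug.err` (this assumes Kyverno's denial message names the policy — confirm against the webhook response before relying on it). The explicit `-n default` also removes the dependency on the kubeconfig's current namespace, since `resources.yaml` pins the pod to `default` rather than the kuttl test namespace.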
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies.yaml
new file mode 100644
index 0000000000..94220c6ad6
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/policies.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-debug
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/resources.yaml
new file mode 100644
index 0000000000..4b440e5b4e
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-pod/resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/01-policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/01-policies.yaml
new file mode 100644
index 0000000000..c52519accc
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/01-policies.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policies.yaml
+assert:
+- policies-assert.yaml
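Review bot: The `deny-debug` rule in the with-pod `policies.yaml` matches every admission request for `Pod`, not only the `ephemeralcontainers` subresource, which is presumably why this variant applies `resources.yaml` before the policy while the with-subresource and with-wildcard variants apply the policy first; that ordering constraint is not recorded anywhere in the hunk. A one-line comment above the rule, `# deny: {} on Pod blocks pod creation as well, so resources.yaml must be applied in an earlier step`, would keep the next reader from reordering the steps. The rule also sets no `validate.message`, so the denial reaches the client as a bare rule failure; adding `message: ephemeral containers are not allowed` here and in the with-subresource and with-wildcard `policies.yaml` hunks makes the denial attributable and gives the debug step a stable string to assert on.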
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/02-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/02-resources.yaml
new file mode 100644
index 0000000000..d6bc70b81d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/02-resources.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resources.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/03-debug.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/03-debug.yaml
new file mode 100644
index 0000000000..342706516a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/03-debug.yaml
@@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl debug --image=busybox foo
+ then
+ exit 1
+ else
+ exit 0
+ fi
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/README.md
new file mode 100644
index 0000000000..4c814b16c3
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test creates a policy to deny the creation of ephemeral containers.
+The policy is targeting `Pod/ephemeralcontainers` and calls `kubectl debug`, the call is expected to fail.
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies-assert.yaml
new file mode 100644
index 0000000000..48784ef1f8
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml
new file mode 100644
index 0000000000..66d75f0f55
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-debug
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod/ephemeralcontainers
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/resources.yaml
new file mode 100644
index 0000000000..4b440e5b4e
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-subresource/resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/01-policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/01-policies.yaml
new file mode 100644
index 0000000000..c52519accc
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/01-policies.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policies.yaml
+assert:
+- policies-assert.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/02-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/02-resources.yaml
new file mode 100644
index 0000000000..d6bc70b81d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/02-resources.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resources.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/03-debug.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/03-debug.yaml
new file mode 100644
index 0000000000..342706516a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/03-debug.yaml
@@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl debug --image=busybox foo
+ then
+ exit 1
+ else
+ exit 0
+ fi
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/README.md
new file mode 100644
index 0000000000..bb288e3ae2
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test creates a policy to deny the creation of ephemeral containers.
+The policy is targeting `*/ephemeralcontainers` and calls `kubectl debug`, the call is expected to fail.
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies-assert.yaml
new file mode 100644
index 0000000000..48784ef1f8
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml
new file mode 100644
index 0000000000..64f4b261a1
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-debug
+ match:
+ any:
+ - resources:
+ kinds:
+ - '*/ephemeralcontainers'
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/resources.yaml
new file mode 100644
index 0000000000..4b440e5b4e
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/debug/with-wildcard/resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80