feat: add kuttl tests for validating admission policy backgroundscan reports (#8292)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2023-09-07 05:22:12 +03:00 · 2023-09-07 05:22:12 +03:00 · bbd137db24
commit bbd137db24
parent 7065d5da37
20 changed files with 280 additions and 0 deletions
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@ -390,6 +390,116 @@ jobs:
      - name: Debug failure
        if: failure()
        uses: ./.github/actions/kyverno-logs
+  
+  # runs conformance test suites with configuration:
+  validating-admission-policy-reports-v1alpha1:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: read
+    strategy:
+      fail-fast: false
+      matrix:
+        config:
+          - name: validating-admission-policy-reports
+            values:
+              - standard
+              - validating-admission-policy-reports
+        k8s-version:
+          - name: v1.26
+            version: v1.26.6
+          - name: v1.27
+            version: v1.27.3
+        tests:
+          - validating-admission-policy-reports
+    needs: prepare-images
+    name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - name: Setup build env
+        uses: ./.github/actions/setup-build-env
+        with:
+          build-cache-key: run-conformance
+      - name: Create kind cluster
+        run: |
+          export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }}
+          export KIND_CONFIG=vap-v1alpha1
+          make kind-create-cluster
+      - name: Download kyverno images archive
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: kyverno.tar
+      - name: Load kyverno images archive in kind cluster
+        run: make kind-load-image-archive
+      - name: Install kyverno
+        run: |
+          export USE_CONFIG=${{ join(matrix.config.values, ',') }}
+          make kind-install-kyverno
+      - name: Wait for kyverno ready
+        uses: ./.github/actions/kyverno-wait-ready
+      - name: Test with kuttl
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          ./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
+            --config ./test/conformance/kuttl/_config/common.yaml
+      - name: Debug failure
+        if: failure()
+        uses: ./.github/actions/kyverno-logs
+  
+  # runs conformance test suites with configuration:
+  validating-admission-policy-reports-v1beta1:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: read
+    strategy:
+      fail-fast: false
+      matrix:
+        config:
+          - name: validating-admission-policy-reports
+            values:
+              - standard
+              - validating-admission-policy-reports
+        k8s-version:
+          - name: v1.28
+            version: v1.28.0
+        tests:
+          - validating-admission-policy-reports
+    needs: prepare-images
+    name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - name: Setup build env
+        uses: ./.github/actions/setup-build-env
+        with:
+          build-cache-key: run-conformance
+      - name: Create kind cluster
+        run: |
+          export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }}
+          export KIND_CONFIG=vap-v1beta1
+          make kind-create-cluster
+      - name: Download kyverno images archive
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: kyverno.tar
+      - name: Load kyverno images archive in kind cluster
+        run: make kind-load-image-archive
+      - name: Install kyverno
+        run: |
+          export USE_CONFIG=${{ join(matrix.config.values, ',') }}
+          make kind-install-kyverno
+      - name: Wait for kyverno ready
+        uses: ./.github/actions/kyverno-wait-ready
+      - name: Test with kuttl
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          ./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
+            --config ./test/conformance/kuttl/_config/common.yaml
+      - name: Debug failure
+        if: failure()
+        uses: ./.github/actions/kyverno-logs

  # runs conformance test suites with configuration:
  default:
--- a/scripts/config/validating-admission-policy-reports/kyverno.yaml
+++ b/scripts/config/validating-admission-policy-reports/kyverno.yaml
@ -0,0 +1,16 @@
+features:
+  validatingAdmissionPolicyReports:
+    enabled: true
+
+reportsController:
+  rbac:
+    clusterRole:
+      extraResources:
+      - apiGroups:
+          - admissionregistration.k8s.io
+        resources:
+          - validatingadmissionpolicies
+          - validatingadmissionpolicybindings
+        verbs:
+          - get
+          - list
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/01-deployment.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/01-deployment.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- deployment.yaml
+assert:
+- deployment-assert.yaml
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/02-policy.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/02-policy.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy.yaml
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/03-bgscanr.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/03-bgscanr.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- bgscanr-assert.yaml
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/04-sleep.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/04-sleep.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 4
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/README.md
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/README.md
@ -0,0 +1,8 @@
+# Title
+
+This test creates a deployment with four replicas.
+It then creates a validating admission policy that checks the replicas of the deployment.
+
+## Expected Behavior
+
+The deployment is created and a background scan report is generated for it with a fail result.
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/bgscanr-assert.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/bgscanr-assert.yaml
@ -0,0 +1,14 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: deployment-fail
+spec:
+  summary:
+    error: 0
+    fail: 1
+    pass: 0
+    skip: 0
+    warn: 0
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/deployment-assert.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/deployment-assert.yaml
@ -0,0 +1,4 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-fail
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/deployment.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/deployment.yaml
@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-fail
+spec:
+  replicas: 4
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+      - name: container2
+        image: nginx
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/policy.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-fail/policy.yaml
@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: check-deployment-replicas-02
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= 3"
+      message: "Deployment spec.replicas must be less than 3."
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/01-deployment.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/01-deployment.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- deployment.yaml
+assert:
+- deployment-assert.yaml
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/02-policy.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/02-policy.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy.yaml
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/03-bgscanr.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/03-bgscanr.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- bgscanr-assert.yaml
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/04-sleep.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/04-sleep.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 4
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/README.md
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/README.md
@ -0,0 +1,8 @@
+# Title
+
+This test creates a deployment with two replicas.
+It then creates a validating admission policy that checks the replicas of the deployment.
+
+## Expected Behavior
+
+The deployment is created and a background scan report is generated for it with a pass result.
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/bgscanr-assert.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/bgscanr-assert.yaml
@ -0,0 +1,14 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: deployment-pass
+spec:
+  summary:
+    error: 0
+    fail: 0
+    pass: 1
+    skip: 0
+    warn: 0
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/deployment-assert.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/deployment-assert.yaml
@ -0,0 +1,4 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-pass
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/deployment.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/deployment.yaml
@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-pass
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+      - name: container2
+        image: nginx
--- a/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/policy.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/background/validating-admission-policy-pass/policy.yaml
@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: check-deployment-replicas-01
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= 3"
+      message: "Deployment spec.replicas must be less than 3."