mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-28 02:18:15 +00:00
More kuttl standard generate tests (#6332)
* add test cpol-data-sync-delete-downstream Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test cpol-data-sync-modify-downstream Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* rename to be more descriptive Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test pol-data-sync-delete-downstream Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* cleanup test Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test cpol-data-nosync-delete-rule Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test cpol-data-nosync-delete-policy Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* fix formatting Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add Kyverno kuttl specific snippets to BEST_PRACTICES Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add reminder note Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test cpol-data-nosync-modify-rule Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test cpol-data-nosync-modify-downstream Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test pol-data-nosync-create-policy-invalid Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test pol-data-sync-delete-policy Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* separate files Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test pol-data-nosync-delete-downstream Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test pol-data-nosync-delete-rule Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test pol-data-nosync-delete-policy Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* fix description Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* fix description Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test pol-data-nosync-modify-rule Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test pol-data-nosync-modify-downstream Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test existing-basic-create-data Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test existing-basic-create-preconditions-data Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add basic clone multiple test Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add delays Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add generate permissions Signed-off-by: ShutingZhao <shuting@nirmata.com>
* reorder source and ClusterPolicy, cleanup removal, README update Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add test for cascading-mutation Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* Change creation order, remove cleanup Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* increase sleep Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* remove unused test files Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* remove networkpolicies from perms Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* add networkpolicies back Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* clarify readme Signed-off-by: Chip Zoller <chipzoller@gmail.com>

---------

Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
parent
fb3a90c703
commit
bc7b73401e
187 changed files with 2138 additions and 40 deletions
|
@ -27,6 +27,7 @@ backgroundController:
|
|||
- '*'
|
||||
resources:
|
||||
- configmaps
|
||||
- networkpolicies
|
||||
- resourcequotas
|
||||
- secrets
|
||||
- roles
|
||||
|
|
|
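Review bot: whichever line this hunk adds under `backgroundController`, the resulting grant is `'*'` verbs on `secrets` and `roles` (alongside configmaps, networkpolicies and resourcequotas) for the background controller, and the commit message describes it as "add generate permissions" for the tests. Wildcard verbs on `roles` let any generate rule create or rewrite namespace RBAC, so if this is the chart's shipped default rather than a test-only values file, say so in the chart documentation and consider listing the verbs generate actually needs (create, update, delete, get, list, watch) instead of `'*'`.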
@ -1,6 +1,41 @@
|
|||
# Some Best Practices
|
||||
## Some Best Practices
|
||||
|
||||
* Don't put anything in index `00` so it can be used in the future.
|
||||
* A final clean-up stage/file is not needed unless a resource was created using a Script. Use scripts sparingly!
|
||||
* The `*-errors.yaml` file, like an `*-assert.yaml` file only performs an existence check, not a creation check.
|
||||
* One test can contain both positive and negative tests by extending the test case. No need to write separate.
|
||||
* One test can contain both positive and negative tests by extending the test case. No need to write separate.
|
||||
|
||||
## Kyverno kuttl specifics
|
||||
|
||||
Kyverno's fork of kuttl adds several new features not found in the upstream. These features were added to make testing Kyverno's many capabilities easier and more intuitive. Below are some sample TestStep contents which illustrate these features
|
||||
|
||||
### Apply, Assert, Errors, Deletes
|
||||
|
||||
A TestStep file can declare apply, assert, errors, and deletions by naming the files that should be checked or specifying an object (in the case of delete). These do not all have to be used together.
|
||||
|
||||
```yaml
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
||||
error:
|
||||
- configmap-rejected.yaml
|
||||
delete:
|
||||
- apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
name: podsecurity-subrule-restricted
|
||||
```
|
||||
|
||||
### Checking for creation failures
|
||||
|
||||
When the expected behavior for a given manifest's creation should be that it fails (i.e., you want and expect to see it fail), a TestStep can declare this without needing to use a script.
|
||||
|
||||
```yaml
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- file: cleanuppolicy-with-subjects.yaml
|
||||
shouldFail: true
|
||||
```
|
||||
|
|
|
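Review bot: the bullet "One test can contain both positive and negative tests by extending the test case. No need to write separate." appears twice in the new list; drop one. Two smaller points in the same section: the `*-errors.yaml` bullet reads as though the errors file checks that something exists, whereas the step fails when a listed object is found, so state that directly (for example "fails the step if a matching object exists before the timeout"); and the sentence ending "illustrate these features" is missing its period. The `shouldFail: true` sample is the useful addition here, and since the section opener already says these fields are fork-only, repeat that next to the sample so nobody copies it into an upstream kuttl suite.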
@ -1,4 +1,6 @@
|
|||
## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
|
||||
## Note that the need for this type of script is deprecated in favor of Kyverno kuttl's feature allowing a TestStep to
|
||||
## indicate that creation of a file should fail. See the BEST_PRACTICES.md file for an example.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
|
|
|
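Review bot: the new comment marks this script as deprecated in favour of `shouldFail: true`, yet the step still runs the script. The replacement is a two-line TestStep (the BEST_PRACTICES.md hunk in this same change shows it), so convert this step now rather than leave a comment pointing at the better form, or word the comment as a TODO so the conversion is tracked.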
@ -0,0 +1,7 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- manifests.yaml
|
||||
- policy.yaml
|
||||
assert:
|
||||
- cluster-policy-ready.yaml
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- ns.yaml
|
||||
assert:
|
||||
- resource-assert.yaml
|
||||
error:
|
||||
- fail-resources.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a basic creation test of the "clone multiple" feature that ensures resources are created as expected by selecting the sources based upon label.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the `citrine` Namespace receives a Secret named `opal-secret` and a ConfigMap named `opal-cm`, the test passes. If it either does not receive one of these or it additionally receives a Secret named `forbidden`, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
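Review bot: the Expected Behavior says the test fails if `citrine` "additionally receives a Secret named `forbidden`", but the negative fixture in this change (`fail-resources.yaml`) and the `opal` source manifest both define `forbidden` as a ConfigMap, not a Secret. Fix the wording, and consider adding an unlabelled Secret to the `opal` source set as well: the more sensitive failure mode of a label-selected clone is a Secret being copied into every new Namespace without the `allowedToBeCloned` label, and at present the only negative case exercised is a ConfigMap.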
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-multiple-basic-create-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
thisshouldnotbe: clonedanywhere
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: forbidden
|
||||
namespace: citrine
|
|
@ -0,0 +1,33 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: opal
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
gemstone: b3BhbA==
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: opal-secret
|
||||
namespace: opal
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
gemstone: opal
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: opal-cm
|
||||
namespace: opal
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
thisshouldnotbe: clonedanywhere
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: forbidden
|
||||
namespace: opal
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: citrine
|
|
@ -0,0 +1,31 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-multiple-basic-create-policy
|
||||
spec:
|
||||
rules:
|
||||
- name: clone-multiple-basic-create-policy-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
synchronize: true
|
||||
cloneList:
|
||||
namespace: opal
|
||||
kinds:
|
||||
- v1/Secret
|
||||
- v1/ConfigMap
|
||||
selector:
|
||||
matchLabels:
|
||||
allowedToBeCloned: "true"
|
|
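Review bot: the `exclude` block lists kube-system, default, kube-public and kyverno but not `opal`, the clone source namespace that this test itself creates via `manifests.yaml`, so the rule also matches the `opal` Namespace and would attempt to clone `opal-secret` and `opal-cm` from `opal` into `opal`. The test only avoids that because the TestStep applies `manifests.yaml` before `policy.yaml`; add `opal` to `exclude` (or document the ordering dependency in the step) so the result does not hinge on apply order.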
@ -0,0 +1,20 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
gemstone: b3BhbA==
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
name: opal-secret
|
||||
namespace: citrine
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
gemstone: opal
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
name: opal-cm
|
||||
namespace: citrine
|
|
@ -1,3 +1,12 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: default
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
|
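Review bot: moving the `regcred` source Secret above the ClusterPolicy is the right fix for the race where the policy fires before its clone source exists, but this file keeps `kyverno.io/v2beta1` for ClusterPolicy while every new policy in this change uses `kyverno.io/v1`; pick one for the kuttl suite so a future API deprecation does not break half the tests at once.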
@ -18,13 +27,4 @@ spec:
|
|||
synchronize: true
|
||||
clone:
|
||||
namespace: default
|
||||
name: regcred
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: default
|
||||
type: Opaque
|
||||
name: regcred
|
|
@ -1,4 +0,0 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true
|
|
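Review bot: dropping the explicit `kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true` cleanup relies on kuttl removing what the steps applied when the test ends; confirm that covers the cluster-scoped objects here (the Namespace from `02-ns.yaml` and the ClusterPolicy), because every generate policy in this change matches any new Namespace, so a ClusterPolicy left behind by one test will fire during the next one and can make unrelated asserts pass or fail for the wrong reason.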
@ -1,3 +1,11 @@
|
|||
# Title
|
||||
## Description
|
||||
|
||||
This is a generate test to ensure a cloned secret shows properly in the new Namespace.
|
||||
This is a basic generate test to ensure a cloned secret shows properly in the new Namespace.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource is created, the test passes. If it is not created, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -1,3 +1,12 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: default
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
|
@ -19,12 +28,3 @@ spec:
|
|||
clone:
|
||||
namespace: default
|
||||
name: regcred
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: default
|
||||
type: Opaque
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true
|
|
@ -1,4 +0,0 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true
|
|
@ -1,3 +1,11 @@
|
|||
# Title
|
||||
|
||||
This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled deletes the downstream ConfigMap when matching a new Namespace.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the generated (downstream) resource is not recreated, the test passes. If it is recreated from the definition in the rule, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
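Review bot: the Description says deleting the sync-enabled data policy should delete the downstream ConfigMap, but Expected Behavior says the test passes if the resource "is not recreated" and fails if it "is recreated", which is the wording for the delete-downstream case. Restate it as "if the downstream ConfigMap is deleted, the test passes; if it remains, the test fails" so the README matches what the steps check.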
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-generated.yaml
|
|
@ -0,0 +1,7 @@
|
|||
# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
delete:
|
||||
- apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
name: cpol-data-nosync-delete-policy-policy
|
|
@ -0,0 +1,5 @@
|
|||
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
|
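Review bot: a fixed `sleep 3` is the only thing between the policy delete step and the "downstream still exists" assert in this nosync test, and a positive assert passes as soon as the object matches, so if the background controller takes longer than 3s to act the test proves nothing. For negative-behaviour checks like this one a longer delay is cheap insurance (the commit message already records the sleep being increased once), and a sentence in the README explaining why the delay exists would stop someone removing it as dead time.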
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: wolfram-debug
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a generate rule with a data declaration and NO synchronization, when the ClusterPolicy is deleted does NOT cause the generated resources to be deleted.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource remains after deletion of the ClusterPolicy, the test passes. If it is deleted, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-policy-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-policy-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-delete-policy-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: wolfram-debug
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: wolfram-debug
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-generated.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy-with-rule-removed.yaml
|
||||
assert:
|
||||
- both-resources-exist.yaml
|
|
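Review bot: this step applies `policy-with-rule-removed.yaml` and asserts `both-resources-exist.yaml` in the same step with no delay; because the assert is a positive match it succeeds on the first poll, before the background controller has had a chance to react to the rule removal, so the test passes whether or not Kyverno would later delete the ConfigMap. Add a `sleep` step between the apply and the assert, as the nosync-delete-policy test in this change does.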
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a rule within a policy having two rules is deleted does NOT cause any of the generated resources corresponding to that removed rule to be deleted.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If both generated resources remain after deletion of the rule, the test passes. If either one is deleted, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: trench-splendid
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
name: supersecret
|
||||
namespace: trench-splendid
|
||||
type: Opaque
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-rule-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-rule-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-delete-rule-ruletwo
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
name: supersecret
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
|
|
@ -0,0 +1,63 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-delete-rule-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-delete-rule-ruleone
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
||||
- name: cpol-data-nosync-delete-rule-ruletwo
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
name: supersecret
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
|
|
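Review bot: `ruletwo` embeds the Secret's `data` (base64 `mysupersecretkey`) directly in a ClusterPolicy, which is cluster-scoped and usually readable far more widely than a namespaced Secret; that is fine for a fixture with a placeholder value, but a comment saying the value is a dummy would stop the pattern being copied into real policies.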
@ -0,0 +1,21 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: trench-splendid
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somesecretvalue
|
||||
name: supersecret
|
||||
namespace: trench-splendid
|
||||
type: Opaque
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: trench-splendid
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-generated.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- downstream-modified.yaml
|
||||
assert:
|
||||
- downstream-untouched.yaml
|
|
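Review bot: same gap as the other nosync steps: `downstream-modified.yaml` is applied and `downstream-untouched.yaml` is asserted in one step with no delay, and the two files are byte-identical, so the assert is satisfied the instant the apply lands and cannot observe a later revert by the controller. Insert a sleep step before the assert, and rename `downstream-untouched.yaml` (for example `downstream-still-modified.yaml`) since what it checks is that the modification stayed.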
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a downstream (generated) resource is modified this does NOT result in those modifications getting reverted based upon the definition in the rule.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource is left in the modified state, the test passes. If the downstream resource is synced from the definition in the rule, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: hereissomenewdataichanged
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: selected-beagle
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: hereissomenewdataichanged
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: selected-beagle
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-modify-downstream-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-modify-downstream-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-modify-downstream-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: selected-beagle
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: selected-beagle
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-generated.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- rule-modified.yaml
|
||||
assert:
|
||||
- downstream-untouched.yaml
|
|
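Review bot: as in the other nosync steps, `rule-modified.yaml` is applied and `downstream-untouched.yaml` is asserted with nothing between them; the assert matches the original data immediately, so a sync triggered by the rule change a moment later would go unnoticed. Put a sleep step between the apply and the assert.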
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a rule within a policy is changed (under the data object) that this does NOT cause the downstream resource to be synced.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource is NOT modified from its initial generation, the test passes. If the downstream resource is synced from the changes made to the rule, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: stern-liquid
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-modify-rule-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-modify-rule-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-modify-rule-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: stern-liquid
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: stern-liquid
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-nosync-modify-rule-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-nosync-modify-rule-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "ihavechangedthis"
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-delete-downstream-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-delete-downstream-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-sync-delete-downstream-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: falcon-heavy
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: falcon-heavy
|
|
@ -0,0 +1,8 @@
|
|||
# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
delete:
|
||||
- apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: falcon-heavy
|
|
@ -0,0 +1,5 @@
|
|||
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
|
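Review bot: the `sleep 3` here is redundant rather than harmful: the next step's assert expects the ConfigMap to be recreated, and a kuttl assert polls until the step timeout, so it already waits for the background controller. The fixed delay is only needed in the nosync tests, where the assert must not fire too early; keeping it here blurs that distinction, so either drop it or add a comment saying why this test differs.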
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: falcon-heavy
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that when a standard generate policy with data type and sync enabled is used, deletion of the generated/downstream resource causes Kyverno to re-create the resource.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the resource is recreated, the test passes. If it is not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-modify-downstream-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cpol-data-sync-modify-downstream-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: cpol-data-sync-modify-downstream-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- default
|
||||
- kube-public
|
||||
- kyverno
|
||||
generate:
|
||||
synchronize: true
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: trainer
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: trainer
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: ichangedthis
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: trainer
|
|
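Review bot: a YAML comment marking `ZK_ADDRESS: ichangedthis` as the deliberate drift that sync is expected to revert would help; as written the file is indistinguishable from a fixture except for that one value. Keeping the original labels and `KAFKA_ADDRESS` is right, since it lets this same object serve as the `error:` entry whose continued presence should fail the test.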
@ -0,0 +1,5 @@
|
|||
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
|
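Review bot: the comment explains kuttl's single-command limitation but not why a fixed 3-second sleep is needed; kuttl already polls `assert:` objects until the step timeout, so the delay only matters for negative (`error:`) checks, where an immediate pass would happen before Kyverno has had a chance to act. State that in the comment, and consider using the same value as the other sleep steps in this PR (5 seconds in one, 3 in others) so the tests do not carry unexplained differences.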
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
|
||||
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
name: zk-kafka-address
|
||||
namespace: trainer
|
|
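Review bot: this expected ConfigMap is identical to the earlier assert fixture in this test (same name, namespace, labels and data); if the object is meant to be asserted twice, once after generation and once after the modified downstream is synced back, reference a single file from both steps rather than keeping two copies that can drift apart.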
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that when a standard generate policy with data type and sync enabled is used, modification of the generated/downstream resource causes Kyverno to sync the resource from the definition in the rule.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the resource is synced from the definition in the rule, the test passes. If it is not and remains in the modified state, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
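Review bot: the Expected Behavior would be more checkable if it named the field the test changes (`ZK_ADDRESS` on the generated ConfigMap) and said the final state is compared against the values in the rule's `data` block; "synced from the definition in the rule" is correct but leaves the reader to find the modified field in the fixtures.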
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- existing-resources.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,5 @@
|
|||
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 5
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
assert:
|
||||
- generated-resources.yaml
|
||||
error:
|
||||
- fail-generated-resources.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a basic creation test for a "generate existing" policy. It checks that the basic functionality works whereby installation of the policy causes correct evaluation of the match block resulting in generation of resources in only the matching result.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If only the `red-ns` Namespace receives a generated NetworkPolicy, the test passes. If either it does not or `green-ns` or `winter-ns` receive NetworkPolicies, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
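Review bot: "resulting in generation of resources in only the matching result" reads awkwardly; suggest "resulting in resources being generated only in the Namespaces that match the rule's selector". Worth adding that `winter-ns` carries no `color` label at all, so the test covers both a non-matching label value (`green-ns`) and an absent key.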
@ -0,0 +1,20 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: red-ns
|
||||
labels:
|
||||
color: red
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: green-ns
|
||||
labels:
|
||||
color: green
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: winter-ns
|
||||
labels:
|
||||
season: winter
|
|
@ -0,0 +1,25 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
labels:
|
||||
created-by: kyverno
|
||||
name: default-deny
|
||||
namespace: green-ns
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
labels:
|
||||
created-by: kyverno
|
||||
name: default-deny
|
||||
namespace: winter-ns
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
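Review bot: these `error:` objects carry the full `spec` and the `created-by` label; kuttl fails the step only if an existing object matches every listed field, so a NetworkPolicy wrongly generated into `green-ns` or `winter-ns` with any differing label or spec would slip through. For a "must not exist" check, trim each entry to `apiVersion`, `kind`, `metadata.name` and `metadata.namespace`.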
@ -0,0 +1,12 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
labels:
|
||||
created-by: kyverno
|
||||
name: default-deny
|
||||
namespace: red-ns
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: existing-basic-create-data-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,31 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: existing-basic-create-data-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: true
|
||||
rules:
|
||||
- name: existing-basic-create-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
selector:
|
||||
matchLabels:
|
||||
color: red
|
||||
generate:
|
||||
kind: NetworkPolicy
|
||||
apiVersion: networking.k8s.io/v1
|
||||
name: default-deny
|
||||
namespace: "{{request.object.metadata.name}}"
|
||||
synchronize: true
|
||||
data:
|
||||
metadata:
|
||||
labels:
|
||||
created-by: kyverno
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
|
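Review bot: a short comment that `generateExistingOnPolicyUpdate: true` is the behaviour under test, since the Namespaces are created before the policy, and that the `color: red` selector (rather than an exclude list) is what lets the test exercise non-matching Namespaces, would make the fixture self-explanatory; the rule itself looks right for the README's expected outcome.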
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- existing-resources.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,5 @@
|
|||
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
assert:
|
||||
- generated-resources.yaml
|
||||
error:
|
||||
- fail-generated-resources.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a basic creation test for a "generate existing" policy with preconditions. It checks that the basic functionality works whereby installation of the policy causes correct evaluation of the match and preconditions blocks.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If only the `jupiter` Namespace receives a generated ConfigMap, the test passes. If either it does not or `venus` receives a ConfigMap, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,41 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: jupiter
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: test-lb
|
||||
namespace: jupiter
|
||||
spec:
|
||||
ports:
|
||||
- name: web
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: web
|
||||
selector:
|
||||
app.kubernetes.io/instance: jupiter-foobar
|
||||
type: LoadBalancer
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: venus
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: redis
|
||||
name: venus-clusterip-svc
|
||||
namespace: venus
|
||||
spec:
|
||||
ports:
|
||||
- name: tcp-redis
|
||||
port: 6379
|
||||
protocol: TCP
|
||||
targetPort: 6379
|
||||
selector:
|
||||
app.kubernetes.io/name: venus-redis
|
||||
type: ClusterIP
|
|
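Review bot: the `test-lb` Service's selector and `targetPort: web` point at nothing, which is fine because the precondition only evaluates `spec.type`, but a LoadBalancer Service will sit with a pending external IP on clusters without a load-balancer implementation; a comment saying that is expected would stop a reader from treating it as a fixture bug.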
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
doeshavesvclb: "true"
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: mylb-cm
|
||||
namespace: venus
|
|
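Review bot: including `data.doeshavesvclb` in this `error:` fixture means a `mylb-cm` ConfigMap that Kyverno wrongly created in `venus` with different data would not fail the step, because kuttl only reports an error when an existing object matches every listed field; keep only `apiVersion`, `kind`, `metadata.name` and `metadata.namespace` for the non-existence check.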
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
doeshavesvclb: "true"
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: mylb-cm
|
||||
namespace: jupiter
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: existing-basic-create-data-preconditions-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: existing-basic-create-data-preconditions-policy
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: true
|
||||
rules:
|
||||
- name: existing-basic-create-data-preconditions-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Service
|
||||
preconditions:
|
||||
any:
|
||||
- key: "{{request.object.spec.type}}"
|
||||
operator: Equals
|
||||
value: LoadBalancer
|
||||
generate:
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
name: mylb-cm
|
||||
namespace: "{{request.object.metadata.namespace}}"
|
||||
synchronize: true
|
||||
data:
|
||||
data:
|
||||
doeshavesvclb: "true"
|
|
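Review bot: the rule matches every Service cluster-wide with no `exclude`, and with `generateExistingOnPolicyUpdate: true` it will also generate `mylb-cm` into any Namespace that already has a LoadBalancer Service when the policy is installed (an ingress controller in a shared test cluster, for example); restrict the match to the fixture Namespaces (`jupiter`, `venus`) with a `namespaces` list or selector, or document that the test assumes a cluster with no other LoadBalancer Services.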
@ -0,0 +1,7 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- file: ns.yaml
|
||||
shouldFail: false
|
||||
- file: policy.yaml
|
||||
shouldFail: true
|
|
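Review bot: `shouldFail: true` on `policy.yaml` only checks that the apply is rejected; add an `error:` entry for the Policy object (`kind: Policy`, `name: pol-data-nosync-create-policy-invalid-policy`, `namespace: indigiored`) so the step also fails if the object is somehow persisted, which is the condition the README's Expected Behavior actually describes.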
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test checks to ensure that a "bad" Policy (Namespaced) cannot be created which attempts to generate a resource into a different Namespace from that in which the Policy exists.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the Policy cannot be created, the test passes. If it is allowed to be created, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: indigiored
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: pol-data-nosync-create-policy-invalid-policy
|
||||
namespace: indigiored
|
||||
spec:
|
||||
rules:
|
||||
- name: pol-data-nosync-create-policy-invalid-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Secret
|
||||
generate:
|
||||
synchronize: false
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: zk-kafka-address
|
||||
namespace: kindbrown
|
||||
data:
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
somekey: somevalue
|
||||
data:
|
||||
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
|
||||
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
|
|
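Review bot: this Policy uses `apiVersion: kyverno.io/v2beta1` while every other policy in the PR uses `kyverno.io/v1`; if the rejection under test comes from CRD schema validation rather than the Kyverno webhook, the API version decides which schema applies, so either align on `v1` or add a comment saying `v2beta1` is intentional. The cross-Namespace target (`namespace: kindbrown` for a Policy living in `indigiored`) is the invalid part; a comment on that line would save the reader a trip to the README.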
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|