chainsaw test to check messageExpression interpolation (#12415)

Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com> Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-21 23:32:27 +00:00 · 2025-03-17 19:36:12 +05:30 · 2025-03-17 19:36:12 +05:30 · be974e7d93
commit be974e7d93
parent 4f9b07070a
4 changed files with 198 additions and 0 deletions
--- a/test/conformance/chainsaw/validating-policies/report-message-exp/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validating-policies/report-message-exp/chainsaw-test.yaml
@ -0,0 +1,24 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: accept
+spec:
+  template: false
+  steps:
+  - name: create policy
+    try:
+    - create:
+        file: policy.yaml
+    - sleep:
+        duration: 10s
+  - name: create deployment
+    try:
+    - create:
+        file: deployment.yaml
+    - sleep:
+        duration: 10s
+  - name: check report
+    try:
+    - assert:
+        file: report.yaml
--- a/test/conformance/chainsaw/validating-policies/report-message-exp/deployment.yaml
+++ b/test/conformance/chainsaw/validating-policies/report-message-exp/deployment.yaml
@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bad-deployment
+  labels:
+    app: nginx
+    env: testing
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: no-env
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: good-deployment
+  labels:
+    app: nginx
+    env: prod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+        env: prod
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
--- a/test/conformance/chainsaw/validating-policies/report-message-exp/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/report-message-exp/policy.yaml
@ -0,0 +1,26 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-deployment-labels
+  annotations:
+    policies.kyverno.io/title: Check Deployment Labels
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+spec:
+  validationActions: 
+   - Audit
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [apps]
+      apiVersions: [v1]
+      operations:  [CREATE, UPDATE]
+      resources:   [deployments]
+  variables:
+    - name: environment
+      expression: >-
+        has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'
+  validations:
+    - expression: >-
+        variables.environment == true
+      messageExpression: >-
+        'Deployment labels must be env=prod' + (has(object.metadata.labels) && 'env' in object.metadata.labels ? ' but found env=' + string(object.metadata.labels['env']) : ' but no env label is present')
--- a/test/conformance/chainsaw/validating-policies/report-message-exp/report.yaml
+++ b/test/conformance/chainsaw/validating-policies/report-message-exp/report.yaml
@ -0,0 +1,86 @@
+apiVersion: v1
+items:
+- apiVersion: wgpolicyk8s.io/v1alpha2
+  kind: PolicyReport
+  metadata:
+    generation: 1
+    labels:
+      app.kubernetes.io/managed-by: kyverno
+    ownerReferences:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: no-env
+  results:
+  - category: Other
+    message: Deployment labels must be env=prod but no env label is present
+    policy: check-deployment-labels
+    result: fail
+    scored: true
+    severity: medium
+    source: KyvernoValidatingPolicy
+  scope:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: no-env
+  summary:
+    error: 0
+    fail: 1
+    pass: 0
+    skip: 0
+    warn: 0
+- apiVersion: wgpolicyk8s.io/v1alpha2
+  kind: PolicyReport
+  metadata:
+    generation: 1
+    labels:
+      app.kubernetes.io/managed-by: kyverno
+    ownerReferences:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: good-deployment
+  results:
+  - category: Other
+    message: success
+    policy: check-deployment-labels
+    result: pass
+    scored: true
+    severity: medium
+    source: KyvernoValidatingPolicy
+  scope:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: good-deployment
+  summary:
+    error: 0
+    fail: 0
+    pass: 1
+    skip: 0
+    warn: 0
+- apiVersion: wgpolicyk8s.io/v1alpha2
+  kind: PolicyReport
+  metadata:
+    generation: 1
+    labels:
+      app.kubernetes.io/managed-by: kyverno
+    ownerReferences:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: bad-deployment
+  results:
+  - category: Other
+    message: Deployment labels must be env=prod but found env=testing
+    policy: check-deployment-labels
+    result: fail
+    scored: true
+    severity: medium
+    source: KyvernoValidatingPolicy
+  scope:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: bad-deployment
+  summary:
+    error: 0
+    fail: 1
+    pass: 0
+    skip: 0
+    warn: 0