diff --git a/api/kyverno/v1/clusterpolicy_types.go b/api/kyverno/v1/clusterpolicy_types.go
index 5fc98022a3..f7088bfd56 100644
--- a/api/kyverno/v1/clusterpolicy_types.go
+++ b/api/kyverno/v1/clusterpolicy_types.go
@@ -17,7 +17,6 @@ import (
 // +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno
 // +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission"
 // +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background"
-// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction"
 // +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1
diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go
index f52ab11e8c..33424cc1f6 100644
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@@ -454,11 +454,11 @@ func (m *ForEachMutation) SetPatchStrategicMerge(in apiextensions.JSON) {
 // Validation defines checks to be performed on matching resources.
 type Validation struct {
 // ValidationFailureAction defines if a validation policy rule violation should block
- // the admission review request (enforce), or allow (audit) the admission review request
+ // the admission review request (Enforce), or allow (Audit) the admission review request
 // and report an error in a policy report. Optional.
- // Allowed values are audit or enforce.
+ // Allowed values are Audit or Enforce.
 // +optional
- // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
+ // +kubebuilder:validation:Enum=Audit;Enforce
 ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
 
 // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go
index 473cbd5b05..30925a772c 100644
--- a/api/kyverno/v1/image_verification_types.go
+++ b/api/kyverno/v1/image_verification_types.go
@@ -40,6 +40,11 @@ var signatureAlgorithmMap = map[string]bool{
 // are signed with the supplied public key. Once the image is verified it is
 // mutated to include the SHA digest retrieved during the registration.
 type ImageVerification struct {
+ // Allowed values are Audit or Enforce.
+ // +optional
+ // +kubebuilder:validation:Enum=Audit;Enforce
+ ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
+
 // Type specifies the method of signature validation. The allowed options
 // are Cosign and Notary. By default Cosign is used if a type is not specified.
 // +kubebuilder:validation:Optional
diff --git a/api/kyverno/v1/policy_types.go b/api/kyverno/v1/policy_types.go
index 9b012f588b..29941d8ab1 100644
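Review bot: Narrowing the marker to `+kubebuilder:validation:Enum=Audit;Enforce` makes the API server reject every manifest that still uses the lowercase `audit`/`enforce` values the previous marker accepted, so a re-apply of such a policy now fails while the stored object keeps running with its old value. Objects already persisted are not re-validated by a CRD update, so confirm that `ValidationFailureAction.Enforce()` (outside this hunk) still recognises a stored lowercase `enforce`; otherwise a policy that blocked admission before the upgrade would quietly behave as audit afterwards. Making the break visible in the field comment, `// Lowercase values are no longer accepted; existing policies must use Audit or Enforce.`, plus a release note, is the least a user can expect for an enum removal. The same narrowing is made in api/kyverno/v2beta1/common_types.go.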
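Review bot: The new `ValidationFailureAction` field on ImageVerification has no doc comment describing what it governs: `// Allowed values are Audit or Enforce.` lists the values but, unlike the comment on the Validation field just above, says nothing about whether Enforce blocks the admission request when signature verification fails or what happens when the field is nil. Suggest a comment that opens with the field name, `// ValidationFailureAction defines whether an image verification failure blocks the admission request (Enforce) or is only reported (Audit).`, followed by one sentence on the nil case once the controller's resolution order is confirmed. The v2beta1 copy of the field needs the same comment.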
--- a/api/kyverno/v1/policy_types.go
+++ b/api/kyverno/v1/policy_types.go
@@ -15,7 +15,6 @@ import (
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission"
 // +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background"
-// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction"
 // +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1
diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go
index f34a848f01..70294eee49 100644
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
@@ -171,6 +171,19 @@ func (s *Spec) HasValidate() bool {
 return false
 }
 
+// HasValidateEnforce checks if the policy has any validate rules with enforce action
+func (s *Spec) HasValidateEnforce() bool {
+ for _, rule := range s.Rules {
+ if rule.HasValidate() {
+ action := rule.Validation.ValidationFailureAction
+ if action != nil && action.Enforce() {
+ return true
+ }
+ }
+ }
+ return s.ValidationFailureAction.Enforce()
+}
+
 // HasGenerate checks for generate rule types
 func (s *Spec) HasGenerate() bool {
 for _, rule := range s.Rules {
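Review bot: `HasValidateEnforce` can report true for a policy in which no validate rule actually enforces: the loop only looks for an explicit Enforce, and the trailing `return s.ValidationFailureAction.Enforce()` then applies the spec-level value even when every rule explicitly set Audit, and even when the policy has no validate rule at all. If a rule-level action is meant to override the spec-level one, which the fixture moves in this commit suggest, the spec-level value should only stand in for rules whose action is nil, and a policy without validate rules should return false. Image-verification rules now carry their own `ValidationFailureAction` (added in this commit) and are not consulted here; if they count as validation for whoever calls this helper, they need the same treatment. The identical function is added to api/kyverno/v2beta1/spec_types.go.
```go
// HasValidateEnforce reports whether any validate rule resolves to the Enforce
// action; a rule that does not set its own action inherits the spec-level one.
func (s *Spec) HasValidateEnforce() bool {
	for _, rule := range s.Rules {
		if !rule.HasValidate() {
			continue
		}
		action := rule.Validation.ValidationFailureAction
		if action == nil {
			if s.ValidationFailureAction.Enforce() {
				return true
			}
			continue
		}
		if action.Enforce() {
			return true
		}
	}
	return false
}
```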
@@ -228,32 +241,6 @@ func (s *Spec) BackgroundProcessingEnabled() bool { return *s.Background } -// GetValidationFailureAction returns the value of the validationFailureAction -func (s *Spec) GetValidationFailureAction() ValidationFailureAction { - for _, rule := range s.Rules { - if rule.HasValidate() { - validationFailureAction := rule.Validation.ValidationFailureAction - if validationFailureAction != nil { - return *validationFailureAction - } - } - } - return s.ValidationFailureAction -} - -// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides -func (s *Spec) GetValidationFailureActionOverrides() []ValidationFailureActionOverride { - for _, rule := range s.Rules { - if rule.HasValidate() { - validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides - if len(validationFailureActionOverrides) != 0 { - return validationFailureActionOverrides - } - } - } - return s.ValidationFailureActionOverrides -} - // GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { for _, rule := range s.Rules { diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 32bcad92d4..11e30252b5 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -794,6 +794,11 @@ func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(ValidationFailureAction) + **out = **in + } if in.ImageReferences != nil { in, out := &in.ImageReferences, &out.ImageReferences *out = make([]string, len(*in)) 
diff --git a/api/kyverno/v2beta1/clusterpolicy_types.go b/api/kyverno/v2beta1/clusterpolicy_types.go
index 2cfa7dee3e..89086a2f37 100644
--- a/api/kyverno/v2beta1/clusterpolicy_types.go
+++ b/api/kyverno/v2beta1/clusterpolicy_types.go
@@ -18,7 +18,6 @@ import (
 // +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno
 // +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission"
 // +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background"
-// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction"
 // +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1
diff --git a/api/kyverno/v2beta1/common_types.go b/api/kyverno/v2beta1/common_types.go
index d2848ee00b..bce28ac00e 100644
--- a/api/kyverno/v2beta1/common_types.go
+++ b/api/kyverno/v2beta1/common_types.go
@@ -12,11 +12,11 @@ type AssertionTree = kjson.Any
 // Validation defines checks to be performed on matching resources.
 type Validation struct {
 // ValidationFailureAction defines if a validation policy rule violation should block
- // the admission review request (enforce), or allow (audit) the admission review request
+ // the admission review request (Enforce), or allow (Audit) the admission review request
 // and report an error in a policy report. Optional.
- // Allowed values are audit or enforce.
+ // Allowed values are Audit or Enforce.
 // +optional
- // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
+ // +kubebuilder:validation:Enum=Audit;Enforce
 ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
 
 // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
diff --git a/api/kyverno/v2beta1/image_verification_types.go b/api/kyverno/v2beta1/image_verification_types.go
index 5ec162086d..d6a270c5b0 100644
--- a/api/kyverno/v2beta1/image_verification_types.go
+++ b/api/kyverno/v2beta1/image_verification_types.go
@@ -9,6 +9,11 @@ import (
 // are signed with the supplied public key. Once the image is verified it is
 // mutated to include the SHA digest retrieved during the registration.
 type ImageVerification struct {
+ // Allowed values are Audit or Enforce.
+ // +optional
+ // +kubebuilder:validation:Enum=Audit;Enforce
+ ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
+
 // Type specifies the method of signature validation. The allowed options
 // are Cosign and Notary. By default Cosign is used if a type is not specified.
 // +kubebuilder:validation:Optional
diff --git a/api/kyverno/v2beta1/policy_types.go b/api/kyverno/v2beta1/policy_types.go
index a0acbabe37..0d3a62675d 100644
--- a/api/kyverno/v2beta1/policy_types.go
+++ b/api/kyverno/v2beta1/policy_types.go
@@ -16,7 +16,6 @@ import (
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission"
 // +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background"
-// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction"
 // +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1
diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go
index 2d1d7f883d..226a7bdbe5 100644
--- a/api/kyverno/v2beta1/spec_types.go
+++ b/api/kyverno/v2beta1/spec_types.go
@@ -135,6 +135,19 @@ func (s *Spec) HasValidate() bool {
 return false
 }
 
+// HasValidateEnforce checks if the policy has any validate rules with enforce action
+func (s *Spec) HasValidateEnforce() bool {
+ for _, rule := range s.Rules {
+ if rule.HasValidate() {
+ action := rule.Validation.ValidationFailureAction
+ if action != nil && action.Enforce() {
+ return true
+ }
+ }
+ }
+ return s.ValidationFailureAction.Enforce()
+}
+
 // HasGenerate checks for generate rule types
 func (s *Spec) HasGenerate() bool {
 for _, rule := range s.Rules {
@@ -197,32 +210,6 @@ func (s *Spec) BackgroundProcessingEnabled() bool { return *s.Background } -// GetValidationFailureAction returns the value of the validationFailureAction -func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction { - for _, rule := range s.Rules { - if rule.HasValidate() { - validationFailureAction := rule.Validation.ValidationFailureAction - if validationFailureAction != nil { - return *validationFailureAction - } - } - } - return s.ValidationFailureAction -} - -// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides -func (s *Spec) GetValidationFailureActionOverrides() []kyvernov1.ValidationFailureActionOverride { - for _, rule := range s.Rules { - if rule.HasValidate() { - validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides - if len(validationFailureActionOverrides) != 0 { - return validationFailureActionOverrides - } - } - } - return s.ValidationFailureActionOverrides -} - // GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { for _, rule := range s.Rules { diff --git a/api/kyverno/v2beta1/zz_generated.deepcopy.go b/api/kyverno/v2beta1/zz_generated.deepcopy.go index d7bc15076b..d115186769 100755 --- a/api/kyverno/v2beta1/zz_generated.deepcopy.go +++ b/api/kyverno/v2beta1/zz_generated.deepcopy.go @@ -368,6 +368,11 @@ func (in *Exception) DeepCopy() *Exception { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(v1.ValidationFailureAction) + **out = **in + } if in.ImageReferences != nil { in, out := &in.ImageReferences, &out.ImageReferences *out = make([]string, len(*in)) 
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml index 0181fd73bf..6cc6fe94c0 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml @@ -31,9 +31,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -3436,12 +3433,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -4277,6 +4272,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -7804,12 +7805,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string 
@@ -8658,6 +8657,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -8798,9 +8803,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -11975,12 +11977,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -12785,6 +12785,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -16312,12 +16318,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string 
@@ -17166,6 +17170,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 7590f581ef..244acd44e1 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml @@ -31,9 +31,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -3437,12 +3434,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -4278,6 +4273,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -7806,12 +7807,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -8660,6 +8659,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -8800,9 +8805,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -11978,12 +11980,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -12788,6 +12788,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -16315,12 +16321,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -17169,6 +17173,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml b/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml index 3dc4968a6a..8dc690aa2f 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml @@ -26,7 +26,6 @@ metadata: name: require-ns-purpose-label namespace: test spec: - validationFailureAction: Enforce rules: - name: require-ns-purpose-label match: @@ -35,6 +34,7 @@ spec: kinds: - Namespace validate: + validationFailureAction: Enforce message: "You must have label 'purpose' with value 'production' set on all new namespaces." pattern: metadata: diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml index b225d5c0ff..2b9137d169 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml 
@@ -18,6 +18,7 @@ spec: - Pod name: pods-require-account validate: + validationFailureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -30,6 +31,7 @@ spec: - Pod name: pods-require-limits validate: + validationFailureAction: Audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: @@ -41,4 +43,3 @@ spec: requests: cpu: ?* memory: ?* - validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml index b225d5c0ff..2b9137d169 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml @@ -18,6 +18,7 @@ spec: - Pod name: pods-require-account validate: + validationFailureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -30,6 +31,7 @@ spec: - Pod name: pods-require-limits validate: + validationFailureAction: Audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: @@ -41,4 +43,3 @@ spec: requests: cpu: ?* memory: ?* - validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml index 5c5179f97f..34b5af5fd1 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml @@ -32,4 +32,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml index c51244e970..c6bc85b85f 100644 
--- a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml @@ -56,4 +56,4 @@ spec: - CREATE message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} resource is protected. Admin or allowed users can change the resource' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml index b225d5c0ff..095c6af952 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml @@ -18,6 +18,7 @@ spec: - Pod name: pods-require-account validate: + validationFailureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -41,4 +42,4 @@ spec: requests: cpu: ?* memory: ?* - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml index 8ce91ef6a2..2f0347e5c5 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml @@ -8,7 +8,6 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Restricted) spec: background: false - validationFailureAction: audit rules: - name: pods-require-account match: @@ -19,6 +18,7 @@ spec: matchLabels: istio/rev: "default" validate: + validationFailureAction: audit message: User pods must include an account for charging pattern: metadata: @@ -30,6 +30,7 @@ spec: kinds: - Pod validate: + validationFailureAction: audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: 
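Review bot: invalid-schema.yaml moves `validationFailureAction: audit` under each rule's `validate:` but keeps the lowercase value, which the enum narrowed elsewhere in this commit no longer accepts, whereas the previous `audit;enforce;Audit;Enforce` marker did; the fixture therefore now carries a schema violation on this field in addition to whatever it was originally written to exercise. If the test that consumes it asserts on a particular validation error, confirm the expected message still matches. If the lowercase value is now the intended invalid part, a comment beside it, `# lowercase value is intentionally invalid under the Audit/Enforce enum`, would keep the fixture's purpose readable. The surrounding spec of this file is outside the hunks shown.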
diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml index 6ebd08a81b..0398149107 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml @@ -19,6 +19,7 @@ spec: - Pod name: pods-require-account validate: + validationFailureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -31,6 +32,7 @@ spec: - Pod name: pods-require-limits validate: + validationFailureAction: Audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: @@ -42,4 +44,3 @@ spec: requests: cpu: ?* memory: ?* - validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml index 7cf97bb114..6007ec75a4 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml @@ -20,4 +20,4 @@ spec: podSecurity: level: restricted version: latest - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 34900db273..f47d882883 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -25,9 +25,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string 
@@ -3430,12 +3427,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -4271,6 +4266,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -7798,12 +7799,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -8652,6 +8651,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -8792,9 +8797,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string 
@@ -11969,12 +11971,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -12779,6 +12779,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -16306,12 +16312,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -17160,6 +17164,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 7b3de058c5..1e7589b407 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml 
@@ -25,9 +25,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -3431,12 +3428,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -4272,6 +4267,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -7800,12 +7801,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -8654,6 +8653,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -8794,9 +8799,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -11972,12 +11974,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -12782,6 +12782,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -16309,12 +16315,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -17163,6 +17167,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have 
diff --git a/cmd/cli/kubectl-kyverno/policy/load_test.go b/cmd/cli/kubectl-kyverno/policy/load_test.go index 1136980e21..87d36183e3 100644 --- a/cmd/cli/kubectl-kyverno/policy/load_test.go +++ b/cmd/cli/kubectl-kyverno/policy/load_test.go @@ -110,7 +110,7 @@ func TestLoadWithKubectlValidate(t *testing.T) { assert.NotNil(t, policy) spec := policy.GetSpec() assert.NotNil(t, spec) - assert.True(t, spec.GetValidationFailureAction().Audit()) + assert.True(t, spec.ValidationFailureAction.Audit()) assert.NotNil(t, spec.Background) assert.True(t, *spec.Background) assert.NotNil(t, spec.Admission) diff --git a/cmd/cli/kubectl-kyverno/processor/policy_processor.go b/cmd/cli/kubectl-kyverno/processor/policy_processor.go index 04aba7915c..081c95ec85 100644 --- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go +++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go @@ -205,7 +205,7 @@ func (p *PolicyProcessor) ApplyPoliciesOnResource() ([]engineapi.EngineResponse, } responses = append(responses, generateResponse) } - p.Rc.addGenerateResponse(p.AuditWarn, generateResponse) + p.Rc.addGenerateResponse(generateResponse) } } p.Rc.addEngineResponses(p.AuditWarn, responses...) diff --git a/cmd/cli/kubectl-kyverno/processor/result.go b/cmd/cli/kubectl-kyverno/processor/result.go index 63122883bf..32d2561bca 100644 --- a/cmd/cli/kubectl-kyverno/processor/result.go +++ b/cmd/cli/kubectl-kyverno/processor/result.go @@ -63,7 +63,7 @@ func (rc *ResultCounts) addEngineResponse(auditWarn bool, response engineapi.Eng } } -func (rc *ResultCounts) addGenerateResponse(auditWarn bool, response engineapi.EngineResponse) { +func (rc *ResultCounts) addGenerateResponse(response engineapi.EngineResponse) { genericPolicy := response.Policy() if polType := genericPolicy.GetType(); polType == engineapi.ValidatingAdmissionPolicyType { return 
@@ -75,11 +75,7 @@ func (rc *ResultCounts) addGenerateResponse(auditWarn bool, response engineapi.E if ruleResponse.Status() == engineapi.RuleStatusPass { rc.Pass++ } else { - if auditWarn && response.GetValidationFailureAction().Audit() { - rc.Warn++ - } else { - rc.Fail++ - } + rc.Fail++ } continue } diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index 34900db273..f47d882883 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml @@ -25,9 +25,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -3430,12 +3427,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -4271,6 +4266,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
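Review bot: The collapsed else-branch in addGenerateResponse now counts every non-pass generate rule as a failure, so the CLI's audit-warn mode (p.AuditWarn) no longer applies to generate rules, while the sibling addEngineResponse visible in the previous hunk's context still takes auditWarn. That asymmetry is defensible if generate rules carry no validationFailureAction once the field moves into the validate block, but nothing in the code records the reason. Add `// generate rules carry no validationFailureAction, so audit-warn cannot downgrade a failure to a warning` above `rc.Fail++`. The enclosing function starts outside this hunk.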
@@ -7798,12 +7799,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -8652,6 +8651,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -8792,9 +8797,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -11969,12 +11971,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -12779,6 +12779,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -16306,12 +16312,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -17160,6 +17164,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 7b3de058c5..1e7589b407 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml @@ -25,9 +25,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -3431,12 +3428,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string 
@@ -4272,6 +4267,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -7800,12 +7801,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -8654,6 +8653,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -8794,9 +8799,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -11972,12 +11974,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string 
@@ -12782,6 +12782,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -16309,12 +16315,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -17163,6 +17167,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 99624fe34b..2825cb4fc6 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -5222,9 +5222,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string 
@@ -8627,12 +8624,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -9468,6 +9463,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -12995,12 +12996,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -13849,6 +13848,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -13989,9 +13994,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string 
@@ -17166,12 +17168,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -17976,6 +17976,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -21503,12 +21509,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -22357,6 +22361,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -22778,9 +22788,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string 
@@ -26184,12 +26191,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -27025,6 +27030,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -30553,12 +30564,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -31407,6 +31416,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -31547,9 +31562,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string 
@@ -34725,12 +34737,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -35535,6 +35545,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -39062,12 +39078,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -39916,6 +39930,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 1e4d8dff9e..17ff508046 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -2389,6 +2389,20 @@ mutated to include the SHA digest retrieved during the registration.
validationFailureAction
Allowed values are Audit or Enforce.
+type
ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request +the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce.
+Allowed values are Audit or Enforce.string
alias)
(Appears on: +ImageVerification, Spec, Validation, ValidationFailureActionOverride, +ImageVerification, Spec, Validation)
@@ -8369,6 +8385,20 @@ mutated to include the SHA digest retrieved during the registration.validationFailureAction
Allowed values are Audit or Enforce.
+type
ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request +the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce.
+Allowed values are Audit or Enforce.validationFailureAction
+
+
+
+
+
+
+
+ ValidationFailureAction
+
+
+
+ Allowed values are Audit or Enforce.
+ + + + + +type
@@ -8965,9 +8994,9 @@ It is an empty string when validating admission policy is successfully generated
ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request +the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce.
+Allowed values are Audit or Enforce. @@ -9274,6 +9303,7 @@ by specifying exclusions for Pod Security Standards controls.(Appears in: + ImageVerification, Spec, Validation, ValidationFailureActionOverride) diff --git a/docs/user/crd/kyverno.v2beta1.html b/docs/user/crd/kyverno.v2beta1.html index 2d8036b796..5ac8ef3c35 100644 --- a/docs/user/crd/kyverno.v2beta1.html +++ b/docs/user/crd/kyverno.v2beta1.html @@ -2773,6 +2773,35 @@ mutated to include the SHA digest retrieved during the registration.
+validationFailureAction
+
+
+
+
+
+
+
+ ValidationFailureAction
+
+
+
+ Allowed values are Audit or Enforce.
+ + + + + +type
@@ -4536,9 +4565,9 @@ Defaults to "false" if not specified.
ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request +the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce.
+Allowed values are Audit or Enforce. diff --git a/pkg/autogen/autogen_test.go b/pkg/autogen/autogen_test.go index 31255ee625..1ce2b90f9f 100644 --- a/pkg/autogen/autogen_test.go +++ b/pkg/autogen/autogen_test.go @@ -242,7 +242,7 @@ func Test_GetSupportedControllers(t *testing.T) { }, { name: "rule-with-validate-podsecurity", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`), + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`), expectedControllers: PodControllers, }, } @@ -406,7 +406,6 @@ kind: ClusterPolicy metadata: name: check-image spec: - validationFailureAction: enforce background: false webhookTimeoutSeconds: 30 failurePolicy: Fail @@ -540,7 +539,7 @@ kA== } func Test_PodSecurityWithNoExceptions(t *testing.T) { - policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`) + policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`) policies, _, _, err := yamlutils.GetPolicy([]byte(policy)) assert.NilError(t, err) assert.Equal(t, 1, len(policies)) 
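Review bot: The relocated fixtures in the first and third autogen_test.go hunks keep the lowercase value `"validationFailureAction":"enforce"`, while this same commit narrows the CRD enum to `Audit;Enforce`; unless the Go-side Enforce() check is case-insensitive, these tests now pass with a value the API server would reject, so prefer `"validationFailureAction":"Enforce"` so the fixtures stay representative of accepted policies. The middle hunk removes `validationFailureAction: enforce` from the check-image YAML without relocating it into the rule, so that policy now runs under the default action; if the assertions depend on enforcement, add `validationFailureAction: Enforce` inside the rule there as well.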
@@ -558,7 +557,6 @@ func Test_ValidateWithCELExpressions(t *testing.T) {
 "name": "disallow-host-path"
 },
 "spec": {
- "validationFailureAction": "Enforce",
 "background": false,
 "rules": [
 {
@@ -575,6 +573,7 @@ func Test_ValidateWithCELExpressions(t *testing.T) {
 ]
 },
 "validate": {
+ "validationFailureAction": "Enforce",
 "cel": {
 "expressions": [
 {
diff --git a/pkg/autogen/rule.go b/pkg/autogen/rule.go
index 12c358d32d..9cb03dfbba 100644
--- a/pkg/autogen/rule.go
+++ b/pkg/autogen/rule.go
@@ -129,7 +129,9 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
 }
 if target := rule.Validation.GetPattern(); target != nil {
 newValidate := kyvernov1.Validation{
- Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
+ Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
+ ValidationFailureAction: rule.Validation.ValidationFailureAction,
+ ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides,
 }
 newValidate.SetPattern(
 map[string]interface{}{
@@ -143,8 +145,10 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
 }
 if rule.Validation.Deny != nil {
 deny := kyvernov1.Validation{
- Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"),
- Deny: rule.Validation.Deny,
+ Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"),
+ Deny: rule.Validation.Deny,
+ ValidationFailureAction: rule.Validation.ValidationFailureAction,
+ ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides,
 }
 rule.Validation = deny
 return rule
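Review bot: The same two-field copy of ValidationFailureAction and ValidationFailureActionOverrides is spelled out five times across the pattern, deny, podSecurity, anyPattern and forEach branches of generateRule (here and in the next two rule.go hunks), and the anyPattern and forEach branches add temporaries that Go does not need, since the composite literal on the right is fully evaluated before rule.Validation is reassigned. An autogenerated controller rule that misses this copy silently falls back to the default action and stops blocking what its source rule enforces, so a single helper that every branch calls is worth having, as a future branch then cannot forget it. generateRule starts and ends outside these hunks, so any other place in it that rebuilds rule.Validation needs the same call.

```go
// copyFailureAction carries a rule's validationFailureAction and its overrides into a
// rebuilt Validation so the autogenerated rule keeps the source rule's enforcement mode.
func copyFailureAction(dst *kyvernov1.Validation, src *kyvernov1.Validation) {
	dst.ValidationFailureAction = src.ValidationFailureAction
	dst.ValidationFailureActionOverrides = src.ValidationFailureActionOverrides
}

// … in generateRule, the deny branch; the other four branches call it the same way …
deny := kyvernov1.Validation{
	Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"),
	Deny:    rule.Validation.Deny,
}
copyFailureAction(&deny, &rule.Validation)
```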
@@ -159,6 +163,8 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
 Version: rule.Validation.PodSecurity.Version,
 Exclude: newExclude,
 },
+ ValidationFailureAction: rule.Validation.ValidationFailureAction,
+ ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides,
 }
 rule.Validation = podSecurity
 return rule
@@ -177,8 +183,12 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
 }
 patterns = append(patterns, newPattern)
 }
+ validationFailureAction := rule.Validation.ValidationFailureAction
+ validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
 rule.Validation = kyvernov1.Validation{
- Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"),
+ Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"),
+ ValidationFailureAction: validationFailureAction,
+ ValidationFailureActionOverrides: validationFailureActionOverrides,
 }
 rule.Validation.SetAnyPattern(patterns)
 return rule
@@ -186,9 +196,13 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
 if len(rule.Validation.ForEachValidation) > 0 && rule.Validation.ForEachValidation != nil {
 newForeachValidate := make([]kyvernov1.ForEachValidation, len(rule.Validation.ForEachValidation))
 copy(newForeachValidate, rule.Validation.ForEachValidation)
+ validationFailureAction := rule.Validation.ValidationFailureAction
+ validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
 rule.Validation = kyvernov1.Validation{
- Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
- ForEachValidation: newForeachValidate,
+ Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
+ ForEachValidation: newForeachValidate,
+ ValidationFailureAction: validationFailureAction,
+ ValidationFailureActionOverrides: validationFailureActionOverrides,
 }
 return rule
 }
diff --git a/pkg/client/applyconfigurations/kyverno/v1/imageverification.go b/pkg/client/applyconfigurations/kyverno/v1/imageverification.go
index b9e664c13b..b03d1002dc 100644
--- a/pkg/client/applyconfigurations/kyverno/v1/imageverification.go
+++ b/pkg/client/applyconfigurations/kyverno/v1/imageverification.go
@@ -25,6 +25,7 @@ import (
 // ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use
 // with apply.
 type ImageVerificationApplyConfiguration struct {
+ ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
 Type *v1.ImageVerificationType `json:"type,omitempty"`
 Image *string `json:"image,omitempty"`
 ImageReferences []string `json:"imageReferences,omitempty"`
@@ -52,6 +53,14 @@ func ImageVerification() *ImageVerificationApplyConfiguration {
 return &ImageVerificationApplyConfiguration{}
 }
 
+// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
+func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
+ b.ValidationFailureAction = &value
+ return b
+}
+
 // WithType sets the Type field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Type field is set to the value of the last call.
diff --git a/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go b/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go
index cf92439553..4a51d6db70 100644
--- a/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go
+++ b/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go
@@ -26,6 +26,7 @@ import (
 // ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use
 // with apply.
 type ImageVerificationApplyConfiguration struct {
+ ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
 Type *v1.ImageVerificationType `json:"type,omitempty"`
 ImageReferences []string `json:"imageReferences,omitempty"`
 SkipImageReferences []string `json:"skipImageReferences,omitempty"`
@@ -45,6 +46,14 @@ func ImageVerification() *ImageVerificationApplyConfiguration {
 return &ImageVerificationApplyConfiguration{}
 }
 
+// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
+func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
+ b.ValidationFailureAction = &value
+ return b
+}
+
 // WithType sets the Type field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Type field is set to the value of the last call.
diff --git a/pkg/controllers/metrics/policy/metrics.go b/pkg/controllers/metrics/policy/metrics.go
index 38e0b89c7c..10e6db8683 100644
--- a/pkg/controllers/metrics/policy/metrics.go
+++ b/pkg/controllers/metrics/policy/metrics.go
@@ -27,7 +27,7 @@ func (pc *controller) registerPolicyChangesMetricUpdatePolicy(ctx context.Contex
 logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName())
 }
 // curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields:
- if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.GetValidationFailureAction().Enforce() != oldSpec.GetValidationFailureAction().Enforce() {
+ if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.ValidationFailureAction.Enforce() != oldSpec.ValidationFailureAction.Enforce() {
 err = policyChangesMetric.RegisterPolicy(ctx, pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated)
 if err != nil {
 logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName())
diff --git a/pkg/controllers/webhook/utils_test.go b/pkg/controllers/webhook/utils_test.go
index 91e3959115..ceeb0c5ab3 100644
--- a/pkg/controllers/webhook/utils_test.go
+++ b/pkg/controllers/webhook/utils_test.go
@@ -35,7 +35,6 @@ var policy = `
 "name": "disallow-unsigned-images"
 },
 "spec": {
- "validationFailureAction": "enforce",
 "background": false,
 "rules": [
 {
diff --git a/pkg/engine/api/engineresponse.go b/pkg/engine/api/engineresponse.go
index 7788c3709e..0c903c1aa9 100644
--- a/pkg/engine/api/engineresponse.go
+++ b/pkg/engine/api/engineresponse.go
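Review bot: Comparing only the spec-level `ValidationFailureAction` means a policy whose enforcement mode changes at rule level (the `validate.validationFailureAction` field this series introduces) will not trigger a fresh kyverno_policy_changes_total registration, because the spec-level field may be unset or unchanged in that case. pkg/metrics/parsers.go in this same change derives the reported mode from `HasValidateEnforce()`, so the update trigger here should read the same source or the metric's mode label and its change detection will disagree: `if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.HasValidateEnforce() != oldSpec.HasValidateEnforce() {`. The enclosing function starts and ends outside the hunk.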
@@ -199,7 +199,41 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
 return ""
 }
 spec := pol.AsKyvernoPolicy().GetSpec()
- for _, v := range spec.GetValidationFailureActionOverrides() {
+ for _, r := range spec.Rules {
+ if r.HasValidate() {
+ for _, v := range r.Validation.ValidationFailureActionOverrides {
+ if !v.Action.IsValid() {
+ continue
+ }
+ if v.Namespaces == nil {
+ hasPass, err := utils.CheckSelector(v.NamespaceSelector, er.namespaceLabels)
+ if err == nil && hasPass {
+ return v.Action
+ }
+ }
+ for _, ns := range v.Namespaces {
+ if wildcard.Match(ns, er.PatchedResource.GetNamespace()) {
+ if v.NamespaceSelector == nil {
+ return v.Action
+ }
+ hasPass, err := utils.CheckSelector(v.NamespaceSelector, er.namespaceLabels)
+ if err == nil && hasPass {
+ return v.Action
+ }
+ }
+ }
+ }
+
+ if r.Validation.ValidationFailureAction != nil {
+ return *r.Validation.ValidationFailureAction
+ }
+ } else if r.HasVerifyImages() {
+ if r.VerifyImages[0].ValidationFailureAction != nil {
+ return *r.VerifyImages[0].ValidationFailureAction
+ }
+ }
+ }
+ for _, v := range spec.ValidationFailureActionOverrides {
 if !v.Action.IsValid() {
 continue
 }
@@ -221,5 +255,5 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
 }
 }
 }
- return spec.GetValidationFailureAction()
+ return spec.ValidationFailureAction
 }
diff --git a/pkg/engine/handlers/validation/validate_resource_test.go b/pkg/engine/handlers/validation/validate_resource_test.go
index aa96c20669..8e057816f6 100644
--- a/pkg/engine/handlers/validation/validate_resource_test.go
+++ b/pkg/engine/handlers/validation/validate_resource_test.go
@@ -40,7 +40,6 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext {
 "name": "block-label-changes"
 },
 "spec": {
- "validationFailureAction": "Enforce",
 "background": false,
 "rules": [
 {
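Review bot: The new loop over `spec.Rules` returns the action of the first validate rule that sets `ValidationFailureAction`, regardless of which rule this EngineResponse was produced by, so in a policy whose first rule is Audit and a later rule is Enforce every response is reported as Audit and the Enforce rule's block is silently lost (and with the order reversed an Audit rule starts blocking). Because this value decides whether a violation is denied or only reported, the lookup should be scoped to the rule the response belongs to; if the receiver carries rule-level responses or a rule name, use that rather than iterating the whole rule list, and if it does not, the limitation deserves a comment on the loop such as `// NOTE: returns the first rule-level action found, not necessarily the one for the rule that produced this response`. `r.VerifyImages[0]` likewise consults only the first verifyImages entry, so a second entry's action is never seen; iterate the slice or state why only the first counts. The per-rule override matching is a copy of the spec-level block that follows it; pulling the namespace/selector matching into a small helper used by both loops would remove the duplication and keep the two fail-open paths identical.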
@@ -61,6 +60,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext { ] }, "validate": { + "validationFailureAction": "Enforce", "message": "The label size is required", "pattern": { "metadata": { @@ -88,6 +88,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext { ] }, "validate": { + "validationFailureAction": "Enforce", "message": "The label size cannot be changed for a namespace", "deny": { "conditions": { diff --git a/pkg/engine/mutate/patch/strategicMergePatch_test.go b/pkg/engine/mutate/patch/strategicMergePatch_test.go index c37080e1e1..e14228f99c 100644 --- a/pkg/engine/mutate/patch/strategicMergePatch_test.go +++ b/pkg/engine/mutate/patch/strategicMergePatch_test.go @@ -180,7 +180,6 @@ func Test_PolicyDeserilize(t *testing.T) { "name": "set-image-pull-policy" }, "spec": { - "validationFailureAction": "enforce", "rules": [ { "name": "set-image-pull-policy", diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go index 9a97b3cd98..6b4941ea33 100644 --- a/pkg/engine/mutation_test.go +++ b/pkg/engine/mutation_test.go @@ -655,7 +655,6 @@ func Test_foreach_element_mutation(t *testing.T) { "name": "mutate-privileged" }, "spec": { - "validationFailureAction": "audit", "background": false, "webhookTimeoutSeconds": 10, "failurePolicy": "Fail", diff --git a/pkg/engine/utils/utils_test.go b/pkg/engine/utils/utils_test.go index 58d9508569..98047363d3 100644 --- a/pkg/engine/utils/utils_test.go +++ b/pkg/engine/utils/utils_test.go 
@@ -837,7 +837,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "name": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { 
"kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), areErrorsExpected: false, }, { 
@@ -846,7 +846,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": {"rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: false, }, { 
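Review bot: The moved fixtures in this hunk, in the remaining TestMatchesResourceDescription and TestMatchesResourceDescription_GenerateName hunks of this file, and in most hunks of pkg/engine/validation_test.go keep the lowercase `"validationFailureAction": "enforce"` although this change narrows the CRD enum to `Audit;Enforce`, so the tests exercise a spelling the API server will now reject and pass only if `Enforce()` is case-insensitive, which is not visible here. Normalizing them to `"Enforce"`, as pkg/engine/handlers/validation/validate_resource_test.go already does, keeps the fixtures aligned with what a cluster accepts. The @@ -837 and @@ -864 fixtures also drop the field entirely, while their GenerateName twins (@@ -1742, @@ -1769) move it into the validate rule; unless the omission is deliberate the two copies should agree.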
@@ -864,7 +864,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1beta1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "name": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { 
"resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), areErrorsExpected: true, }, { @@ -873,7 +873,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "validationFailureAction": "enforce", "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), areErrorsExpected: true, }, { 
@@ -882,7 +882,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: true, }, { 
@@ -891,7 +891,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "name": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } } ] } }`), areErrorsExpected: true, }, } 
@@ -1742,7 +1742,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", 
"match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), areErrorsExpected: false, }, { 
@@ -1751,7 +1751,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: false, }, { 
@@ -1769,7 +1769,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1beta1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": 
"check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), areErrorsExpected: true, }, { @@ -1778,7 +1778,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "generateName": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "validationFailureAction": "enforce", "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), areErrorsExpected: true, }, { 
@@ -1787,7 +1787,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: true, }, { 
@@ -1796,7 +1796,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } } ] } }`), areErrorsExpected: true, }, } diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go index f0603cda81..a6bcd7b735 100644 --- a/pkg/engine/validation_test.go +++ b/pkg/engine/validation_test.go @@ -679,7 +679,6 @@ func TestValidate_foreach_zero_reported_asskip(t *testing.T) { } }, "spec": { - "validationFailureAction": "Enforce", "background": true, "rules": [ { 
@@ -690,6 +689,7 @@ func TestValidate_foreach_zero_reported_asskip(t *testing.T) { } }, "validate": { + "validationFailureAction": "Enforce", "foreach": [ { "list": "request.object.spec.volumes[].projected.sources[].serviceAccountToken.expirationSeconds", @@ -1948,7 +1948,6 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing. "name": "cm-array-example" }, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { @@ -1961,6 +1960,7 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing. } }, "validate": { + "validationFailureAction": "enforce", "message": "The animal {{ request.object.metadata.labels.animal }} is not in the allowed list of animals.", "deny": { "conditions": [ @@ -2125,7 +2125,6 @@ func Test_BlockLabelRemove(t *testing.T) { "name": "prevent-label-remove" }, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { @@ -2152,6 +2151,7 @@ func Test_BlockLabelRemove(t *testing.T) { ] }, "validate": { + "validationFailureAction": "enforce", "message": "not allowed", "deny": { "conditions": { @@ -2248,7 +2248,6 @@ func TestValidate_context_variable_substitution_CLI(t *testing.T) { "name": "restrict-pod-count" }, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { @@ -2270,6 +2269,7 @@ func TestValidate_context_variable_substitution_CLI(t *testing.T) { } ], "validate": { + "validationFailureAction": "enforce", "message": "restrict pod counts to be no more than 10 on node minikube", "deny": { "conditions": [ @@ -2372,6 +2372,7 @@ func Test_EmptyStringInDenyCondition(t *testing.T) { } ], "validate": { + "validationFailureAction": "enforce", "deny": { "conditions": [ { @@ -2383,8 +2384,7 @@ func Test_EmptyStringInDenyCondition(t *testing.T) { } } } - ], - "validationFailureAction": "enforce" + ] } }`) 
@@ -2457,6 +2457,7 @@ func Test_StringInDenyCondition(t *testing.T) { } ], "validate": { + "validationFailureAction": "enforce", "deny": { "conditions": [ { @@ -2468,8 +2469,7 @@ func Test_StringInDenyCondition(t *testing.T) { } } } - ], - "validationFailureAction": "enforce" + ] } }`) @@ -3000,13 +3000,13 @@ func Test_outof_foreach_element_validation(t *testing.T) { "kind": "ClusterPolicy", "metadata": {"name": "check-container-names"}, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { "name": "test", "match": {"resources": { "kinds": [ "Pod" ] } }, "validate": { + "validationFailureAction": "enforce", "message": "Invalid name", "pattern": { "name": "{{ element.name }}" @@ -3033,7 +3033,6 @@ func Test_foreach_skip_initContainer_pass(t *testing.T) { "name": "check-images" }, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { @@ -3046,6 +3045,7 @@ func Test_foreach_skip_initContainer_pass(t *testing.T) { } }, "validate": { + "validationFailureAction": "enforce", "message": "unknown registry", "foreach": [ { @@ -3210,13 +3210,13 @@ func Test_delete_ignore_pattern(t *testing.T) { "kind": "ClusterPolicy", "metadata": {"name": "check-container-labels"}, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { "name": "test", "match": {"resources": { "kinds": [ "Pod" ] } }, "validate": { + "validationFailureAction": "enforce", "message": "Invalid label", "pattern": { "metadata" : { diff --git a/pkg/metrics/parsers.go b/pkg/metrics/parsers.go index ef65e31ac8..ddc59c3405 100644 --- a/pkg/metrics/parsers.go +++ b/pkg/metrics/parsers.go 
@@ -77,6 +77,12 @@ func GetPolicyInfos(policy kyvernov1.PolicyInterface) (string, string, PolicyTyp
 policyType = Namespaced
 }
 backgroundMode := ParsePolicyBackgroundMode(policy)
- validationMode, err := ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction())
- return name, namespace, policyType, backgroundMode, validationMode, err
+ isEnforce := policy.GetSpec().HasValidateEnforce()
+ var validationMode PolicyValidationMode
+ if isEnforce {
+ validationMode = Enforce
+ } else {
+ validationMode = Audit
+ }
+ return name, namespace, policyType, backgroundMode, validationMode, nil
 }
diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go
index 2f2aab1c2b..bbe1e6de13 100644
--- a/pkg/policycache/cache.go
+++ b/pkg/policycache/cache.go
@@ -3,6 +3,7 @@ package policycache
 import (
 kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 "github.com/kyverno/kyverno/ext/wildcard"
+ "github.com/kyverno/kyverno/pkg/autogen"
 "github.com/kyverno/kyverno/pkg/clients/dclient"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
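Review bot: GetPolicyInfos now returns a literal `nil` error on every path but keeps `error` in its signature, so callers still carry an error branch that can never fire; either drop the result (a signature change for callers outside this hunk) or add a comment on the return stating that the error result is kept for compatibility. The `var`/`if`/`else` assigning validationMode also reads simpler as `validationMode := Audit` followed by `if policy.GetSpec().HasValidateEnforce() { validationMode = Enforce }`. The enclosing function starts outside the hunk.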
@@ -62,31 +63,56 @@ func (c *cache) GetPolicies(pkey PolicyType, gvr schema.GroupVersionResource, su
 func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace string) []kyvernov1.PolicyInterface {
 var policies []kyvernov1.PolicyInterface
 for _, policy := range result {
+ var filteredPolicy kyvernov1.PolicyInterface
 keepPolicy := true
 switch pkey {
 case ValidateAudit:
- keepPolicy = checkValidationFailureActionOverrides(false, nspace, policy)
+ keepPolicy, filteredPolicy = checkValidationFailureActionOverrides(false, nspace, policy)
 case ValidateEnforce:
- keepPolicy = checkValidationFailureActionOverrides(true, nspace, policy)
+ keepPolicy, filteredPolicy = checkValidationFailureActionOverrides(true, nspace, policy)
 }
 // add policy to result
 if keepPolicy {
- policies = append(policies, policy)
+ policies = append(policies, filteredPolicy)
 }
 }
 return policies
 }
-func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool {
- validationFailureAction := policy.GetSpec().GetValidationFailureAction()
- validationFailureActionOverrides := policy.GetSpec().GetValidationFailureActionOverrides()
- if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) {
- return false
- }
- for _, action := range validationFailureActionOverrides {
- if action.Action.Enforce() != enforce && wildcard.CheckPatterns(action.Namespaces, ns) {
- return false
+func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) (bool, kyvernov1.PolicyInterface) {
+ var filteredRules []kyvernov1.Rule
+ for _, rule := range autogen.ComputeRules(policy, "") {
+ if !rule.HasValidate() {
+ continue
+ }
+
+ // if the field isn't set, use the higher level policy setting
+ validationFailureAction := rule.Validation.ValidationFailureAction
+ if validationFailureAction == nil {
+ validationFailureAction = &policy.GetSpec().ValidationFailureAction
+ }
+
+ validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
+ if len(validationFailureActionOverrides) == 0 {
+ validationFailureActionOverrides = policy.GetSpec().ValidationFailureActionOverrides
+ }
+
+ if (ns == "" || len(validationFailureActionOverrides) == 0) && validationFailureAction.Enforce() == enforce {
+ filteredRules = append(filteredRules, rule)
+ continue
+ }
+ for _, action := range validationFailureActionOverrides {
+ if action.Action.Enforce() == enforce && wildcard.CheckPatterns(action.Namespaces, ns) {
+ filteredRules = append(filteredRules, rule)
+ continue
+ }
+ }
 }
- return true
+ if len(filteredRules) > 0 {
+ filteredPolicy := policy.CreateDeepCopy()
+ filteredPolicy.GetSpec().Rules = filteredRules
+ return true, filteredPolicy
+ }
+
+ return false, nil
 }
diff --git a/pkg/policycache/store.go b/pkg/policycache/store.go
index 9f67f4c14b..761857662e 100644
--- a/pkg/policycache/store.go
+++ b/pkg/policycache/store.go
@@ -80,10 +80,10 @@ func newPolicyMap() *policyMap {
 }
 func computeEnforcePolicy(spec *kyvernov1.Spec) bool {
- if spec.GetValidationFailureAction().Enforce() {
+ if spec.ValidationFailureAction.Enforce() {
 return true
 }
- for _, k := range spec.GetValidationFailureActionOverrides() {
+ for _, k := range spec.ValidationFailureActionOverrides {
 if k.Action.Enforce() {
 return true
 }
@@ -108,6 +108,17 @@ func (m *policyMap) set(key string, policy kyvernov1.PolicyInterface, client Res
 }
 kindStates := map[policyKey]state{}
 for _, rule := range autogen.ComputeRules(policy, "") {
+ if rule.HasValidate() {
+ action := rule.Validation.ValidationFailureAction
+ if action != nil && action.Enforce() {
+ enforcePolicy = true
+ }
+ for _, k := range rule.Validation.ValidationFailureActionOverrides {
+ if k.Action.Enforce() {
+ enforcePolicy = true
+ }
+ }
+ }
 entries := sets.New[policyKey]()
 for _, gvk := range rule.MatchResources.GetKinds() {
 group, version, kind, subresource := kubeutils.ParseKindSelector(gvk)
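Review bot: A validate rule is dropped from both the Enforce and the Audit result in the new checkValidationFailureActionOverrides whenever the request namespace is non-empty, overrides exist, and none of them matches that namespace: the first branch is skipped because `len(validationFailureActionOverrides) != 0`, and the override loop only appends on a namespace match, so the rule- or policy-level validationFailureAction is never consulted and the rule is not evaluated at all in that namespace (the removed code fell back to the base action there). The inner `continue` also only advances the override loop, so a rule matching several overrides is appended several times. Making one decision per rule, where the first namespace-matching override wins and the base action applies otherwise, fixes both; the rewritten tail of the loop body is below.
```go
		// … unchanged: rule-level action / overrides falling back to the policy spec …
		// One decision per rule: the first override matching the namespace decides,
		// otherwise the (rule or policy level) validationFailureAction applies.
		selected := validationFailureAction.Enforce()
		if ns != "" {
			for _, action := range validationFailureActionOverrides {
				if wildcard.CheckPatterns(action.Namespaces, ns) {
					selected = action.Action.Enforce()
					break
				}
			}
		}
		if selected == enforce {
			filteredRules = append(filteredRules, rule)
		}
	}
	// … unchanged: deep copy of the policy with filteredRules …
```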
diff --git a/pkg/validatingadmissionpolicy/builder.go b/pkg/validatingadmissionpolicy/builder.go
index 0db222233f..649a541197 100644
--- a/pkg/validatingadmissionpolicy/builder.go
+++ b/pkg/validatingadmissionpolicy/builder.go
@@ -105,12 +105,22 @@ func BuildValidatingAdmissionPolicyBinding(
 // set validation action for vap binding
 var validationActions []admissionregistrationv1alpha1.ValidationAction
- action := cpol.GetSpec().GetValidationFailureAction()
- if action.Enforce() {
- validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
- } else if action.Audit() {
- validationActions = append(validationActions, admissionregistrationv1alpha1.Audit)
- validationActions = append(validationActions, admissionregistrationv1alpha1.Warn)
+ validateAction := cpol.GetSpec().Rules[0].Validation.ValidationFailureAction
+ if validateAction != nil {
+ if validateAction.Enforce() {
+ validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
+ } else if validateAction.Audit() {
+ validationActions = append(validationActions, admissionregistrationv1alpha1.Audit)
+ validationActions = append(validationActions, admissionregistrationv1alpha1.Warn)
+ }
+ } else {
+ validateAction := cpol.GetSpec().ValidationFailureAction
+ if validateAction.Enforce() {
+ validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
+ } else if validateAction.Audit() {
+ validationActions = append(validationActions, admissionregistrationv1alpha1.Audit)
+ validationActions = append(validationActions, admissionregistrationv1alpha1.Warn)
+ }
 }
 // set validating admission policy binding spec
diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
index cbaa38eb3b..9a295175d5 100644
--- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
+++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
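Review bot: `cpol.GetSpec().Rules[0]` at the top of the new block is indexed without a length check, so BuildValidatingAdmissionPolicyBinding panics on a policy with no rules unless every caller has already gone through a single-rule check; if that guarantee exists it should be stated in a comment, otherwise the index needs guarding. The `else` branch also redeclares `validateAction`, shadowing the outer pointer, and repeats the Deny / Audit+Warn mapping, so the two paths can drift apart. Resolving the action once and mapping it once removes both; the rewritten block follows. The enclosing function starts outside the hunk.
```go
	// set validation action for vap binding
	var validationActions []admissionregistrationv1alpha1.ValidationAction
	// Rule-level validationFailureAction wins over the policy-level one; guard the
	// index so a policy without rules cannot panic here.
	validateAction := cpol.GetSpec().ValidationFailureAction
	if rules := cpol.GetSpec().Rules; len(rules) > 0 && rules[0].Validation.ValidationFailureAction != nil {
		validateAction = *rules[0].Validation.ValidationFailureAction
	}
	if validateAction.Enforce() {
		validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
	} else if validateAction.Audit() {
		validationActions = append(validationActions, admissionregistrationv1alpha1.Audit)
		validationActions = append(validationActions, admissionregistrationv1alpha1.Warn)
	}
	// … unchanged: validating admission policy binding spec …
```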
@@ -17,14 +17,11 @@ func CanGenerateVAP(spec *kyvernov1.Spec) (bool, string) {
 return false, msg
 }
- validationFailureActionOverrides := spec.GetValidationFailureActionOverrides()
- if len(validationFailureActionOverrides) > 1 {
- msg = "skip generating ValidatingAdmissionPolicy: multiple validationFailureActionOverrides are not applicable."
+ if ok, msg := checkValidationFailureActionOverrides(spec.ValidationFailureActionOverrides); !ok {
 return false, msg
 }
- if len(validationFailureActionOverrides) != 0 && len(validationFailureActionOverrides[0].Namespaces) != 0 {
- msg = "skip generating ValidatingAdmissionPolicy: Namespaces in validationFailureActionOverrides is not applicable."
+ if ok, msg := checkValidationFailureActionOverrides(rule.Validation.ValidationFailureActionOverrides); !ok {
 return false, msg
 }
@@ -164,3 +161,17 @@ func checkResourceFilter(resFilters kyvernov1.ResourceFilters, isMatch bool) (bo
 return true, msg
 }
+
+func checkValidationFailureActionOverrides(validationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride) (bool, string) {
+ var msg string
+ if len(validationFailureActionOverrides) > 1 {
+ msg = "skip generating ValidatingAdmissionPolicy: multiple validationFailureActionOverrides are not applicable."
+ return false, msg
+ }
+
+ if len(validationFailureActionOverrides) != 0 && len(validationFailureActionOverrides[0].Namespaces) != 0 {
+ msg = "skip generating ValidatingAdmissionPolicy: Namespaces in validationFailureActionOverrides is not applicable."
+ return false, msg
+ }
+ return true, msg
+}
diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go
index c8840c0fe4..c2e58ea1a9 100644
--- a/pkg/validation/policy/validate.go
+++ b/pkg/validation/policy/validate.go
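Review bot: Both new `if ok, msg := checkValidationFailureActionOverrides(...); !ok` statements declare a fresh `msg` that shadows the `msg` CanGenerateVAP already uses (the ` return false, msg` at the top of the hunk returns it); this works but trips shadow linting and reads as if the outer variable were being set. `if ok, m := checkValidationFailureActionOverrides(...); !ok { return false, m }` avoids the ambiguity; `rule` is not declared inside the hunk and is presumably the single rule selected earlier in the function. The new helper at the bottom has no doc comment; suggest `// checkValidationFailureActionOverrides reports whether the overrides can be expressed in a ValidatingAdmissionPolicy binding: at most one override, and that one without a namespace selector.`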
@@ -114,12 +114,12 @@ func validateJSONPatch(patch string, ruleIdx int) error {
 return nil
 }
-func checkValidationFailureAction(spec *kyvernov1.Spec) []string {
+func checkValidationFailureAction(validationFailureAction kyvernov1.ValidationFailureAction, validationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride) []string {
 msg := "Validation failure actions enforce/audit are deprecated, use Enforce/Audit instead."
- if spec.GetValidationFailureAction() == "enforce" || spec.GetValidationFailureAction() == "audit" {
+ if validationFailureAction == "enforce" || validationFailureAction == "audit" {
 return []string{msg}
 }
- for _, override := range spec.GetValidationFailureActionOverrides() {
+ for _, override := range validationFailureActionOverrides {
 if override.Action == "enforce" || override.Action == "audit" {
 return []string{msg}
 }
@@ -138,7 +138,14 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
 return warnings, fmt.Errorf("custom webhook configurations are only supported in kubernetes version 1.27.0 and above")
 }
- warnings = append(warnings, checkValidationFailureAction(spec)...)
+ warnings = append(warnings, checkValidationFailureAction(spec.ValidationFailureAction, spec.ValidationFailureActionOverrides)...)
+ for _, rule := range spec.Rules {
+ if rule.HasValidate() {
+ if rule.Validation.ValidationFailureAction != nil {
+ warnings = append(warnings, checkValidationFailureAction(*rule.Validation.ValidationFailureAction, rule.Validation.ValidationFailureActionOverrides)...)
+ }
+ }
+ }
 var errs field.ErrorList
 specPath := field.NewPath("spec")
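Review bot: In the loop added to Validate the deprecation warning for `rule.Validation.ValidationFailureActionOverrides` is only emitted when `rule.Validation.ValidationFailureAction` is non-nil, so a rule that inherits the policy-level action but carries lowercase `enforce`/`audit` overrides gets no warning even though the helper would catch them. The action is a string-kind type (it is compared with `"enforce"` in this hunk), so pass its zero value when unset: `action := kyvernov1.ValidationFailureAction("")`, `if a := rule.Validation.ValidationFailureAction; a != nil { action = *a }`, `warnings = append(warnings, checkValidationFailureAction(action, rule.Validation.ValidationFailureActionOverrides)...)`, with the `HasValidate()` check kept around it. The two nested `if`s can then collapse into one. Validate's body continues outside the hunk.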
@@ -206,7 +213,15 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
 }
 if !policy.IsNamespaced() {
- err := validateNamespaces(spec, specPath.Child("validationFailureActionOverrides"))
+ for i, r := range spec.Rules {
+ if r.HasValidate() {
+ err := validateNamespaces(r.Validation.ValidationFailureActionOverrides, specPath.Child("rules").Index(i).Child("validate").Child("validationFailureActionOverrides"))
+ if err != nil {
+ return warnings, err
+ }
+ }
+ }
+ err := validateNamespaces(spec.ValidationFailureActionOverrides, specPath.Child("validationFailureActionOverrides"))
 if err != nil {
 return warnings, err
 }
@@ -326,12 +341,20 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
 if rule.HasVerifyImages() {
 isAuditFailureAction := false
- if spec.GetValidationFailureAction() == kyvernov1.Audit {
+ if spec.ValidationFailureAction.Audit() {
 isAuditFailureAction = true
 }
 verifyImagePath := rulePath.Child("verifyImages")
 for index, i := range rule.VerifyImages {
+ action := i.ValidationFailureAction
+ if action != nil {
+ if action.Audit() {
+ isAuditFailureAction = true
+ } else {
+ isAuditFailureAction = false
+ }
+ }
 errs = append(errs, i.Validate(isAuditFailureAction, verifyImagePath.Index(index))...)
 }
 if len(errs) != 0 {
@@ -1538,7 +1561,7 @@ func validateWildcardsWithNamespaces(enforce, audit, enforceW, auditW []string)
 return nil
 }
-func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error {
+func validateNamespaces(validationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride, path *field.Path) error {
 action := map[string]sets.Set[string]{
 "enforce": sets.New[string](),
 "audit": sets.New[string](),
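Review bot: In the verifyImages hunk the per-image override writes into `isAuditFailureAction`, which lives outside the loop, so an image entry with no `validationFailureAction` inherits whatever the previous entry set rather than the policy-level action: with a policy in Enforce, `verifyImages[0]` set to Audit and `verifyImages[1]` unset, the second entry is validated as Audit. Keep the policy-level value untouched and decide per iteration: `isAudit := isAuditFailureAction`, `if a := i.ValidationFailureAction; a != nil { isAudit = a.Audit() }`, `errs = append(errs, i.Validate(isAudit, verifyImagePath.Index(index))...)`. The `if action.Audit() { ... = true } else { ... = false }` shape then disappears as well. Validate's body starts and ends outside the hunk.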
@@ -1546,7 +1569,7 @@ func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error {
 "auditW": sets.New[string](),
 }
- for i, vfa := range s.GetValidationFailureActionOverrides() {
+ for i, vfa := range validationFailureActionOverrides {
 if !vfa.Action.IsValid() {
 return fmt.Errorf("invalid action")
 }
diff --git a/pkg/webhooks/resource/handlers.go b/pkg/webhooks/resource/handlers.go
index 34c3b8a670..b41612f6f0 100644
--- a/pkg/webhooks/resource/handlers.go
+++ b/pkg/webhooks/resource/handlers.go
@@ -141,28 +141,40 @@ func (h *resourceHandlers) Validate(ctx context.Context, logger logr.Logger, req
 var ok bool
 var msg string
 var warnings []string
+ var enforceResponses []engineapi.EngineResponse
 wg.Add(1)
 go func() {
 defer wg.Done()
- ok, msg, warnings = vh.HandleValidationEnforce(ctx, request, policies, startTime)
+ ok, msg, warnings, enforceResponses = vh.HandleValidationEnforce(ctx, request, policies, startTime)
 }()
- go h.auditPool.Submit(func() {
- vh.HandleValidationAudit(ctx, request)
- })
 if !admissionutils.IsDryRun(request.AdmissionRequest) {
 h.handleBackgroundApplies(ctx, logger, request, generatePolicies, mutatePolicies, startTime, nil)
 }
- if len(policies) == 0 {
- return admissionutils.ResponseSuccess(request.UID)
- }
 wg.Wait()
 if !ok {
 logger.Info("admission request denied")
+ events := webhookutils.GenerateEvents(enforceResponses, true)
+ h.eventGen.Add(events...)
 return admissionutils.Response(request.UID, errors.New(msg), warnings...)
 }
+ go h.auditPool.Submit(func() {
+ auditResponses := vh.HandleValidationAudit(ctx, request)
+ var events []event.Info
+ switch {
+ case len(auditResponses) == 0:
+ events = webhookutils.GenerateEvents(enforceResponses, false)
+ case len(enforceResponses) == 0:
+ events = webhookutils.GenerateEvents(auditResponses, false)
+ default:
+ responses := mergeEngineResponses(auditResponses, enforceResponses)
+ events = webhookutils.GenerateEvents(responses, false)
+ }
+
+ h.eventGen.Add(events...)
+ })
 return admissionutils.ResponseSuccess(request.UID, warnings...)
 }
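Review bot: After `wg.Wait()` a denied request returns before `go h.auditPool.Submit(...)`, so Audit-mode policies are no longer evaluated, and produce no events or admission reports, for a request that an Enforce policy denies; the removed code submitted the audit job unconditionally. If that is the intent (the resource is never admitted, so only the enforce denial is recorded), say so above the `if !ok` block, e.g. `// denied requests are not audited: the object is never admitted, only the enforce denial is recorded`; if not, the submit has to move back before the wait. Removing the `len(policies) == 0` early return also means every request with no enforce policies now queues an audit job and a zero-length GenerateEvents call, which looks harmless but is a behaviour change worth a sentence in the description. The enclosing Validate method continues outside the hunk.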
@@ -310,3 +322,34 @@ func filterPolicies(ctx context.Context, failurePolicy string, policies ...kyver
 }
 return results
 }
+
+func mergeEngineResponses(auditResponses, enforceResponses []engineapi.EngineResponse) []engineapi.EngineResponse {
+ responseMap := make(map[string]engineapi.EngineResponse)
+ var responses []engineapi.EngineResponse
+
+ for _, enforceResponse := range enforceResponses {
+ responseMap[enforceResponse.Policy().GetName()] = enforceResponse
+ }
+
+ for _, auditResponse := range auditResponses {
+ policyName := auditResponse.Policy().GetName()
+ if enforceResponse, exists := responseMap[policyName]; exists {
+ response := auditResponse
+ for _, ruleResponse := range enforceResponse.PolicyResponse.Rules {
+ response.PolicyResponse.Add(ruleResponse.Stats(), ruleResponse)
+ }
+ responses = append(responses, response)
+ delete(responseMap, policyName)
+ } else {
+ responses = append(responses, auditResponse)
+ }
+ }
+
+ if len(responseMap) != 0 {
+ for _, enforceResponse := range responseMap {
+ responses = append(responses, enforceResponse)
+ }
+ }
+
+ return responses
+}
diff --git a/pkg/webhooks/resource/validation/validation.go b/pkg/webhooks/resource/validation/validation.go
index 0876577b56..ffec49f538 100644
--- a/pkg/webhooks/resource/validation/validation.go
+++ b/pkg/webhooks/resource/validation/validation.go
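Review bot: mergeEngineResponses keys `responseMap` on `Policy().GetName()` alone, so a namespaced Policy and a ClusterPolicy, or two Policies in different namespaces, that share a name have their rule responses folded into one entry and the resulting events are attributed to a single policy; keying on namespace and name together (if the policy accessor exposes the namespace, which is not visible here) keeps them apart. The leftover enforce-only entries are appended in map iteration order, so event order is nondeterministic for those, and the `if len(responseMap) != 0` guard around the `range` is redundant. `response := auditResponse` followed by `response.PolicyResponse.Add(...)` also mutates a copy whose PolicyResponse may share storage with the input; whether that is safe depends on Add, which is outside this diff. A doc comment such as `// mergeEngineResponses combines audit and enforce responses per policy; enforce rule responses are appended to the matching audit response, unmatched enforce responses are kept as-is.` would help the next reader.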
@@ -31,8 +31,8 @@ type ValidationHandler interface {
 // HandleValidation handles validating webhook admission request
 // If there are no errors in validating rule we apply generation rules
 // patchedResource is the (resource + patches) after applying mutation rules
- HandleValidationEnforce(context.Context, handlers.AdmissionRequest, []kyvernov1.PolicyInterface, time.Time) (bool, string, []string)
- HandleValidationAudit(context.Context, handlers.AdmissionRequest)
+ HandleValidationEnforce(context.Context, handlers.AdmissionRequest, []kyvernov1.PolicyInterface, time.Time) (bool, string, []string, []engineapi.EngineResponse)
+ HandleValidationAudit(context.Context, handlers.AdmissionRequest) []engineapi.EngineResponse
 }
 func NewValidationHandler(
@@ -82,18 +82,18 @@ func (v *validationHandler) HandleValidationEnforce(
 request handlers.AdmissionRequest,
 policies []kyvernov1.PolicyInterface,
 admissionRequestTimestamp time.Time,
-) (bool, string, []string) {
+) (bool, string, []string, []engineapi.EngineResponse) {
 resourceName := admissionutils.GetResourceName(request.AdmissionRequest)
 logger := v.log.WithValues("action", "validate", "resource", resourceName, "operation", request.Operation, "gvk", request.Kind)
 if len(policies) == 0 {
- return true, "", nil
+ return true, "", nil, nil
 }
 policyContext, err := v.buildPolicyContextFromAdmissionRequest(logger, request)
 if err != nil {
 msg := fmt.Sprintf("failed to create policy context: %v", err)
- return false, msg, nil
+ return false, msg, nil, nil
 }
 var engineResponses []engineapi.EngineResponse
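Review bot: The interface comment above HandleValidationEnforce still describes the old contract and says nothing about the new fourth result or about HandleValidationAudit's return value, which is now what the webhook handler uses to emit events and merge audit with enforce results. Suggest adding `// Both methods return the engine responses they produced so the caller can generate events; HandleValidationAudit returns nil when no audit policies apply or the policy context cannot be built.` The same applies to the method definition hunk below it.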
@@ -118,7 +118,7 @@ func (v *validationHandler) HandleValidationEnforce(
 engineResponses = append(engineResponses, engineResponse)
 if !engineResponse.IsSuccessful() {
- logger.V(2).Info("validation failed", "action", policy.GetSpec().GetValidationFailureAction(), "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
+ logger.V(2).Info("validation failed", "action", "Enforce", "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
 return
 }
@@ -130,12 +130,10 @@ func (v *validationHandler) HandleValidationEnforce(
 }
 blocked := webhookutils.BlockRequest(engineResponses, failurePolicy, logger)
- events := webhookutils.GenerateEvents(engineResponses, blocked)
- v.eventGen.Add(events...)
 if blocked {
 logger.V(4).Info("admission request blocked")
- return false, webhookutils.GetBlockedMessages(engineResponses), nil
+ return false, webhookutils.GetBlockedMessages(engineResponses), nil, engineResponses
 }
 go func() {
@@ -147,37 +145,36 @@ func (v *validationHandler) HandleValidationEnforce(
 }()
 warnings := webhookutils.GetWarningMessages(engineResponses)
- return true, "", warnings
+ return true, "", warnings, engineResponses
 }
 func (v *validationHandler) HandleValidationAudit(
 ctx context.Context,
 request handlers.AdmissionRequest,
-) {
+) []engineapi.EngineResponse {
 gvr := schema.GroupVersionResource(request.Resource)
 policies := v.pCache.GetPolicies(policycache.ValidateAudit, gvr, request.SubResource, request.Namespace)
 if len(policies) == 0 {
- return
+ return nil
 }
 policyContext, err := v.buildPolicyContextFromAdmissionRequest(v.log, request)
 if err != nil {
 v.log.Error(err, "failed to build policy context")
- return
+ return nil
 }
+ var responses []engineapi.EngineResponse
 needsReport := needsReports(request, policyContext.NewResource(), v.admissionReports)
 tracing.Span(
 context.Background(),
 "",
 fmt.Sprintf("AUDIT %s %s", request.Operation, request.Kind),
 func(ctx context.Context, span trace.Span) {
- responses, err := v.buildAuditResponses(ctx, policyContext, policies)
+ responses, err = v.buildAuditResponses(ctx, policyContext, policies)
 if err != nil {
 v.log.Error(err, "failed to build audit responses")
 }
- events := webhookutils.GenerateEvents(responses, false)
- v.eventGen.Add(events...)
 if needsReport {
 if err := v.createReports(ctx, policyContext.NewResource(), request, responses...); err != nil {
 v.log.Error(err, "failed to create report")
@@ -186,6 +183,7 @@ func (v *validationHandler) HandleValidationAudit(
 },
 trace.WithLinks(trace.LinkFromContext(ctx)),
 )
+ return responses
 }
 func (v *validationHandler) buildAuditResponses(
diff --git a/test/cli/apply/policies-set/policy.yaml b/test/cli/apply/policies-set/policy.yaml
index 4ae9bdacb4..540c3ee5b3 100644
--- a/test/cli/apply/policies-set/policy.yaml
+++ b/test/cli/apply/policies-set/policy.yaml
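Review bot: `responses` is assigned inside the callback handed to tracing.Span and returned only after the call, so HandleValidationAudit's new return value is correct only if Span invokes the callback synchronously, which this diff does not show; a one-line comment on the `var responses` declaration, `// populated inside the Span callback, which runs synchronously`, records the assumption. The change from `:=` to `=` also reuses the `err` from buildPolicyContextFromAdmissionRequest while the nested `if err := v.createReports(...)` still shadows it, which is a mixed style within one function; declaring `var err error` next to `responses` or keeping the inner shadow consistent would settle it. HandleValidationAudit's body continues into the next hunk.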
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: enforce-label spec: - validationFailureAction: Audit background: false rules: - name: enforce-label @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: "The foo label must be set." pattern: metadata: diff --git a/test/cli/apply/policies/policy.yaml b/test/cli/apply/policies/policy.yaml index 19f0e79edf..b463427a85 100644 --- a/test/cli/apply/policies/policy.yaml +++ b/test/cli/apply/policies/policy.yaml @@ -19,12 +19,12 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -48,6 +48,7 @@ spec: operator: NotEquals value: DELETE validate: + validationFailureAction: Audit foreach: - deny: conditions: @@ -57,4 +58,3 @@ spec: value: '{{ element.securityContext.capabilities.drop || '''' }}' list: request.object.spec.[ephemeralContainers, initContainers, containers][] message: Containers must drop `ALL` capabilities. - validationFailureAction: Audit diff --git a/test/cli/registry/image-example.yaml b/test/cli/registry/image-example.yaml index a8b31d924a..f4c0945c10 100644 --- a/test/cli/registry/image-example.yaml +++ b/test/cli/registry/image-example.yaml @@ -19,6 +19,7 @@ spec: operator: NotEquals value: DELETE validate: + validationFailureAction: Enforce foreach: - context: - imageRegistry: @@ -35,7 +36,6 @@ spec: value: ghcr.io list: request.object.spec.containers message: images with root user are not allowed - validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -57,6 +57,7 @@ spec: operator: NotEquals value: DELETE validate: + validationFailureAction: Enforce foreach: - context: - imageRegistry: 
@@ -76,4 +77,3 @@ spec: list: request.object.spec.containers message: Images must specify a source/base image from which they are built to be valid. - validationFailureAction: Enforce diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml index 316ef02466..3d77f9a5bb 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml @@ -14,10 +14,10 @@ spec: - Pod name: validate-default-proc-mount validate: + validationFailureAction: Audit message: Default proc mount should set to Unmasked pattern: spec: containers: - securityContext: procMount: Unmasked - validationFailureAction: Audit diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml index fd72d55863..485622f617 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml @@ -14,6 +14,7 @@ spec: - Pod name: validate-selinux-options validate: + validationFailureAction: Audit message: SELinux level is required pattern: spec: @@ -21,4 +22,3 @@ spec: - securityContext: seLinuxOptions: level: ?* - validationFailureAction: Audit diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml index d005b24178..79f7a08fb0 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml @@ -14,6 +14,7 @@ spec: - Pod name: validate-volumes-whitelist validate: + validationFailureAction: Audit anyPattern: - spec: volumes: 
@@ -25,4 +26,3 @@ spec: volumes: - configMap: '*' message: Volume type is not of type hostPath, emptyDir, or configMap. - validationFailureAction: Audit diff --git a/test/cli/test-exceptions/exceptions-1/policy.yaml b/test/cli/test-exceptions/exceptions-1/policy.yaml index c4ee436ac1..e205e46575 100644 --- a/test/cli/test-exceptions/exceptions-1/policy.yaml +++ b/test/cli/test-exceptions/exceptions-1/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-namespaces spec: - validationFailureAction: Enforce background: false rules: - name: host-namespaces @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: >- Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. diff --git a/test/cli/test-exceptions/exceptions-2/policy.yaml b/test/cli/test-exceptions/exceptions-2/policy.yaml index 2e66ed1429..e80f7806ce 100644 --- a/test/cli/test-exceptions/exceptions-2/policy.yaml +++ b/test/cli/test-exceptions/exceptions-2/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: max-containers spec: - validationFailureAction: Enforce background: false rules: - name: max-two-containers @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: "A maximum of 2 containers are allowed inside a Pod." deny: conditions: diff --git a/test/cli/test-exceptions/exceptions-3/policy.yaml b/test/cli/test-exceptions/exceptions-3/policy.yaml index 863539b590..17ddd65449 100644 --- a/test/cli/test-exceptions/exceptions-3/policy.yaml +++ b/test/cli/test-exceptions/exceptions-3/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest 
diff --git a/test/cli/test-exceptions/exceptions-deprecated/exception.yaml b/test/cli/test-exceptions/exceptions-deprecated/exception.yaml new file mode 100644 index 0000000000..93dd81a83c --- /dev/null +++ b/test/cli/test-exceptions/exceptions-deprecated/exception.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: delta-exception + namespace: delta +spec: + exceptions: + - policyName: disallow-host-namespaces + ruleNames: + - host-namespaces + - autogen-host-namespaces + match: + any: + - resources: + kinds: + - Pod + - Deployment + namespaces: + - delta + names: + - important-tool* diff --git a/test/cli/test-exceptions/exceptions-deprecated/kyverno-test.yaml b/test/cli/test-exceptions/exceptions-deprecated/kyverno-test.yaml new file mode 100644 index 0000000000..a27939d26d --- /dev/null +++ b/test/cli/test-exceptions/exceptions-deprecated/kyverno-test.yaml @@ -0,0 +1,29 @@ +apiVersion: cli.kyverno.io/v1alpha1 +exceptions: +- exception.yaml +kind: Test +metadata: + name: kyverno-test +policies: +- policy.yaml +resources: +- resources.yaml +results: +- kind: Deployment + policy: disallow-host-namespaces + resources: + - bad-deployment + result: fail + rule: autogen-host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - good-deployment + result: pass + rule: autogen-host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - important-tool + result: skip + rule: autogen-host-namespaces diff --git a/test/cli/test-exceptions/exceptions-deprecated/policy.yaml b/test/cli/test-exceptions/exceptions-deprecated/policy.yaml new file mode 100644 index 0000000000..bb51da0229 --- /dev/null +++ b/test/cli/test-exceptions/exceptions-deprecated/policy.yaml 
@@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: disallow-host-namespaces +spec: + background: false + validationFailureAction: Enforce + rules: + - name: host-namespaces + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Sharing the host namespaces is disallowed. The fields spec.hostNetwork, + spec.hostIPC, and spec.hostPID must be unset or set to `false`. + pattern: + spec: + =(hostPID): "false" + =(hostIPC): "false" + =(hostNetwork): "false" diff --git a/test/cli/test-exceptions/exceptions-deprecated/resources.yaml b/test/cli/test-exceptions/exceptions-deprecated/resources.yaml new file mode 100644 index 0000000000..d416eb55ef --- /dev/null +++ b/test/cli/test-exceptions/exceptions-deprecated/resources.yaml @@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: important-tool + namespace: delta + labels: + app: busybox +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + hostIPC: true + containers: + - image: busybox:1.35 + name: busybox + command: ["sleep", "1d"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bad-deployment + labels: + app: busybox +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + hostIPC: true + containers: + - image: busybox:1.35 + name: busybox + command: ["sleep", "1d"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: good-deployment + labels: + app: busybox +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + hostIPC: false + containers: + - image: busybox:1.35 + name: busybox + command: ["sleep", "1d"] diff --git a/test/cli/test-fail/invalid-ns-deprecated/kyverno-test.yaml b/test/cli/test-fail/invalid-ns-deprecated/kyverno-test.yaml new file mode 100644 index 0000000000..c1dc942597 --- /dev/null 
+++ b/test/cli/test-fail/invalid-ns-deprecated/kyverno-test.yaml @@ -0,0 +1,15 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- policy.yaml +resources: +- resources.yaml +results: +- kind: Namespace + policy: restrict-labels + resources: + - kyverno-system-tst + result: fail + rule: restrict-labels diff --git a/test/cli/test-fail/invalid-ns-deprecated/policy.yaml b/test/cli/test-fail/invalid-ns-deprecated/policy.yaml new file mode 100644 index 0000000000..5fa1223a34 --- /dev/null +++ b/test/cli/test-fail/invalid-ns-deprecated/policy.yaml @@ -0,0 +1,39 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + policies.kyverno.io/category: Labels + policies.kyverno.io/description: This policy prevents the use of an label beginning + with a common key name (in this case "platform.das-schiff.telekom.de/owner | + owner"). This can be useful to ensure users either don't set reserved labels + or to force them to use a newer version of an label. + policies.kyverno.io/minversion: 1.3.0 + policies.kyverno.io/title: Restrict Labels on Namespaces + labels: + policy.schiff.telekom.de: enforced + name: restrict-labels +spec: + admission: true + background: false + validationFailureAction: Enforce + rules: + - exclude: + any: + - clusterRoles: + - cluster-admin + resources: {} + match: + any: + - resources: + kinds: + - Namespace + name: restrict-labels + validate: + message: Every namespace has to have `platform.das-schiff.telekom.de/owner` + label. It must not have value `das-schiff` which is reserved for system namespaces + pattern: + metadata: + labels: + =(schiff.telekom.de/owner): '!schiff' + platform.das-schiff.telekom.de/owner: '!das-schiff' diff --git a/test/cli/test-fail/invalid-ns-deprecated/resources.yaml b/test/cli/test-fail/invalid-ns-deprecated/resources.yaml new file mode 100644 index 0000000000..c51350cc7a --- /dev/null +++ b/test/cli/test-fail/invalid-ns-deprecated/resources.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno-system-tst + labels: + name: kyverno-system-tst + schiff.telekom.de/owner: schiff + platform.das-schiff.telekom.de/owner: das-schiff \ No newline at end of file diff --git a/test/cli/test-fail/invalid-ns/policy.yaml b/test/cli/test-fail/invalid-ns/policy.yaml index 054dfbb785..f7c36cc57c 100644 --- a/test/cli/test-fail/invalid-ns/policy.yaml +++ b/test/cli/test-fail/invalid-ns/policy.yaml @@ -36,4 +36,4 @@ spec: labels: =(schiff.telekom.de/owner): '!schiff' platform.das-schiff.telekom.de/owner: '!das-schiff' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test-fail/missing-policy/policy.yaml b/test/cli/test-fail/missing-policy/policy.yaml index 0402a21916..1d23fdcbc1 100644 --- a/test/cli/test-fail/missing-policy/policy.yaml +++ b/test/cli/test-fail/missing-policy/policy.yaml @@ -21,6 +21,7 @@ spec: - test name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -40,4 +41,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test-fail/missing-resource/policy.yaml b/test/cli/test-fail/missing-resource/policy.yaml index 0402a21916..1d23fdcbc1 100644 --- a/test/cli/test-fail/missing-resource/policy.yaml +++ b/test/cli/test-fail/missing-resource/policy.yaml @@ -21,6 +21,7 @@ spec: - test name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -40,4 +41,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test-fail/missing-rule/policy.yaml b/test/cli/test-fail/missing-rule/policy.yaml index 0402a21916..1d23fdcbc1 100644 --- a/test/cli/test-fail/missing-rule/policy.yaml +++ b/test/cli/test-fail/missing-rule/policy.yaml 
@@ -21,6 +21,7 @@ spec: - test name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -40,4 +41,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test-generate/add-network-policy/policy.yaml b/test/cli/test-generate/add-network-policy/policy.yaml index 2591e87b6c..45b95c64d8 100644 --- a/test/cli/test-generate/add-network-policy/policy.yaml +++ b/test/cli/test-generate/add-network-policy/policy.yaml @@ -38,4 +38,3 @@ spec: kinds: - Namespace name: default-deny - validationFailureAction: Audit diff --git a/test/cli/test-generate/add-quota/policy.yaml b/test/cli/test-generate/add-quota/policy.yaml index 7d31290c19..a3bb58045f 100644 --- a/test/cli/test-generate/add-quota/policy.yaml +++ b/test/cli/test-generate/add-quota/policy.yaml @@ -57,4 +57,3 @@ spec: kinds: - Namespace name: generate-limitrange - validationFailureAction: Audit diff --git a/test/cli/test-generate/clone-list/policy.yaml b/test/cli/test-generate/clone-list/policy.yaml index d2c5a02762..70e962c6fe 100644 --- a/test/cli/test-generate/clone-list/policy.yaml +++ b/test/cli/test-generate/clone-list/policy.yaml @@ -34,4 +34,3 @@ spec: kinds: - Namespace name: clone-list-labelled-secrets - validationFailureAction: Audit diff --git a/test/cli/test-generate/sync-secrets/policy.yaml b/test/cli/test-generate/sync-secrets/policy.yaml index 6b86f808a9..5ea6b2245f 100644 --- a/test/cli/test-generate/sync-secrets/policy.yaml +++ b/test/cli/test-generate/sync-secrets/policy.yaml @@ -32,4 +32,3 @@ spec: kinds: - Namespace name: sync-image-pull-secret - validationFailureAction: Audit diff --git a/test/cli/test-mutate/bug-demo/policy.yaml b/test/cli/test-mutate/bug-demo/policy.yaml index 91c93ec64e..852af73439 100644 --- a/test/cli/test-mutate/bug-demo/policy.yaml +++ b/test/cli/test-mutate/bug-demo/policy.yaml 
@@ -80,4 +80,3 @@ spec: to_string(@) }} name: mutate1 - validationFailureAction: Enforce diff --git a/test/cli/test-mutate/connection-draining/policy.yaml b/test/cli/test-mutate/connection-draining/policy.yaml index 6a1404bdf6..046248e96c 100644 --- a/test/cli/test-mutate/connection-draining/policy.yaml +++ b/test/cli/test-mutate/connection-draining/policy.yaml @@ -77,4 +77,3 @@ spec: - key: '{{ tg_attributes }}' operator: Equals value: "false" - validationFailureAction: Audit diff --git a/test/cli/test-mutate/foreach/addIfNotPresent/policies.yaml b/test/cli/test-mutate/foreach/addIfNotPresent/policies.yaml index 268928e6ab..098986bc4a 100644 --- a/test/cli/test-mutate/foreach/addIfNotPresent/policies.yaml +++ b/test/cli/test-mutate/foreach/addIfNotPresent/policies.yaml @@ -24,4 +24,3 @@ spec: +(sizeLimit): 20Mi name: '{{ element.name }}' name: setDefault - validationFailureAction: Audit diff --git a/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml b/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml index de7e0f426e..de5b569302 100644 --- a/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml +++ b/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml @@ -27,4 +27,3 @@ spec: op: add value: "100m" name: add-default-requests - validationFailureAction: Audit diff --git a/test/cli/test-mutate/foreach/policies.yaml b/test/cli/test-mutate/foreach/policies.yaml index 387d307561..cf0daf0df1 100644 --- a/test/cli/test-mutate/foreach/policies.yaml +++ b/test/cli/test-mutate/foreach/policies.yaml @@ -27,7 +27,6 @@ spec: - key: '{{ request.operation }}' operator: Equals value: CREATE - validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -53,4 +52,3 @@ spec: - image: registry.digitalocean.com/runlevl4/{{ images.containers."{{element.name}}".name}}:{{images.containers."{{element.name}}".tag}} name: '{{ element.name }}' name: test - validationFailureAction: Audit 
diff --git a/test/cli/test-mutate/patched-resource/policy.yaml b/test/cli/test-mutate/patched-resource/policy.yaml index 0e1164c84d..faba76ec40 100644 --- a/test/cli/test-mutate/patched-resource/policy.yaml +++ b/test/cli/test-mutate/patched-resource/policy.yaml @@ -29,4 +29,3 @@ spec: value: - CREATE - UPDATE - validationFailureAction: Audit diff --git a/test/cli/test-mutate/policy.yaml b/test/cli/test-mutate/policy.yaml index 5ae8d7a10e..39329b16f8 100644 --- a/test/cli/test-mutate/policy.yaml +++ b/test/cli/test-mutate/policy.yaml @@ -43,7 +43,6 @@ spec: - key: not-the-name operator: AllIn value: '{{ request.object.metadata.labels | keys(@) }}' - validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: Policy @@ -75,7 +74,6 @@ spec: - name: ndots value: "1" name: add-ndots - validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -104,4 +102,3 @@ spec: op: replace value: {{ annotations }} name: object_from_lists - validationFailureAction: Audit diff --git a/test/cli/test/admission_user_info/disallow_latest_tag.yaml b/test/cli/test/admission_user_info/disallow_latest_tag.yaml index d31ac874dd..c5e12d0936 100644 --- a/test/cli/test/admission_user_info/disallow_latest_tag.yaml +++ b/test/cli/test/admission_user_info/disallow_latest_tag.yaml @@ -21,6 +21,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -33,9 +34,9 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Audit diff --git a/test/cli/test/admission_user_info_deprecated/disallow_latest_tag.yaml b/test/cli/test/admission_user_info_deprecated/disallow_latest_tag.yaml new file mode 100644 index 0000000000..9b5c5c1bf1 --- /dev/null +++ b/test/cli/test/admission_user_info_deprecated/disallow_latest_tag.yaml 
@@ -0,0 +1,41 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + policies.kyverno.io/category: Best Practices + policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead + to unexpected errors if the image changes. A best practice is to use an immutable + tag that maps to a specific version of an application pod. ' + name: disallow-latest-tag +spec: + validationFailureAction: Audit + admission: true + background: false + rules: + - match: + any: + - clusterRoles: + - cluster-admin + resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/cli/test/admission_user_info_deprecated/kyverno-test.yaml b/test/cli/test/admission_user_info_deprecated/kyverno-test.yaml new file mode 100644 index 0000000000..0ab6def4a2 --- /dev/null +++ b/test/cli/test/admission_user_info_deprecated/kyverno-test.yaml @@ -0,0 +1,26 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- disallow_latest_tag.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod1 + - myapp-pod2 + - myapp-pod3 + result: pass + rule: require-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod1 + - myapp-pod2 + - myapp-pod3 + result: pass + rule: validate-image-tag +userinfo: user_info.yaml diff --git a/test/cli/test/admission_user_info_deprecated/resource.yaml b/test/cli/test/admission_user_info_deprecated/resource.yaml new file mode 100644 index 0000000000..3decae1d6e --- /dev/null +++ b/test/cli/test/admission_user_info_deprecated/resource.yaml 
@@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod1 + labels: + app: myapp1 +spec: + containers: + - name: nginx + image: nginx:1.12 + +--- +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod2 + labels: + app: myapp2 +spec: + containers: + - name: nginx + image: nginx:1.12 + +--- +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod3 + labels: + app: myapp3 +spec: + containers: + - name: nginx + image: ngnix:1.12 diff --git a/test/cli/test/admission_user_info_deprecated/user_info.yaml b/test/cli/test/admission_user_info_deprecated/user_info.yaml new file mode 100644 index 0000000000..0ce75489fc --- /dev/null +++ b/test/cli/test/admission_user_info_deprecated/user_info.yaml @@ -0,0 +1,6 @@ +apiVersion: cli.kyverno.io/v1alpha1 +clusterRoles: +- cluster-admin +kind: UserInfo +userInfo: + username: molybdenum@somecorp.com diff --git a/test/cli/test/any-all-wildcard-deprecated/kyverno-test.yaml b/test/cli/test/any-all-wildcard-deprecated/kyverno-test.yaml new file mode 100644 index 0000000000..f3574e0b8f --- /dev/null +++ b/test/cli/test/any-all-wildcard-deprecated/kyverno-test.yaml @@ -0,0 +1,16 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- policy.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: disallow-protected-namespaces + resources: + - namespace2/test2 + - namespace1/test1 + result: fail + rule: disallow diff --git a/test/cli/test/any-all-wildcard-deprecated/policy.yaml b/test/cli/test/any-all-wildcard-deprecated/policy.yaml new file mode 100644 index 0000000000..f0710ff945 --- /dev/null +++ b/test/cli/test/any-all-wildcard-deprecated/policy.yaml 
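Review bot: The third pod in resource.yaml uses `image: ngnix:1.12`, which looks like a misspelling of `nginx:1.12` rather than a deliberately different image (if this file was copied from the non-deprecated fixture, the typo was inherited). Both rules in disallow_latest_tag.yaml pass on either spelling, so the test cannot tell the two intents apart; change it to `image: nginx:1.12`, or add a comment stating that a non-nginx image is intended.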
@@ -0,0 +1,22 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-protected-namespaces +spec: + validationFailureAction: Enforce + admission: true + background: false + rules: + - match: + all: + - resources: + kinds: + - '*' + namespaces: + - namespace1 + - namespace2 + name: disallow + validate: + deny: {} + message: This resource is protected and changes are not allowed. diff --git a/test/cli/test/any-all-wildcard-deprecated/resource.yaml b/test/cli/test/any-all-wildcard-deprecated/resource.yaml new file mode 100644 index 0000000000..1181287739 --- /dev/null +++ b/test/cli/test/any-all-wildcard-deprecated/resource.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test1 + namespace: namespace1 +spec: + containers: + - name: nginx + image: nginx:latest + +--- +apiVersion: v1 +kind: Pod +metadata: + name: test2 + namespace: namespace2 +spec: + containers: + - name: nginx + image: nginx + +--- +apiVersion: v1 +kind: Pod +metadata: + name: test3 + namespace: namespace3 +spec: + containers: + - name: nginx + image: nginx \ No newline at end of file diff --git a/test/cli/test/any-all-wildcard/policy.yaml b/test/cli/test/any-all-wildcard/policy.yaml index 10e0614362..aa3e6737f2 100644 --- a/test/cli/test/any-all-wildcard/policy.yaml +++ b/test/cli/test/any-all-wildcard/policy.yaml @@ -17,6 +17,6 @@ spec: - namespace2 name: disallow validate: + validationFailureAction: Enforce deny: {} message: This resource is protected and changes are not allowed. - validationFailureAction: Enforce diff --git a/test/cli/test/any-namespaceSelector-deprecated/kyverno-test.yaml b/test/cli/test/any-namespaceSelector-deprecated/kyverno-test.yaml new file mode 100644 index 0000000000..1548fce3f3 --- /dev/null +++ b/test/cli/test/any-namespaceSelector-deprecated/kyverno-test.yaml 
@@ -0,0 +1,16 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- policy.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: enforce-pod-name + resources: + - test1/test-nginx + result: pass + rule: validate-name +variables: value.yaml diff --git a/test/cli/test/any-namespaceSelector-deprecated/policy.yaml b/test/cli/test/any-namespaceSelector-deprecated/policy.yaml new file mode 100644 index 0000000000..273c5b6b9d --- /dev/null +++ b/test/cli/test/any-namespaceSelector-deprecated/policy.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: enforce-pod-name +spec: + validationFailureAction: Audit + admission: true + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + namespaceSelector: + matchExpressions: + - key: foo.com/managed-state + operator: In + values: + - managed + name: validate-name + validate: + message: The Pod must end with -nginx + pattern: + metadata: + name: '*-nginx' diff --git a/test/cli/test/any-namespaceSelector-deprecated/resource.yaml b/test/cli/test/any-namespaceSelector-deprecated/resource.yaml new file mode 100644 index 0000000000..23c2d7b9c9 --- /dev/null +++ b/test/cli/test/any-namespaceSelector-deprecated/resource.yaml @@ -0,0 +1,9 @@ +kind: Pod +apiVersion: v1 +metadata: + name: test-nginx + namespace: test1 +spec: + containers: + - name: nginx + image: nginx:latest diff --git a/test/cli/test/any-namespaceSelector-deprecated/value.yaml b/test/cli/test/any-namespaceSelector-deprecated/value.yaml new file mode 100644 index 0000000000..aa46c70378 --- /dev/null +++ b/test/cli/test/any-namespaceSelector-deprecated/value.yaml @@ -0,0 +1,6 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +namespaceSelector: +- labels: + foo.com/managed-state: managed + name: test1 diff --git a/test/cli/test/any-namespaceSelector/policy.yaml b/test/cli/test/any-namespaceSelector/policy.yaml index 07d514a365..e94ac81003 100644 
--- a/test/cli/test/any-namespaceSelector/policy.yaml +++ b/test/cli/test/any-namespaceSelector/policy.yaml @@ -20,8 +20,8 @@ spec: - managed name: validate-name validate: + validationFailureAction: Audit message: The Pod must end with -nginx pattern: metadata: name: '*-nginx' - validationFailureAction: Audit diff --git a/test/cli/test/anypattern_skip_error/policy.yaml b/test/cli/test/anypattern_skip_error/policy.yaml index 71cfbdde27..429682d339 100644 --- a/test/cli/test/anypattern_skip_error/policy.yaml +++ b/test/cli/test/anypattern_skip_error/policy.yaml @@ -14,6 +14,7 @@ spec: - Service name: check-loadbalancer-public validate: + validationFailureAction: Enforce anyPattern: - metadata: annotations: @@ -26,4 +27,3 @@ spec: message: Service of type 'LoadBalancer' is public and does not explicitly define network security. To use a public LB you must supply either spec[loadBalancerSourceRanges] or the 'service.beta.kubernetes.io/aws-load-balancer-security-groups' annotation. - validationFailureAction: Enforce diff --git a/test/cli/test/autogen-values/policy.yaml b/test/cli/test/autogen-values/policy.yaml index 93dddb86f5..a676919ef4 100644 --- a/test/cli/test/autogen-values/policy.yaml +++ b/test/cli/test/autogen-values/policy.yaml @@ -28,4 +28,4 @@ spec: validate: message: Do nothing! pattern: {} - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/autogen/policy.yaml b/test/cli/test/autogen/policy.yaml index 66c931e466..654bd3a764 100644 --- a/test/cli/test/autogen/policy.yaml +++ b/test/cli/test/autogen/policy.yaml @@ -14,10 +14,10 @@ spec: - Pod name: check-for-labels validate: + validationFailureAction: Enforce message: Both `app` and `owner` labels must be set on all workloads pattern: metadata: labels: app: ?* owner: ?* - validationFailureAction: Enforce 
diff --git a/test/cli/test/cel-preconditions-deprecated/disallow-host-path.yaml b/test/cli/test/cel-preconditions-deprecated/disallow-host-path.yaml new file mode 100644 index 0000000000..335c4c9bc6 --- /dev/null +++ b/test/cli/test/cel-preconditions-deprecated/disallow-host-path.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path +spec: + background: false + validationFailureAction: Audit + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Pod + celPreconditions: + - expression: "object.metadata.labels['color'] == 'red'" + name: "Label should be red" + validate: + cel: + expressions: + - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset." diff --git a/test/cli/test/cel-preconditions-deprecated/kyverno-test.yaml b/test/cli/test/cel-preconditions-deprecated/kyverno-test.yaml new file mode 100644 index 0000000000..2af80d4084 --- /dev/null +++ b/test/cli/test/cel-preconditions-deprecated/kyverno-test.yaml @@ -0,0 +1,27 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- disallow-host-path.yaml +resources: +- resources.yaml +results: +- kind: Pod + policy: disallow-host-path + resources: + - bad-pod + result: fail + rule: host-path +- kind: Pod + policy: disallow-host-path + resources: + - good-pod + result: pass + rule: host-path +- kind: Pod + policy: disallow-host-path + resources: + - skipped-pod + result: skip + rule: host-path diff --git a/test/cli/test/cel-preconditions-deprecated/resources.yaml b/test/cli/test/cel-preconditions-deprecated/resources.yaml new file mode 100644 index 0000000000..5fe865c154 --- /dev/null +++ b/test/cli/test/cel-preconditions-deprecated/resources.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +kind: Pod +metadata: + name: skipped-pod + labels: + color: blue +spec: + containers: + - name: nginx-container + image: nginx:latest + volumeMounts: + - name: hostpath-volume + mountPath: /var/www/html + volumes: + - name: hostpath-volume + hostPath: + path: /var/log +--- +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod + labels: + color: red +spec: + containers: + - name: nginx-container + image: nginx:latest + volumeMounts: + - name: hostpath-volume + mountPath: /var/www/html + volumes: + - name: hostpath-volume + hostPath: + path: /var/log +--- +apiVersion: v1 +kind: Pod +metadata: + name: good-pod + labels: + color: red +spec: + containers: + - name: nginx-container + image: nginx:latest + volumeMounts: + - name: hostpath-volume + mountPath: /var/www/html + volumes: + - name: hostpath-volume + emptyDir: {} diff --git a/test/cli/test/cel-preconditions/disallow-host-path.yaml b/test/cli/test/cel-preconditions/disallow-host-path.yaml index 924c501cbb..0fd6663ff4 100644 --- a/test/cli/test/cel-preconditions/disallow-host-path.yaml +++ b/test/cli/test/cel-preconditions/disallow-host-path.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -16,6 +15,7 @@ spec: - expression: "object.metadata.labels['color'] == 'red'" name: "Label should be red" validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/cli/test/check-deployment-namespace-cel/policy.yaml b/test/cli/test/check-deployment-namespace-cel/policy.yaml index d50a913abd..d54a0fc2e0 100644 --- a/test/cli/test/check-deployment-namespace-cel/policy.yaml +++ b/test/cli/test/check-deployment-namespace-cel/policy.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-default-namespace spec: - validationFailureAction: Audit background: true rules: - name: validate-deployment-namespace @@ -13,6 +12,7 @@ spec: kinds: - Deployment validate: + validationFailureAction: Audit cel: expressions: - expression: "namespaceObject.metadata.name != 'default'" diff --git a/test/cli/test/container_reorder/policy.yml b/test/cli/test/container_reorder/policy.yml index d769e6df8d..879965e282 100644 --- a/test/cli/test/container_reorder/policy.yml +++ b/test/cli/test/container_reorder/policy.yml @@ -32,4 +32,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/context-entries/policies.yaml b/test/cli/test/context-entries/policies.yaml index 3491be0465..7d393b574f 100644 --- a/test/cli/test/context-entries/policies.yaml +++ b/test/cli/test/context-entries/policies.yaml @@ -21,6 +21,7 @@ spec: - Pod name: defined-value validate: + validationFailureAction: Audit deny: conditions: - key: '{{ example.test.nested.value }}' @@ -37,6 +38,7 @@ spec: - Pod name: defined-jmespath validate: + validationFailureAction: Audit deny: conditions: - key: '{{ objName }}' @@ -54,6 +56,7 @@ spec: - Pod name: defined-jmespath-with-default validate: + validationFailureAction: Audit deny: conditions: - key: '{{ objName }}' @@ -71,6 +74,7 @@ spec: - Pod name: defined-value-with-variable validate: + validationFailureAction: Audit deny: conditions: - key: '{{ obj.name }}' @@ -88,6 +92,7 @@ spec: - Pod name: defined-jmespath-with-default-variable validate: + validationFailureAction: Audit deny: conditions: - key: '{{ objName }}' @@ -106,6 +111,7 @@ spec: - Pod name: defined-value-jmespath validate: + validationFailureAction: Audit deny: conditions: - key: '{{ objName }}' 
@@ -127,6 +133,7 @@ spec: - Pod name: defined-value-jmespath-variable validate: + validationFailureAction: Audit deny: conditions: - key: '{{ objName }}' @@ -148,6 +155,7 @@ spec: - Pod name: value-override validate: + validationFailureAction: Audit deny: conditions: any: @@ -170,6 +178,7 @@ spec: - Pod name: wildcard-match validate: + validationFailureAction: Audit deny: conditions: - key: A=* @@ -196,6 +205,7 @@ spec: - Pod name: items validate: + validationFailureAction: Audit deny: conditions: - key: '{{ obj }}' @@ -224,9 +234,9 @@ spec: - Pod name: unused-var validate: + validationFailureAction: Audit deny: conditions: - key: '{{ modifiedObj }}' operator: NotEqual value: '{{ expected }}' - validationFailureAction: Audit diff --git a/test/cli/test/context-foreach/policy.yaml b/test/cli/test/context-foreach/policy.yaml index f3d1af4cb6..c2cf2e89f6 100644 --- a/test/cli/test/context-foreach/policy.yaml +++ b/test/cli/test/context-foreach/policy.yaml @@ -14,6 +14,7 @@ spec: - Pod name: block-images validate: + validationFailureAction: Audit foreach: - context: - imageRegistry: @@ -26,4 +27,3 @@ spec: value: '{{ element.name }}' list: request.object.spec.containers message: Images containing built-in volumes are prohibited. - validationFailureAction: Audit diff --git a/test/cli/test/custom-functions/policy.yaml b/test/cli/test/custom-functions/policy.yaml index 3d8a0ec039..39daa7f61a 100644 --- a/test/cli/test/custom-functions/policy.yaml +++ b/test/cli/test/custom-functions/policy.yaml @@ -19,7 +19,7 @@ spec: - key: '{{base64_decode(request.object.data.value)}}' operator: NotEquals value: '{{request.object.metadata.labels.value}}' - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy 
@@ -42,7 +42,7 @@ spec: - key: '{{pattern_match(''prefix-*'', request.object.metadata.labels.value)}}' operator: Equals value: false - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -78,7 +78,7 @@ spec: - key: '{{ element.hostPath.path }}' operator: NotEquals value: "" - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -101,7 +101,7 @@ spec: operator: NotEquals value: b message: Test JMESPath - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -124,7 +124,7 @@ spec: operator: NotEquals value: a message: Test JMESPath - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -148,7 +148,7 @@ spec: value: '{{request.object.metadata.annotations.test | parse_yaml(@).array }}' message: Test JMESPath - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -175,4 +175,4 @@ spec: message: 'public key modulus mismatch: "{{ x509_decode(''{{request.object.data.cert}}'').PublicKey.N }}" != "{{ x509_decode(''{{base64_decode(''{{request.object.data.certB64}}'')}}'').PublicKey.N }}"' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/default_value_to_create/check-supplemental-groups.yaml b/test/cli/test/default_value_to_create/check-supplemental-groups.yaml index cae6766663..aa903ce9ab 100644 --- a/test/cli/test/default_value_to_create/check-supplemental-groups.yaml +++ b/test/cli/test/default_value_to_create/check-supplemental-groups.yaml @@ -39,4 +39,4 @@ spec: spec: =(securityContext): =(supplementalGroups): 100-200 | 500-600 - validationFailureAction: Audit + validationFailureAction: Audit 
diff --git a/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml b/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml index 7e2183f41e..d15bf4fceb 100644 --- a/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml +++ b/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml @@ -30,4 +30,4 @@ spec: deny: {} message: Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users. - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml b/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml index 8289c11dbd..3b53ed4c84 100644 --- a/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml +++ b/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml @@ -26,4 +26,4 @@ spec: deny: {} message: Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users. - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml b/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml index 31bd7b7e90..758a42a548 100644 --- a/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml +++ b/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml @@ -35,4 +35,4 @@ spec: deny: {} message: Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users. - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml b/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml index 8a228bc3a6..13b68836e8 100644 
--- a/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml +++ b/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny-pod-delete-match-opn-block spec: - validationFailureAction: Enforce background: false rules: - name: deny-pod-delete-match-opn-block @@ -15,6 +14,7 @@ spec: operations: - DELETE validate: + validationFailureAction: Enforce message: Pod cannot be deleted deny: {} diff --git a/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml b/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml index f532c01347..f0c0f18262 100644 --- a/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml +++ b/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny-pod-delete-validate-deny spec: - validationFailureAction: Enforce background: false rules: - name: deny-pod-delete-validate-deny @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: Pod cannot be deleted deny: conditions: diff --git a/test/cli/test/depecated_apis/policy.yaml b/test/cli/test/depecated_apis/policy.yaml index 74138799be..8a1e153a12 100644 --- a/test/cli/test/depecated_apis/policy.yaml +++ b/test/cli/test/depecated_apis/policy.yaml @@ -33,4 +33,4 @@ spec: deny: {} message: '{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/disallow-service/policy.yaml b/test/cli/test/disallow-service/policy.yaml index db8139f9d6..e48411f6ba 100644 --- a/test/cli/test/disallow-service/policy.yaml +++ b/test/cli/test/disallow-service/policy.yaml 
@@ -28,4 +28,4 @@ spec: anyPattern: - kind: '!Service' message: Can't create a service. Sorry... - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/exclude/policy.yaml b/test/cli/test/exclude/policy.yaml index 24e041062a..30a0d704ff 100644 --- a/test/cli/test/exclude/policy.yaml +++ b/test/cli/test/exclude/policy.yaml @@ -17,7 +17,6 @@ metadata: requests and memory limits. spec: background: true - validationFailureAction: enforce rules: - name: validate-resources match: @@ -37,6 +36,7 @@ spec: matchLabels: require-requests-limits.kyverno.io/exclude: "true" validate: + validationFailureAction: Enforce message: "CPU and memory resource requests and limits are required." pattern: spec: diff --git a/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml b/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml index b59d893b05..e8c9c08473 100644 --- a/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml +++ b/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml @@ -41,4 +41,4 @@ spec: operator: Equals value: "false" message: Exec'ing into Pods protected with the label `exec=false` is forbidden. - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/foreach-preconditions/policies.yaml b/test/cli/test/foreach-preconditions/policies.yaml index 2a6e7d3009..679f1a0a45 100644 --- a/test/cli/test/foreach-preconditions/policies.yaml +++ b/test/cli/test/foreach-preconditions/policies.yaml @@ -32,4 +32,4 @@ spec: operator: NotEquals value: "" message: Limits may not exceed 2.5x the requests. - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/foreach/policies.yaml b/test/cli/test/foreach/policies.yaml index fea5f29c46..8a985d60f9 100644 --- a/test/cli/test/foreach/policies.yaml +++ b/test/cli/test/foreach/policies.yaml 
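Review bot: The exclude/policy.yaml hunk replaces the only fixture that used the lowercase `enforce` spelling with `validationFailureAction: Enforce` under `validate:`, so no CLI test exercises lowercase values any more. The API change in this commit narrows the accepted enum to `Audit;Enforce`, which means existing policies written with `audit`/`enforce` will be rejected by schema validation once the CRD is upgraded; if the engine still normalises case, a fixture should keep covering that path, and if it does not, the break deserves an explicit mention in the release notes. Operationally this matters because a policy that fails to load no longer enforces anything.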
@@ -25,7 +25,7 @@ spec: - (name): '{{element.name}}' mountPath: /tmp/* message: emptyDir volumes must be mounted under /tmp - validationFailureAction: Audit + validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -56,7 +56,7 @@ spec: volumeMounts: - <(name): '{{element.name}}' message: ephemeral-storage requests and limits are required for emptyDir volumes - validationFailureAction: Audit + validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -82,7 +82,7 @@ spec: value: ghcr.io list: request.object.spec.containers[].image message: images must begin with ghcr.io - validationFailureAction: Audit + validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -109,4 +109,4 @@ spec: elementScope: true list: request.object.spec.containers[].image message: images must begin with ghcr.io - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/images/digest/policies.yaml b/test/cli/test/images/digest/policies.yaml index 71a4f0c512..395942f833 100644 --- a/test/cli/test/images/digest/policies.yaml +++ b/test/cli/test/images/digest/policies.yaml @@ -22,4 +22,4 @@ spec: required: false useCache: true verifyDigest: true - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/images/secure-images/policies.yaml b/test/cli/test/images/secure-images/policies.yaml index 76e4937254..909335ccef 100644 --- a/test/cli/test/images/secure-images/policies.yaml +++ b/test/cli/test/images/secure-images/policies.yaml @@ -23,5 +23,5 @@ spec: required: true useCache: true verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/cli/test/images/signatures/policies.yaml b/test/cli/test/images/signatures/policies.yaml index a945aefa6b..b2d8e649d6 100644 --- a/test/cli/test/images/signatures/policies.yaml +++ b/test/cli/test/images/signatures/policies.yaml 
@@ -36,4 +36,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/images/verify-signature/policies.yaml b/test/cli/test/images/verify-signature/policies.yaml index 66cbc630fb..23c307aa7a 100644 --- a/test/cli/test/images/verify-signature/policies.yaml +++ b/test/cli/test/images/verify-signature/policies.yaml @@ -37,7 +37,7 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -81,4 +81,4 @@ spec: required: true useCache: true verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/jmespath-brackets/policy.yaml b/test/cli/test/jmespath-brackets/policy.yaml index eb9da57499..df68bd08fb 100644 --- a/test/cli/test/jmespath-brackets/policy.yaml +++ b/test/cli/test/jmespath-brackets/policy.yaml @@ -26,7 +26,7 @@ spec: a: "1" test: "" message: All pod labels must match except test - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -51,4 +51,4 @@ spec: value: false message: For creating a namespace you need to set the objectid of the Azure AD Group that needs access to this namespace as the aadobjectid label - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml b/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml index c51244e970..c6bc85b85f 100644 --- a/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml +++ b/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml 
@@ -56,4 +56,4 @@ spec: - CREATE message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} resource is protected. Admin or allowed users can change the resource' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/manifests/verify-signature/policies.yaml b/test/cli/test/manifests/verify-signature/policies.yaml index eaac2339c2..24fa3fc4c2 100644 --- a/test/cli/test/manifests/verify-signature/policies.yaml +++ b/test/cli/test/manifests/verify-signature/policies.yaml @@ -16,6 +16,7 @@ spec: name: test* name: validate-yaml validate: + validationFailureAction: Enforce manifests: attestors: - count: 1 @@ -42,6 +43,7 @@ spec: name: test* name: validate-yaml-multi-sig validate: + validationFailureAction: Enforce manifests: attestors: - entries: @@ -59,5 +61,4 @@ spec: FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A== -----END PUBLIC KEY----- signatureAlgorithm: sha256 - validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/cli/test/mixed-deprecated/kyverno-test.yaml b/test/cli/test/mixed-deprecated/kyverno-test.yaml new file mode 100644 index 0000000000..7adbd64a61 --- /dev/null +++ b/test/cli/test/mixed-deprecated/kyverno-test.yaml @@ -0,0 +1,28 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- policy.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: ondemand + resources: + - user-foo/nodeselector-without-labels-on-mutation + result: fail + rule: ondemand-managed_by +- kind: Pod + policy: ondemand + resources: + - user-space/nodeselector-with-labels-on-mutation + result: pass + rule: ondemand-managed_by +- kind: Pod + patchedResource: patched-resource.yaml + policy: ondemand + resources: + - user-space/nodeselector-with-labels-on-mutation + result: pass + rule: ondemand-nodeselector 
diff --git a/test/cli/test/mixed-deprecated/patched-resource.yaml b/test/cli/test/mixed-deprecated/patched-resource.yaml new file mode 100644 index 0000000000..fb07e70fd3 --- /dev/null +++ b/test/cli/test/mixed-deprecated/patched-resource.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + app.kubernetes.io/managed-by: open-ondemand + name: nodeselector-with-labels-on-mutation + namespace: user-space +spec: + containers: + - image: nginx:latest + name: nginx + nodeSelector: + osc.edu/role: ondemand diff --git a/test/cli/test/mixed-deprecated/patched-resource1.yaml b/test/cli/test/mixed-deprecated/patched-resource1.yaml new file mode 100644 index 0000000000..d7e6415eee --- /dev/null +++ b/test/cli/test/mixed-deprecated/patched-resource1.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nodeselector-without-labels-on-mutation + labels: + app.kubernetes.io/managed-by: "open-xyz" + namespace: user-foo +spec: + containers: + - name: nginx + image: nginx:latest diff --git a/test/cli/test/mixed-deprecated/policy.yaml b/test/cli/test/mixed-deprecated/policy.yaml new file mode 100644 index 0000000000..260d62a4d1 --- /dev/null +++ b/test/cli/test/mixed-deprecated/policy.yaml 
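Review bot: `patched-resource1.yaml` is added here but nothing in the new `test/cli/test/mixed-deprecated/kyverno-test.yaml` on the previous line refers to it — the only `patchedResource` entry points at `patched-resource.yaml`, and the `nodeselector-without-labels-on-mutation` pod has no result entry for the `ondemand-nodeselector` mutate rule at all. Unless the CLI test runner picks up fixtures by filename convention, which I cannot confirm from this diff, the file is dead and should either be referenced from a result entry (`patchedResource: patched-resource1.yaml`) or dropped. If it was copied from the non-deprecated `mixed` directory the same question applies there.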
@@ -0,0 +1,43 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + policies.kyverno.io/description: 'This Policy contains two different types of + rules that is validate as well as mutate. The validate rule validate against + the mutation or patches added by the mutate rule whereas mutate rule adds label + for nodeSelector "osc.edu/role: ondemand".' + name: ondemand +spec: + validationFailureAction: Audit + admission: true + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + namespaces: + - user-?* + name: ondemand-managed_by + validate: + message: '{{ request.object.metadata.namespace }} pods must be managed by open-ondemand' + pattern: + metadata: + labels: + app.kubernetes.io/managed-by: open-ondemand + - match: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/managed-by: open-ondemand + mutate: + patchStrategicMerge: + spec: + nodeSelector: + osc.edu/role: ondemand + name: ondemand-nodeselector diff --git a/test/cli/test/mixed-deprecated/resource.yaml b/test/cli/test/mixed-deprecated/resource.yaml new file mode 100644 index 0000000000..325a551052 --- /dev/null +++ b/test/cli/test/mixed-deprecated/resource.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nodeselector-with-labels-on-mutation + labels: + app.kubernetes.io/managed-by: open-ondemand + namespace: user-space +spec: + containers: + - name: nginx + image: nginx:latest + +--- +apiVersion: v1 +kind: Pod +metadata: + name: nodeselector-without-labels-on-mutation + labels: + app.kubernetes.io/managed-by: "open-xyz" + namespace: user-foo +spec: + containers: + - name: nginx + image: nginx:latest \ No newline at end of file diff --git a/test/cli/test/mixed/policy.yaml b/test/cli/test/mixed/policy.yaml index b2835e78b3..4acf77bd86 100644 --- a/test/cli/test/mixed/policy.yaml +++ b/test/cli/test/mixed/policy.yaml 
@@ -21,6 +21,7 @@ spec: - user-?* name: ondemand-managed_by validate: + validationFailureAction: Audit message: '{{ request.object.metadata.namespace }} pods must be managed by open-ondemand' pattern: metadata: @@ -40,4 +41,3 @@ spec: nodeSelector: osc.edu/role: ondemand name: ondemand-nodeselector - validationFailureAction: Audit diff --git a/test/cli/test/multiple-validate-rules/policy.yaml b/test/cli/test/multiple-validate-rules/policy.yaml index f8649cdf0b..96c941f6db 100644 --- a/test/cli/test/multiple-validate-rules/policy.yaml +++ b/test/cli/test/multiple-validate-rules/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: restrict-service-ports spec: - validationFailureAction: Enforce background: true rules: - name: restrict-port-range @@ -18,6 +17,7 @@ spec: operator: Equals value: 'LoadBalancer' validate: + validationFailureAction: Enforce message: >- Only approved ports may be used for LoadBalancer services. foreach: @@ -38,6 +38,7 @@ spec: kinds: - Service validate: + validationFailureAction: Enforce message: "NodePort services are not allowed. This is {{ request.object.spec.type }}" pattern: spec: diff --git a/test/cli/test/multiple_condition_keys/policy.yaml b/test/cli/test/multiple_condition_keys/policy.yaml index de9dc89989..170ad7ea3f 100644 --- a/test/cli/test/multiple_condition_keys/policy.yaml +++ b/test/cli/test/multiple_condition_keys/policy.yaml @@ -23,4 +23,4 @@ spec: value: - busybox - busybox1 - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/mutate-keda-scaled-object/policy.yaml b/test/cli/test/mutate-keda-scaled-object/policy.yaml index ae62084e7b..f8f1bc290f 100644 --- a/test/cli/test/mutate-keda-scaled-object/policy.yaml +++ b/test/cli/test/mutate-keda-scaled-object/policy.yaml @@ -37,4 +37,3 @@ spec: value: - CREATE - UPDATE - validationFailureAction: Audit 
diff --git a/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml b/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml index dc4ee221a5..ec962a49bb 100644 --- a/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml +++ b/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml @@ -44,4 +44,4 @@ spec: metadata: labels: foo: '*' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml b/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml index da6261d101..157e35f404 100644 --- a/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml +++ b/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml @@ -37,4 +37,4 @@ spec: operator: NotEquals value: 2400 message: certificate duration must be < than 2400h (100 days) - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml b/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml index 5644a85a86..c1b649e41f 100644 --- a/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml +++ b/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml @@ -32,4 +32,4 @@ spec: status: nodeInfo: kernelVersion: '!5.10.84-1 & !5.15.5-2' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/owner_references/policy.yaml b/test/cli/test/owner_references/policy.yaml index e0e0fc7473..2e6e80763a 100644 --- a/test/cli/test/owner_references/policy.yaml +++ b/test/cli/test/owner_references/policy.yaml @@ -28,4 +28,4 @@ spec: periodSeconds: '>0' readinessProbe: periodSeconds: '>0' - validationFailureAction: Enforce + validationFailureAction: Enforce 
diff --git a/test/cli/test/policy-reports-skip-validation/policy.yaml b/test/cli/test/policy-reports-skip-validation/policy.yaml index 74ac8ac20c..3bdbfcc86f 100644 --- a/test/cli/test/policy-reports-skip-validation/policy.yaml +++ b/test/cli/test/policy-reports-skip-validation/policy.yaml @@ -33,4 +33,4 @@ spec: operator: AnyNotIn value: '{{request.object.metadata.keys(@)}}' message: naked pods are not allowed - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/preconditions/policy.yaml b/test/cli/test/preconditions/policy.yaml index f1f9e52f3e..b2550396ab 100644 --- a/test/cli/test/preconditions/policy.yaml +++ b/test/cli/test/preconditions/policy.yaml @@ -24,4 +24,4 @@ spec: spec: containers: - name: '*busybox*' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/rangeoperators/policy.yaml b/test/cli/test/rangeoperators/policy.yaml index d6fff22c6c..45954368e5 100644 --- a/test/cli/test/rangeoperators/policy.yaml +++ b/test/cli/test/rangeoperators/policy.yaml @@ -22,4 +22,4 @@ spec: fourth_value: 2.5-3.5 second_value: -2-5 third_value: 100Mi!-1024Mi - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/resource_lists/policy.yaml b/test/cli/test/resource_lists/policy.yaml index e8dd213bfa..fe3259fc1b 100644 --- a/test/cli/test/resource_lists/policy.yaml +++ b/test/cli/test/resource_lists/policy.yaml @@ -19,6 +19,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -31,9 +32,9 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Audit diff --git a/test/cli/test/restrict-something/policy.yaml b/test/cli/test/restrict-something/policy.yaml index a8337c4ed1..fe75ee740b 100644 
--- a/test/cli/test/restrict-something/policy.yaml +++ b/test/cli/test/restrict-something/policy.yaml @@ -16,6 +16,7 @@ spec: - foo name: validate-some-foo validate: + validationFailureAction: Audit deny: conditions: - key: '{{ images.containers.*.registry }}' @@ -35,6 +36,7 @@ spec: - Pod name: validate-some-non-foo validate: + validationFailureAction: Audit deny: conditions: - key: '{{ images.containers.*.registry }}' @@ -42,4 +44,3 @@ spec: value: - bar.io message: Unknown image registry. - validationFailureAction: Audit diff --git a/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml b/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml index 1a848dea8d..9ca6c6123d 100644 --- a/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml +++ b/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml @@ -39,6 +39,7 @@ spec: operator: AllIn value: '{{ hosts }}' validate: + validationFailureAction: Audit deny: {} message: The Ingress host name must be unique. - match: @@ -56,6 +57,6 @@ spec: operator: GreaterThan value: 1 validate: + validationFailureAction: Audit deny: {} message: An Ingress resource may only contain a single host entry. - validationFailureAction: Audit diff --git a/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml b/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml index cbae90f9a3..51a82f64f2 100644 --- a/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml +++ b/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml @@ -23,4 +23,4 @@ spec: pattern: spec: replicas: 2 - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/secret/policy.yaml b/test/cli/test/secret/policy.yaml index 1f7c66b242..fe3570caf4 100644 --- a/test/cli/test/secret/policy.yaml +++ b/test/cli/test/secret/policy.yaml 
@@ -18,4 +18,3 @@ spec: labels: kyverno.com/maintainer: test name: add-maintainer - validationFailureAction: Audit diff --git a/test/cli/test/simple/policy.yaml b/test/cli/test/simple/policy.yaml index 0b57d822fb..de1ccf5506 100644 --- a/test/cli/test/simple/policy.yaml +++ b/test/cli/test/simple/policy.yaml @@ -19,6 +19,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -33,12 +34,12 @@ spec: - test name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -62,6 +63,7 @@ spec: operator: GreaterThan value: 8h message: Pod lifetime exceeds limit of 8h + validationFailureAction: Enforce - match: any: - resources: @@ -76,6 +78,7 @@ spec: operator: LessThan value: 8h message: Pod lifetime under limit of 8h + validationFailureAction: Enforce - match: any: - resources: @@ -90,6 +93,7 @@ spec: operator: GreaterThanOrEquals value: 8h message: Pod lifetime exceeds limit of 8h + validationFailureAction: Enforce - match: any: - resources: @@ -104,7 +108,7 @@ spec: operator: LessThanOrEquals value: 8h message: Pod lifetime under limit of 8h - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -148,4 +152,4 @@ spec: operator: GreaterThan value: 10 message: A maximum of 10 Pods are allowed on the Node `minikube` - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/unordered-context-variables/policy.yaml b/test/cli/test/unordered-context-variables/policy.yaml index dbee1a6355..9420798a34 100644 --- a/test/cli/test/unordered-context-variables/policy.yaml +++ b/test/cli/test/unordered-context-variables/policy.yaml 
@@ -28,4 +28,4 @@ spec: spec: =(hostIPC): false =(hostPID): false - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/update/policy.yaml b/test/cli/test/update/policy.yaml index 6eaa67aca9..a91696297d 100644 --- a/test/cli/test/update/policy.yaml +++ b/test/cli/test/update/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-update-no-label-change spec: - validationFailureAction: Audit background: false rules: - name: check-label-change @@ -18,6 +17,7 @@ spec: operator: Equals value: UPDATE validate: + validationFailureAction: Audit message: Pass only if labels are different deny: conditions: diff --git a/test/cli/test/variables-deprecated/cm-array-example.yaml b/test/cli/test/variables-deprecated/cm-array-example.yaml new file mode 100644 index 0000000000..b724cec277 --- /dev/null +++ b/test/cli/test/variables-deprecated/cm-array-example.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cm-array-example +spec: + admission: true + background: false + rules: + - context: + - configMap: + name: roles-dictionary + namespace: default + name: roles-dictionary + match: + any: + - resources: + kinds: + - Pod + name: validate-role-annotation + validate: + deny: + conditions: + - key: '{{ request.object.metadata.annotations.role }}' + operator: NotIn + value: '{{ "roles-dictionary".data."allowed-roles" }}' + message: 'The role {{ request.object.metadata.annotations.role }} is not in + the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.' + validationFailureAction: Enforce diff --git a/test/cli/test/variables-deprecated/cm-blk-scalar-example.yaml b/test/cli/test/variables-deprecated/cm-blk-scalar-example.yaml new file mode 100644 index 0000000000..ea727b52c1 --- /dev/null +++ b/test/cli/test/variables-deprecated/cm-blk-scalar-example.yaml 
@@ -0,0 +1,29 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cm-blk-scalar-example +spec: + admission: true + background: false + rules: + - context: + - configMap: + name: roles-dictionary + namespace: default + name: roles-dictionary + match: + any: + - resources: + kinds: + - Pod + name: validate-blk-role-annotation + validate: + deny: + conditions: + - key: '{{ request.object.metadata.annotations.role }}' + operator: NotIn + value: '{{ "roles-dictionary".data."allowed-roles" }}' + message: 'The role {{ request.object.metadata.annotations.role }} is not in + the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.' + validationFailureAction: Enforce diff --git a/test/cli/test/variables-deprecated/cm-globalval-example.yaml b/test/cli/test/variables-deprecated/cm-globalval-example.yaml new file mode 100644 index 0000000000..0b36123763 --- /dev/null +++ b/test/cli/test/variables-deprecated/cm-globalval-example.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cm-globalval-example +spec: + admission: true + background: false + rules: + - match: + any: + - resources: + kinds: + - Pod + name: validate-mode + validate: + deny: + conditions: + - key: '{{ request.mode }}' + operator: NotEquals + value: dev + message: The value {{ request.mode }} for val1 is not equal to 'dev'. + validationFailureAction: Enforce diff --git a/test/cli/test/variables-deprecated/cm-multiple-example.yaml b/test/cli/test/variables-deprecated/cm-multiple-example.yaml new file mode 100644 index 0000000000..6f6bca9537 --- /dev/null +++ b/test/cli/test/variables-deprecated/cm-multiple-example.yaml 
@@ -0,0 +1,31 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cm-multiple-example +spec: + admission: true + background: true + rules: + - context: + - configMap: + name: some-config-map + namespace: some-namespace + name: dictionary + - configMap: + name: another-config-map + namespace: some-namespace + name: anotherdictionary + match: + any: + - resources: + kinds: + - Pod + name: example-configmap-lookup + validate: + pattern: + metadata: + labels: + my-environment-name: '{{dictionary.data.env || anotherdictionary.data.env + }}' + validationFailureAction: Audit diff --git a/test/cli/test/variables-deprecated/cm-variable-example.yaml b/test/cli/test/variables-deprecated/cm-variable-example.yaml new file mode 100644 index 0000000000..e25c2c7014 --- /dev/null +++ b/test/cli/test/variables-deprecated/cm-variable-example.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cm-variable-example +spec: + admission: true + background: true + rules: + - context: + - configMap: + name: some-config-map + namespace: some-namespace + name: dictionary + match: + any: + - resources: + kinds: + - Pod + name: example-configmap-lookup + validate: + pattern: + metadata: + labels: + my-environment-name: '{{dictionary.data.env}}' + validationFailureAction: Audit diff --git a/test/cli/test/variables-deprecated/image-example.yaml b/test/cli/test/variables-deprecated/image-example.yaml new file mode 100644 index 0000000000..1ddc5ac9ea --- /dev/null +++ b/test/cli/test/variables-deprecated/image-example.yaml 
@@ -0,0 +1,38 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: images +spec: + admission: true + background: true + validationFailureAction: Enforce + rules: + - match: + any: + - resources: + kinds: + - Pod + name: only-allow-trusted-images + preconditions: + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE + validate: + foreach: + - context: + - imageRegistry: + reference: '{{ element.image }}' + name: imageData + deny: + conditions: + all: + - key: '{{ imageData.configData.config.User || ''''}}' + operator: Equals + value: "" + - key: '{{ imageData.registry }}' + operator: NotEquals + value: ghcr.io + list: request.object.spec.containers + message: images with root user are not allowed diff --git a/test/cli/test/variables-deprecated/kyverno-test.yaml b/test/cli/test/variables-deprecated/kyverno-test.yaml new file mode 100644 index 0000000000..7186411884 --- /dev/null +++ b/test/cli/test/variables-deprecated/kyverno-test.yaml 
@@ -0,0 +1,88 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- cm-variable-example.yaml +- cm-multiple-example.yaml +- cm-array-example.yaml +- cm-blk-scalar-example.yaml +- cm-globalval-example.yaml +- image-example.yaml +resources: +- resources.yaml +results: +- kind: Pod + policy: cm-array-example + resources: + - test-web + result: fail + rule: validate-role-annotation +- kind: Pod + policy: cm-array-example + resources: + - test-app + result: pass + rule: validate-role-annotation +- kind: Pod + policy: cm-blk-scalar-example + resources: + - test-blk-web + result: fail + rule: validate-blk-role-annotation +- kind: Pod + policy: cm-blk-scalar-example + resources: + - test-blk-app + result: pass + rule: validate-blk-role-annotation +- kind: Pod + policy: cm-globalval-example + resources: + - test-global-prod + result: fail + rule: validate-mode +- kind: Pod + policy: cm-globalval-example + resources: + - test-global-dev + result: pass + rule: validate-mode +- kind: Pod + policy: cm-multiple-example + resources: + - test-env-dev + result: fail + rule: example-configmap-lookup +- kind: Pod + policy: cm-multiple-example + resources: + - test-env-test + result: pass + rule: example-configmap-lookup +- kind: Pod + policy: cm-variable-example + resources: + - test-env-dev + result: fail + rule: example-configmap-lookup +- kind: Pod + policy: cm-variable-example + resources: + - test-env-test + result: pass + rule: example-configmap-lookup +- kind: Pod + policy: images + resources: + - test-pod-with-non-trusted-registry + result: fail + rule: only-allow-trusted-images +- kind: Pod + policy: images + resources: + - test-pod-with-non-root-user-image + - test-pod-with-trusted-registry + result: pass + rule: only-allow-trusted-images +variables: variables.yaml 
diff --git a/test/cli/test/variables-deprecated/resources.yaml b/test/cli/test/variables-deprecated/resources.yaml new file mode 100644 index 0000000000..87ebc09296 --- /dev/null +++ b/test/cli/test/variables-deprecated/resources.yaml @@ -0,0 +1,110 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-env-test + labels: + my-environment-name: test +spec: + containers: + - name: nginx + image: nginx:latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-env-dev + labels: + my-environment-name: dev +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-web + annotations: + role: web +spec: + containers: + - name: nginx + image: nginx:latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-app + annotations: + role: app +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-blk-web + annotations: + role: web +spec: + containers: + - name: nginx + image: nginx:latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-blk-app + annotations: + role: app +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-global-prod +spec: + containers: + - name: nginx + image: nginx:latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-global-dev +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pod-with-non-root-user-image +spec: + containers: + - name: nginx + image: nginx:1.14.2 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pod-with-trusted-registry +spec: + containers: + - name: kyverno + image: ghcr.io/kyverno/kyverno +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pod-with-non-trusted-registry +spec: + containers: + - name: not-kyverno + image: gcr.io/not-kyverno/kyverno 
diff --git a/test/cli/test/variables-deprecated/variables.yaml b/test/cli/test/variables-deprecated/variables.yaml new file mode 100644 index 0000000000..ee0d6d8c7c --- /dev/null +++ b/test/cli/test/variables-deprecated/variables.yaml 
@@ -0,0 +1,79 @@ +apiVersion: cli.kyverno.io/v1alpha1 +globalValues: + request.mode: dev +kind: Values +policies: +- name: cm-multiple-example + rules: + - name: example-configmap-lookup + values: + anotherdictionary.data.env: test + dictionary.data.env: "" +- name: cm-variable-example + resources: + - name: test-env-test + values: + request.object.metadata.name: test-env-test + - name: test-env-dev + values: + request.object.metadata.name: test-env-dev + rules: + - name: example-configmap-lookup + values: + dictionary: + data: + env: test +- name: cm-array-example + resources: + - name: test-web + values: + request.object.metadata.annotations.role: web + - name: test-app + values: + request.object.metadata.annotations.role: app + rules: + - name: validate-role-annotation + values: + roles-dictionary.data.allowed-roles: '["app","test"]' +- name: cm-blk-scalar-example + resources: + - name: test-blk-web + values: + request.object.metadata.annotations.role: web + - name: test-blk-app + values: + request.object.metadata.annotations.role: app + rules: + - name: validate-blk-role-annotation + values: + roles-dictionary.data.allowed-roles: '["app", "test"]' +- name: cm-globalval-example + resources: + - name: test-global-prod + values: + request.mode: prod +- name: images + resources: + - name: test-pod-with-non-root-user-image + values: + element.name: nginx + imageData.configData.config.User: nginx + imageData.registry: index.docker.io + - name: test-pod-with-trusted-registry + values: + element.name: kyverno + imageData.configData.config.User: "" + imageData.registry: ghcr.io + - name: test-pod-with-non-trusted-registry + values: + element: + name: not-kyverno + imageData: + configData: + config: + User: "" + registry: gcr.io + rules: + - name: only-allow-trusted-images + values: + request.operation: CREATE diff --git a/test/cli/test/variables/cm-array-example.yaml b/test/cli/test/variables/cm-array-example.yaml index d078f090ca..b724cec277 100644 
--- a/test/cli/test/variables/cm-array-example.yaml +++ b/test/cli/test/variables/cm-array-example.yaml @@ -26,4 +26,4 @@ spec: value: '{{ "roles-dictionary".data."allowed-roles" }}' message: 'The role {{ request.object.metadata.annotations.role }} is not in the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/variables/cm-blk-scalar-example.yaml b/test/cli/test/variables/cm-blk-scalar-example.yaml index 44130771d4..ea727b52c1 100644 --- a/test/cli/test/variables/cm-blk-scalar-example.yaml +++ b/test/cli/test/variables/cm-blk-scalar-example.yaml @@ -26,4 +26,4 @@ spec: value: '{{ "roles-dictionary".data."allowed-roles" }}' message: 'The role {{ request.object.metadata.annotations.role }} is not in the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/variables/cm-globalval-example.yaml b/test/cli/test/variables/cm-globalval-example.yaml index 8faf1a5223..0b36123763 100644 --- a/test/cli/test/variables/cm-globalval-example.yaml +++ b/test/cli/test/variables/cm-globalval-example.yaml @@ -20,4 +20,4 @@ spec: operator: NotEquals value: dev message: The value {{ request.mode }} for val1 is not equal to 'dev'. - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/variables/cm-multiple-example.yaml b/test/cli/test/variables/cm-multiple-example.yaml index 14fccbe5ce..6f6bca9537 100644 --- a/test/cli/test/variables/cm-multiple-example.yaml +++ b/test/cli/test/variables/cm-multiple-example.yaml @@ -28,4 +28,4 @@ spec: labels: my-environment-name: '{{dictionary.data.env || anotherdictionary.data.env }}' - validationFailureAction: Audit + validationFailureAction: Audit 
diff --git a/test/cli/test/variables/cm-variable-example.yaml b/test/cli/test/variables/cm-variable-example.yaml index 7cf02aafe6..e25c2c7014 100644 --- a/test/cli/test/variables/cm-variable-example.yaml +++ b/test/cli/test/variables/cm-variable-example.yaml @@ -23,4 +23,4 @@ spec: metadata: labels: my-environment-name: '{{dictionary.data.env}}' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/variables/image-example.yaml b/test/cli/test/variables/image-example.yaml index e1a7bc2fcd..7ce05f3201 100644 --- a/test/cli/test/variables/image-example.yaml +++ b/test/cli/test/variables/image-example.yaml @@ -35,4 +35,4 @@ spec: value: ghcr.io list: request.object.spec.containers message: images with root user are not allowed - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/wildcard_match_label_selector/policy.yaml b/test/cli/test/wildcard_match_label_selector/policy.yaml index 3b225b3a74..6cb200033a 100644 --- a/test/cli/test/wildcard_match_label_selector/policy.yaml +++ b/test/cli/test/wildcard_match_label_selector/policy.yaml @@ -17,6 +17,7 @@ spec: protected: '*' name: wildcard-label validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -32,6 +33,7 @@ spec: protected: '*-test' name: label-end-with-test validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -52,4 +54,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/wildcard_mutate/policy.yaml b/test/cli/test/wildcard_mutate/policy.yaml index d203af3dee..c8667728b0 100644 --- a/test/cli/test/wildcard_mutate/policy.yaml +++ b/test/cli/test/wildcard_mutate/policy.yaml @@ -19,4 +19,3 @@ spec: annotations: test: app name: mutate-wildcard - validationFailureAction: Audit 
diff --git a/test/conformance/chainsaw/autogen/conditions-deprecated/README.md b/test/conformance/chainsaw/autogen/conditions-deprecated/README.md new file mode 100644 index 0000000000..e52cebc4c0 --- /dev/null +++ b/test/conformance/chainsaw/autogen/conditions-deprecated/README.md @@ -0,0 +1,11 @@ +## Description + +The policy should contain autogen rules with deny conditions correctly adjusted. + +## Expected Behavior + +The policy contains autogen rules with deny conditions correctly adjusted. + +## Related Issue(s) + +- https://github.com/kyverno/kyverno/issues/7566 diff --git a/test/conformance/chainsaw/autogen/conditions-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/conditions-deprecated/chainsaw-test.yaml new file mode 100755 index 0000000000..be01acaeff --- /dev/null +++ b/test/conformance/chainsaw/autogen/conditions-deprecated/chainsaw-test.yaml @@ -0,0 +1,13 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: conditions +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/conditions-deprecated/policy-assert.yaml b/test/conformance/chainsaw/autogen/conditions-deprecated/policy-assert.yaml new file mode 100644 index 0000000000..561108308b --- /dev/null +++ b/test/conformance/chainsaw/autogen/conditions-deprecated/policy-assert.yaml 
@@ -0,0 +1,49 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: allowed-annotations +spec: {} +status: + autogen: + rules: + - match: + any: + - resources: + kinds: + - DaemonSet + - Deployment + - Job + - ReplicaSet + - ReplicationController + - StatefulSet + name: autogen-allowed-fluxcd-annotations + validate: + deny: + conditions: + all: + - key: '{{ request.object.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}' + operator: AnyNotIn + value: + - fluxcd.io/cow + - fluxcd.io/dog + message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-allowed-fluxcd-annotations + validate: + deny: + conditions: + all: + - key: '{{ request.object.spec.jobTemplate.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}' + operator: AnyNotIn + value: + - fluxcd.io/cow + - fluxcd.io/dog + message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/autogen/conditions-deprecated/policy.yaml b/test/conformance/chainsaw/autogen/conditions-deprecated/policy.yaml new file mode 100644 index 0000000000..fc38471aba --- /dev/null +++ b/test/conformance/chainsaw/autogen/conditions-deprecated/policy.yaml @@ -0,0 +1,24 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: allowed-annotations +spec: + validationFailureAction: Enforce + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + name: allowed-fluxcd-annotations + validate: + deny: + conditions: + all: + - key: '{{ request.object.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}' + operator: AnyNotIn + value: + - fluxcd.io/cow + - fluxcd.io/dog + message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. 
diff --git a/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml b/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml index 561108308b..1a19e25a56 100644 --- a/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml @@ -27,6 +27,7 @@ status: - fluxcd.io/cow - fluxcd.io/dog message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. + validationFailureAction: Enforce - match: any: - resources: @@ -43,6 +44,7 @@ status: - fluxcd.io/cow - fluxcd.io/dog message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. + validationFailureAction: Enforce conditions: - reason: Succeeded status: "True" diff --git a/test/conformance/chainsaw/autogen/conditions/policy.yaml b/test/conformance/chainsaw/autogen/conditions/policy.yaml index e0d1a7d0ef..580fc91ca7 100644 --- a/test/conformance/chainsaw/autogen/conditions/policy.yaml +++ b/test/conformance/chainsaw/autogen/conditions/policy.yaml @@ -12,6 +12,7 @@ spec: - Pod name: allowed-fluxcd-annotations validate: + validationFailureAction: Enforce deny: conditions: all: @@ -21,4 +22,3 @@ spec: - fluxcd.io/cow - fluxcd.io/dog message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. - validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/README.md b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/README.md new file mode 100644 index 0000000000..95624aac6e --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/README.md 
@@ -0,0 +1,11 @@ +## Description + +The policy should contain autogen rules for cronjobs and deployments because it has the `pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob` annotation. + +## Expected Behavior + +The policy gets created and contains a autogen rules for cronjobs and deployments in the status. + +## Related Issue(s) + +- https://github.com/kyverno/kyverno/issues/7444 diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/chainsaw-test.yaml new file mode 100755 index 0000000000..42af2f2e71 --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/chainsaw-test.yaml @@ -0,0 +1,13 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: deployment-cronjob +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy-assert.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy-assert.yaml new file mode 100644 index 0000000000..181e0a9df1 --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy-assert.yaml 
@@ -0,0 +1,98 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: + rules: + - match: + any: + - resources: + kinds: + - Deployment + name: autogen-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Deployment + name: autogen-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + template: + spec: + containers: + - image: '!*:latest' + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy.yaml new file mode 100644 index 0000000000..467a033ab3 --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag + annotations: + pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml index 181e0a9df1..1b67b0ff8a 100644 --- a/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -43,6 +44,7 @@ status: - Deployment name: autogen-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -57,6 +59,7 @@ status: - CronJob name: autogen-cronjob-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -73,6 +76,7 @@ status: - Deployment name: autogen-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: 
@@ -87,6 +91,7 @@ status: - CronJob name: autogen-cronjob-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml index 467a033ab3..90a9cf0664 100644 --- a/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml +++ b/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob spec: - validationFailureAction: Audit rules: - match: any: @@ -14,6 +13,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -26,6 +26,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml index 29025bc3ed..3a94b5bf78 100644 --- a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: 
@@ -45,6 +46,7 @@ status: - StatefulSet name: autogen-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -61,6 +63,7 @@ status: - StatefulSet name: autogen-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml index eecb0fd7c8..ffa40232a3 100644 --- a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml +++ b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: Deployment,StatefulSet,Job spec: - validationFailureAction: Audit rules: - match: any: @@ -14,6 +13,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -26,6 +26,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/none-deprecated/README.md b/test/conformance/chainsaw/autogen/none-deprecated/README.md new file mode 100644 index 0000000000..b7c8e1c1ba --- /dev/null +++ b/test/conformance/chainsaw/autogen/none-deprecated/README.md @@ -0,0 +1,7 @@ +## Description + +The policy should contain no autogen rules because it has the `pod-policies.kyverno.io/autogen-controllers: none` annotation. + +## Expected Behavior + +The policy gets created and have no autogen rules recorded in the status. diff --git a/test/conformance/chainsaw/autogen/none-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/none-deprecated/chainsaw-test.yaml new file mode 100755 index 0000000000..cbcce6f996 --- /dev/null 
+++ b/test/conformance/chainsaw/autogen/none-deprecated/chainsaw-test.yaml @@ -0,0 +1,13 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: none +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/none-deprecated/policy-assert.yaml b/test/conformance/chainsaw/autogen/none-deprecated/policy-assert.yaml new file mode 100644 index 0000000000..20ea7d32a6 --- /dev/null +++ b/test/conformance/chainsaw/autogen/none-deprecated/policy-assert.yaml @@ -0,0 +1,37 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: {} diff --git a/test/conformance/chainsaw/autogen/none-deprecated/policy.yaml b/test/conformance/chainsaw/autogen/none-deprecated/policy.yaml new file mode 100644 index 0000000000..9c4a105a85 --- /dev/null +++ b/test/conformance/chainsaw/autogen/none-deprecated/policy.yaml 
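Review bot: The closing `autogen: {}` assertion in the new `policy-assert.yaml` does not establish what the README promises (no autogen rules recorded): as far as I can tell, an empty map in a chainsaw/kyverno-json assertion only requires `status.autogen` to be an object, so a status that still carries `autogen.rules` would pass too. Pinning the absence explicitly, e.g. `(length(autogen.rules || `[]`)): 0` under `status:`, makes the test fail when the `none` annotation is ignored, subject to the assertion syntax supported by the chainsaw version in use. This appears to be copied from the existing `autogen/none` fixture, so the same weakness likely exists there.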
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/none/policy-assert.yaml b/test/conformance/chainsaw/autogen/none/policy-assert.yaml index 20ea7d32a6..e0fe17bbb4 100644 --- a/test/conformance/chainsaw/autogen/none/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/none/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/none/policy.yaml b/test/conformance/chainsaw/autogen/none/policy.yaml index 9c4a105a85..3c26e24d3e 100644 --- a/test/conformance/chainsaw/autogen/none/policy.yaml +++ b/test/conformance/chainsaw/autogen/none/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit rules: - match: any: @@ -14,6 +13,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: 
@@ -26,6 +26,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml b/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml index 19687d3167..e599ce36c9 100644 --- a/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -43,6 +44,7 @@ status: - CronJob name: autogen-cronjob-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -59,6 +61,7 @@ status: - CronJob name: autogen-cronjob-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml b/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml index 4fd854b997..41767bd475 100644 --- a/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml +++ b/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: CronJob spec: - validationFailureAction: Audit rules: - match: any: @@ -14,6 +13,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: 
@@ -26,6 +26,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml b/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml index 53441000e5..351fa60188 100644 --- a/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -43,6 +44,7 @@ status: - Deployment name: autogen-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -57,6 +59,7 @@ status: - Deployment name: autogen-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/only-deployment/policy.yaml b/test/conformance/chainsaw/autogen/only-deployment/policy.yaml index 3f124a8a67..54c416fbf9 100644 --- a/test/conformance/chainsaw/autogen/only-deployment/policy.yaml +++ b/test/conformance/chainsaw/autogen/only-deployment/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: Deployment spec: - validationFailureAction: Audit rules: - match: any: @@ -14,6 +13,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: 
@@ -26,6 +26,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/restrict-image-registries/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/restrict-image-registries/chainsaw-test.yaml new file mode 100755 index 0000000000..924b001247 --- /dev/null +++ b/test/conformance/chainsaw/autogen/restrict-image-registries/chainsaw-test.yaml @@ -0,0 +1,34 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-image-registries +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - script: + content: kubectl run nginx-1 --image nginx + check: + ($error != null): true + (contains($stderr, 'rule validate-registries failed at path /spec/containers/0/image/')): true + - name: step-03 + try: + - script: + content: kubectl create deployment testing --image=nginx --replicas=1 + check: + ($error != null): true + (contains($stderr, 'rule autogen-validate-registries failed at path /spec/template/spec/containers/0/image/')): true + - name: step-04 + try: + - script: + content: kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *" + check: + ($error != null): true + (contains($stderr, 'rule autogen-cronjob-validate-registries failed')): true diff --git a/test/conformance/chainsaw/autogen/restrict-image-registries/policy-assert.yaml b/test/conformance/chainsaw/autogen/restrict-image-registries/policy-assert.yaml new file mode 100644 index 0000000000..63fafdfe8f --- /dev/null +++ b/test/conformance/chainsaw/autogen/restrict-image-registries/policy-assert.yaml 
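Review bot: Step-04 of the new `restrict-image-registries/chainsaw-test.yaml` only checks `contains($stderr, 'rule autogen-cronjob-validate-registries failed')`, whereas steps 02 and 03 also pin the failing path; asserting `failed at path /spec/jobTemplate/spec/template/spec/containers/0/image/` as well would prove the CronJob autogen rule was rewritten to the nested pod template rather than merely firing for some reason. The three `script` steps also create resources outside chainsaw's tracking, so if admission unexpectedly admits one, `nginx-1`, `testing` or `my-job` is left behind and can pollute later steps; a per-step `finally` such as `kubectl delete pod nginx-1 --ignore-not-found` (and the deployment/cronjob equivalents) would keep a failure contained, assuming the chainsaw version in use supports `finally`.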
@@ -0,0 +1,69 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-image-registries +spec: + admission: true + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + name: validate-registries + skipBackgroundRequests: true + validate: + message: Images may only come from our internal enterprise registry. + pattern: + spec: + containers: + - image: registry.domain.com/* + validationFailureAction: Enforce +status: + autogen: + rules: + - match: + any: + - resources: + kinds: + - DaemonSet + - Deployment + - Job + - ReplicaSet + - ReplicationController + - StatefulSet + name: autogen-validate-registries + skipBackgroundRequests: true + validate: + message: Images may only come from our internal enterprise registry. + pattern: + spec: + template: + spec: + containers: + - image: registry.domain.com/* + validationFailureAction: Enforce + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-validate-registries + skipBackgroundRequests: true + validate: + message: Images may only come from our internal enterprise registry. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: registry.domain.com/* + validationFailureAction: Enforce + conditions: + - message: Ready + reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/autogen/restrict-image-registries/policy.yaml b/test/conformance/chainsaw/autogen/restrict-image-registries/policy.yaml new file mode 100644 index 0000000000..5ee3ad7cf6 --- /dev/null +++ b/test/conformance/chainsaw/autogen/restrict-image-registries/policy.yaml 
@@ -0,0 +1,19 @@ +apiVersion : kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-image-registries +spec: + rules: + - name: validate-registries + match: + any: + - resources: + kinds: + - Pod + validate: + validationFailureAction: Enforce + message: "Images may only come from our internal enterprise registry." + pattern: + spec: + containers: + - image: "registry.domain.com/*" diff --git a/test/conformance/chainsaw/autogen/should-autogen-deprecated/README.md b/test/conformance/chainsaw/autogen/should-autogen-deprecated/README.md new file mode 100644 index 0000000000..bbbe68d45f --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-autogen-deprecated/README.md @@ -0,0 +1,7 @@ +## Description + +The policy should contain all autogen rules. + +## Expected Behavior + +The policy gets created and contains all autogen rules in the status. diff --git a/test/conformance/chainsaw/autogen/should-autogen-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/should-autogen-deprecated/chainsaw-test.yaml new file mode 100755 index 0000000000..460a82615b --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-autogen-deprecated/chainsaw-test.yaml @@ -0,0 +1,13 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: should-autogen +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy-assert.yaml new file mode 100644 index 0000000000..08fc068652 --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy-assert.yaml 
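Review bot: The pattern in the new `restrict-image-registries/policy.yaml` restricts only `spec.containers`, so `initContainers` and `ephemeralContainers` can still pull from any registry; that is acceptable for an autogen fixture, but because the policy is named like the documented sample and runs in `Enforce`, anyone copying it inherits a bypassable control. Adding `=(initContainers):` and `=(ephemeralContainers):` entries with the same `- image: "registry.domain.com/*"` pattern (and the matching nested paths in `policy-assert.yaml`), or a comment stating the fixture deliberately covers `containers` only, would make the intent explicit. Minor style: `apiVersion : kyverno.io/v1` has a stray space before the colon that no other fixture in this change has; `apiVersion: kyverno.io/v1` parses identically.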
@@ -0,0 +1,108 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: + rules: + - match: + any: + - resources: + kinds: + - DaemonSet + - Deployment + - Job + - ReplicaSet + - ReplicationController + - StatefulSet + name: autogen-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - DaemonSet + - Deployment + - Job + - ReplicaSet + - ReplicationController + - StatefulSet + name: autogen-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + template: + spec: + containers: + - image: '!*:latest' + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy.yaml b/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy.yaml new file mode 100644 index 0000000000..0e4770f3e7 --- /dev/null 
+++ b/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml index 08fc068652..952e639d43 100644 --- a/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -48,6 +49,7 @@ status: - StatefulSet name: autogen-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -62,6 +64,7 @@ status: - CronJob name: autogen-cronjob-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -83,6 +86,7 @@ status: - StatefulSet name: autogen-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: 
@@ -97,6 +101,7 @@ status: - CronJob name: autogen-cronjob-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/should-autogen/policy.yaml b/test/conformance/chainsaw/autogen/should-autogen/policy.yaml index 0e4770f3e7..3fbaa4c1d2 100644 --- a/test/conformance/chainsaw/autogen/should-autogen/policy.yaml +++ b/test/conformance/chainsaw/autogen/should-autogen/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/README.md b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/README.md new file mode 100644 index 0000000000..3e7d26726f --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/README.md @@ -0,0 +1,7 @@ +## Description + +The policy should not contain autogen rules as autogen should not apply to the policy (it's not a `Pod` only policy). + +## Expected Behavior + +The policy gets created and contains no autogen rules in the status. diff --git a/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/chainsaw-test.yaml new file mode 100755 index 0000000000..c69b1907bd --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/chainsaw-test.yaml 
@@ -0,0 +1,13 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: should-not-autogen +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy-assert.yaml new file mode 100644 index 0000000000..e16f08f265 --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy-assert.yaml @@ -0,0 +1,38 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + - Deployment + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: {} diff --git a/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy.yaml b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy.yaml new file mode 100644 index 0000000000..62a1223e67 --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy.yaml 
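Review bot: The `autogen: {}` assertion at the end of the new `should-not-autogen-deprecated/policy-assert.yaml` has the same gap as the other `{}` status asserts in this change: an empty map matches any object, so a status that still contains `autogen.rules` would not fail the test even though the README expects none. A JMESPath length check under `status:`, e.g. `(length(autogen.rules || `[]`)): 0`, pins the expected behaviour, subject to the chainsaw version's assertion syntax.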
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag
+spec:
+ validationFailureAction: Audit
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ name: require-image-tag
+ validate:
+ message: An image tag is required.
+ pattern:
+ spec:
+ containers:
+ - image: '*:*'
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: validate-image-tag
+ validate:
+ message: Using a mutable image tag e.g. 'latest' is not allowed.
+ pattern:
+ spec:
+ containers:
+ - image: '!*:latest'
diff --git a/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml
index e16f08f265..b93773c82d 100644
--- a/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml
+++ b/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any:
@@ -13,6 +12,7 @@ spec: - Deployment name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec:
@@ -25,6 +25,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec:
diff --git a/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml b/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml
index 62a1223e67..f1a824139f 100644
--- a/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml
+++ b/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any:
@@ -13,6 +12,7 @@ spec: - Deployment name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec:
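Review bot: Nothing in this fixture or its README records that the directory exists only to keep the spec-level `validationFailureAction: Audit` covered after the sibling `should-not-autogen` test moved the field under each rule's `validate:`, so when the deprecated spec-level field is removed it will not be obvious which directories go with it. The blob id on the index line matches the pre-change `should-not-autogen/policy.yaml`, so the copy is byte-identical and does preserve the old behaviour; that intent just needs stating. A one-line addition to each `-deprecated` README, such as "This variant exercises the deprecated spec-level validationFailureAction field and should be removed together with it.", would do; the same applies to the other `-deprecated` directories added in this change (background-only cluster-policy and policy variants, custom-sigstore basic).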
@@ -25,6 +25,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec:
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/README.md b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/README.md
new file mode 100644
index 0000000000..8e7d11859b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission event is created.
+One background event is created.
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/admission-event.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/admission-event.yaml
new file mode 100644
index 0000000000..a2e37ce4a1
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/admission-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+reportingComponent: kyverno-admission
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/background-event.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/background-event.yaml
new file mode 100644
index 0000000000..8a25b544c0
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/background-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+reportingComponent: kyverno-scan
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/chainsaw-test.yaml
new file mode 100755
index 0000000000..1b04d86664
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/chainsaw-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: no-admission-event
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: background-event.yaml
+ - error:
+ file: admission-event.yaml
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy-assert.yaml
new file mode 100644
index 0000000000..4e2954e278
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy.yaml
new file mode 100644
index 0000000000..9ba9837c46
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml
index 9ba9837c46..6431b95be2 100644
--- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules:
@@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/README.md b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/README.md
new file mode 100644
index 0000000000..2ca354e9f6
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/README.md
@@ -0,0 +1,9 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission report is created.
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/admission-report.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/admission-report.yaml
new file mode 100644
index 0000000000..edafe07432
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/admission-report.yaml
@@ -0,0 +1,7 @@
+apiVersion: reports.kyverno.io/v1
+kind: EphemeralReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: pod
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/chainsaw-test.yaml
new file mode 100755
index 0000000000..19248d7484
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/chainsaw-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: no-admission-report
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - name: step-03
+ try:
+ - error:
+ file: admission-report.yaml
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy-assert.yaml
new file mode 100644
index 0000000000..4e2954e278
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy.yaml
new file mode 100644
index 0000000000..9ba9837c46
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml
index 9ba9837c46..6431b95be2 100644
--- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules:
@@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/README.md b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/README.md
new file mode 100644
index 0000000000..89489ef465
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/chainsaw-test.yaml
new file mode 100755
index 0000000000..cb87369ca5
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/chainsaw-test.yaml
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: not-rejected
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy-assert.yaml
new file mode 100644
index 0000000000..4e2954e278
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy.yaml
new file mode 100644
index 0000000000..9ba9837c46
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml
index 9ba9837c46..6431b95be2 100644
--- a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules:
@@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/README.md b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/README.md
new file mode 100644
index 0000000000..8e7d11859b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission event is created.
+One background event is created.
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/admission-event.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/admission-event.yaml
new file mode 100644
index 0000000000..a2e37ce4a1
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/admission-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+reportingComponent: kyverno-admission
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/background-event.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/background-event.yaml
new file mode 100644
index 0000000000..8a25b544c0
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/background-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+reportingComponent: kyverno-scan
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/chainsaw-test.yaml
new file mode 100755
index 0000000000..1b04d86664
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/chainsaw-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: no-admission-event
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: background-event.yaml
+ - error:
+ file: admission-event.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy-assert.yaml
new file mode 100644
index 0000000000..d3196721f2
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy.yaml
new file mode 100644
index 0000000000..92bab90832
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml
index 92bab90832..91a845df05 100644
--- a/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml
@@ -3,7 +3,6 @@ kind: Policy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules:
@@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/README.md b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/README.md
new file mode 100644
index 0000000000..2ca354e9f6
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/README.md
@@ -0,0 +1,9 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission report is created.
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/admission-report.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/admission-report.yaml
new file mode 100644
index 0000000000..edafe07432
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/admission-report.yaml
@@ -0,0 +1,7 @@
+apiVersion: reports.kyverno.io/v1
+kind: EphemeralReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: pod
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/chainsaw-test.yaml
new file mode 100755
index 0000000000..19248d7484
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/chainsaw-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: no-admission-report
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - name: step-03
+ try:
+ - error:
+ file: admission-report.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy-assert.yaml
new file mode 100644
index 0000000000..d3196721f2
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy.yaml
new file mode 100644
index 0000000000..92bab90832
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml
index 92bab90832..91a845df05 100644
--- a/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml
@@ -3,7 +3,6 @@ kind: Policy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules:
@@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/README.md b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/README.md
new file mode 100644
index 0000000000..89489ef465
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/chainsaw-test.yaml
new file mode 100755
index 0000000000..cb87369ca5
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/chainsaw-test.yaml
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: not-rejected
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy-assert.yaml
new file mode 100644
index 0000000000..d3196721f2
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy.yaml
new file mode 100644
index 0000000000..92bab90832
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml
index 92bab90832..91a845df05 100644
--- a/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml
@@ -3,7 +3,6 @@ kind: Policy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules:
@@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {}
diff --git a/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml b/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml
index 4bb661fe1d..e2c116d3dd 100644
--- a/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml
+++ b/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-run-as-non-root-user spec: - validationFailureAction: Enforce background: true rules: - name: run-as-non-root-user
@@ -13,6 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
+ validationFailureAction: Enforce
 message: >-
 Running the container as root user is not allowed.
 pattern:
diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/chainsaw-test.yaml
new file mode 100644
index 0000000000..1ad9aee701
--- /dev/null
+++ b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/chainsaw-test.yaml
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: basic
+spec:
+ concurrent: false
+ namespace: foo
+ steps:
+ - try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: kubectl run -n $NAMESPACE test-sigstore --image=$TEST_IMAGE_URL
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/pod-assert.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/pod-assert.yaml
new file mode 100644
index 0000000000..bdf06e1e5d
--- /dev/null
+++ b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/pod-assert.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-sigstore
diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy-assert.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy-assert.yaml
new file mode 100644
index 0000000000..d622499100
--- /dev/null
+++ b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: basic-sigstore-test-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
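Review bot: pod-assert.yaml only checks that a Pod named `test-sigstore` exists, so the final step passes whenever admission let the pod through, without confirming that the keyless verification in the policy actually ran; a rule that silently failed to match, or a policy that degraded to a report-only action, would leave this fixture green. If `$TEST_IMAGE_URL` is a tag reference, asserting the digest mutation that successful verification performs, e.g. `spec:` / `  containers:` / `  - (contains(image, '@sha256:')): true`, would tie the assertion to the verification itself (confirm the chainsaw list-item assertion syntax against the version in use). If the test image is already pinned by digest in the harness this check is moot and the README should say so. The `chainsaw-test.yaml` hunk also hard-codes `namespace: foo` with `concurrent: false`, which is fine for a deprecated copy but means the two sigstore tests cannot be run in parallel against the same cluster.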
diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy.yaml
new file mode 100644
index 0000000000..bbf59ae311
--- /dev/null
+++ b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: basic-sigstore-test-policy
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: keyed-basic-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ context:
+ - name: tufvalues
+ configMap:
+ name: tufvalues
+ namespace: kyverno
+ verifyImages:
+ - imageReferences:
+ - "ttl.sh/*"
+ attestors:
+ - count: 1
+ entries:
+ - keyless:
+ issuer: "https://kubernetes.default.svc.cluster.local"
+ subject: "https://kubernetes.io/namespaces/default/serviceaccounts/default"
+ rekor:
+ url: "{{ tufvalues.data.REKOR_URL }}"
+ required: true
diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
index bbf59ae311..08ad133aab 100644
--- a/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
+++ b/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
@@ -3,10 +3,10 @@ kind: ClusterPolicy
 metadata:
 name: basic-sigstore-test-policy
 spec:
- validationFailureAction: Enforce
 background: false
- webhookTimeoutSeconds: 30
- failurePolicy: Fail
+ webhookConfiguration:
+ timeoutSeconds: 30
+ failurePolicy: Fail
 rules:
 - name: keyed-basic-rule
 match:
@@ -31,3 +31,4 @@ spec:
 rekor:
 url: "{{ tufvalues.data.REKOR_URL }}"
 required: true
+ validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/deferred/dependencies-deprecated/README.md b/test/conformance/chainsaw/deferred/dependencies-deprecated/README.md
new file mode 100644
index 0000000000..a19b14626b
--- /dev/null
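Review bot: In the second `basic/policy.yaml` hunk the added `validationFailureAction: Enforce` is appended after `required: true`, directly below the `attestors` / `entries` / `keyless` / `rekor` nesting, so its indentation alone decides whether it lands on the `verifyImages` entry (the new per-entry field), on the rule, or on `spec`, and in the latter two places it would not have the intended effect; the collapsed diff does not let me confirm which level it ended up at. Putting it at the top of the entry next to `imageReferences` makes the level unmistakable: `- imageReferences:` / `    - "ttl.sh/*"` / `  validationFailureAction: Enforce`. Since the field is now per entry, a rule with several `verifyImages` entries needs it on each one. Keeping `failurePolicy: Fail` under the new `webhookConfiguration` block is the right call, the image check stays fail-closed when the webhook times out.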
+++ b/test/conformance/chainsaw/deferred/dependencies-deprecated/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test checks for handling of variable dependencies with deferred lookups
+
+## Expected Behavior
+
+The deployment should fail
+
+## Reference Issues
+
+https://github.com/kyverno/kyverno/issues/7486
+
diff --git a/test/conformance/chainsaw/deferred/dependencies-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/deferred/dependencies-deprecated/chainsaw-test.yaml
new file mode 100755
index 0000000000..6fdd52dc67
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies-deprecated/chainsaw-test.yaml
@@ -0,0 +1,20 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: dependencies
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: manifests.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: deploy.yaml
diff --git a/test/conformance/chainsaw/deferred/dependencies-deprecated/deploy.yaml b/test/conformance/chainsaw/deferred/dependencies-deprecated/deploy.yaml
new file mode 100644
index 0000000000..c03b8fa60f
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies-deprecated/deploy.yaml
@@ -0,0 +1,28 @@
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test
+ namespace: acme-fitness
+ labels:
+ app: kubecost-cost-analyzer
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: kubecost-cost-analyzer
+ template:
+ metadata:
+ labels:
+ app: kubecost-cost-analyzer
+ spec:
+ containers:
+ - name: cost-model
+ image: nginx:1.14.2
+ resources:
+ requests:
+ cpu: 350m
+ memory: 500Mi
+ limits:
+ memory: 2Gi
diff --git a/test/conformance/chainsaw/deferred/dependencies-deprecated/manifests.yaml b/test/conformance/chainsaw/deferred/dependencies-deprecated/manifests.yaml
new file mode 100644
index 0000000000..ffdbf0a9af
--- /dev/null
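Review bot: In chainsaw-test.yaml step-02 only checks `($error != null): true`, so any failure to create the Deployment satisfies the test, for instance the `acme-fitness` namespace not being established yet, the API server rejecting the deprecated spec field, or a webhook timeout, none of which is the budget denial the README says is under test. Matching on the policy name or its message pins the cause, e.g. `(contains($error, 'enforce-company-budget')): true`, or a check for the `will overrun the remaining budget` text that the policy's `message` emits. The sibling `dependencies` test presumably uses the same bare null-check, so both fixtures should be tightened together rather than only the deprecated copy.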
+++ b/test/conformance/chainsaw/deferred/dependencies-deprecated/manifests.yaml 
@@ -0,0 +1,73 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: acme-fitness +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: enforce-company-budget +spec: + validationFailureAction: Enforce + rules: + - name: check-kubecost-budget + match: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + context: + # Mocked response from the Kubecost prediction API until it natively supports JSON input. + # Get the predicted amount of the Deployment and transform to get the totalMonthlyRate. + - name: predictedcost + variable: + jmesPath: '[0].costChange.totalMonthlyRate' + value: + - namespace: acme-fitness + controllerKind: deployment + controllerName: test + costBefore: + totalMonthlyRate: 0 + cpuMonthlyRate: 0 + ramMonthlyRate: 0 + gpuMonthlyRate: 0 + monthlyCPUCoreHours: 0 + monthlyRAMByteHours: 0 + monthlyGPUHours: 0 + costAfter: + totalMonthlyRate: 28.839483652409793 + cpuMonthlyRate: 24.295976357646456 + ramMonthlyRate: 4.543507294763337 + gpuMonthlyRate: 0 + monthlyCPUCoreHours: 766.5 + monthlyRAMByteHours: 1.14819072e+12 + monthlyGPUHours: 0 + costChange: + totalMonthlyRate: 92.839483652409793 + cpuMonthlyRate: 24.295976357646456 + ramMonthlyRate: 4.543507294763337 + gpuMonthlyRate: 0 + monthlyCPUCoreHours: 766.5 + monthlyRAMByteHours: 1.14819072e+12 + monthlyGPUHours: 0 + - name: budget + variable: + value: + spendLimit: 100.0 + currentSpend: 73.0 + # Calculate the budget that remains from the window by subtracting the currentSpend from the spendLimit. + - name: remainingbudget + variable: + jmesPath: subtract(`{{budget.spendLimit}}`,`{{budget.currentSpend}}`) + validate: + # Need to improve this by rounding. + message: "This Deployment, which costs ${{ predictedcost }} to run for a month, will overrun the remaining budget of ${{ remainingbudget }}. Please seek approval." + deny: + conditions: + all: + - key: "{{ predictedcost }}" + operator: GreaterThan + value: "{{ remainingbudget }}" \ No newline at end of file 
diff --git a/test/conformance/chainsaw/deferred/dependencies-deprecated/policy-assert.yaml b/test/conformance/chainsaw/deferred/dependencies-deprecated/policy-assert.yaml
new file mode 100644
index 0000000000..8ce29958ed
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies-deprecated/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-company-budget
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/deferred/dependencies/manifests.yaml b/test/conformance/chainsaw/deferred/dependencies/manifests.yaml
index ffdbf0a9af..88fdb61da5 100644
--- a/test/conformance/chainsaw/deferred/dependencies/manifests.yaml
+++ b/test/conformance/chainsaw/deferred/dependencies/manifests.yaml
@@ -9,7 +9,6 @@ kind: ClusterPolicy
 metadata:
 name: enforce-company-budget
 spec:
- validationFailureAction: Enforce
 rules:
 - name: check-kubecost-budget
 match:
@@ -63,6 +62,7 @@ spec:
 variable:
 jmesPath: subtract(`{{budget.spendLimit}}`,`{{budget.currentSpend}}`)
 validate:
+ validationFailureAction: Enforce
 # Need to improve this by rounding.
 message: "This Deployment, which costs ${{ predictedcost }} to run for a month, will overrun the remaining budget of ${{ remainingbudget }}. Please seek approval."
 deny:
diff --git a/test/conformance/chainsaw/deferred/foreach/manifests.yaml b/test/conformance/chainsaw/deferred/foreach/manifests.yaml
index f298d56d7c..cae265a4e0 100644
--- a/test/conformance/chainsaw/deferred/foreach/manifests.yaml
+++ b/test/conformance/chainsaw/deferred/foreach/manifests.yaml
@@ -41,4 +41,3 @@ spec:
 - CREATE
 - UPDATE
 schemaValidation: false
- validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/deferred/recursive/policy.yaml b/test/conformance/chainsaw/deferred/recursive/policy.yaml
index 4965a30bc4..72176cd3db 100644
--- a/test/conformance/chainsaw/deferred/recursive/policy.yaml
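Review bot: The `deferred/foreach/manifests.yaml` hunk deletes the spec-level `validationFailureAction: Enforce` (it sits beside `schemaValidation: false`, so at `spec` level) without adding a rule-level replacement, unlike the `dependencies/manifests.yaml` change just above, and the rules themselves are outside the hunk. If any rule in that file has a `validate:` block it now falls back to whatever applies when the field is absent (presumably Audit, confirm against the API defaults), which quietly turns a blocking test policy into a report-only one; if the policy is mutate-only the old field was a no-op and the removal is correct. Please confirm which case this is, and if it is the former add `validationFailureAction: Enforce` under each `validate:` block.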
+++ b/test/conformance/chainsaw/deferred/recursive/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: one
 spec:
- validationFailureAction: Enforce
 rules:
 - name: one
 match:
diff --git a/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml b/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml
index 7737635f08..a01028cd98 100644
--- a/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml
+++ b/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: one
 spec:
- validationFailureAction: Enforce
 rules:
 - name: one
 match:
diff --git a/test/conformance/chainsaw/deferred/two-rules/policy.yaml b/test/conformance/chainsaw/deferred/two-rules/policy.yaml
index 592fbdc5d7..86963117c5 100644
--- a/test/conformance/chainsaw/deferred/two-rules/policy.yaml
+++ b/test/conformance/chainsaw/deferred/two-rules/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: one
 spec:
- validationFailureAction: Enforce
 rules:
 - name: one
 match:
diff --git a/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml
index 3d6ea0ae68..f1fb10a77a 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml
@@ -4,7 +4,6 @@ metadata:
 name: podsecurity-subrule-restricted
 spec:
 background: true
- validationFailureAction: Audit
 rules:
 - name: restricted
 match:
@@ -13,6 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
+ validationFailureAction: Audit
 podSecurity:
 level: restricted
 version: latest
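Review bot: The three `deferred/*` hunks on this line (`recursive`, `resolve-overriden-variable`, `two-rules`) each drop `validationFailureAction: Enforce` from `spec` with no rule-level addition in the hunk, and in all three the rule bodies start below the hunk. Unless a later hunk adds the field under every `validate:` block, those policies silently change from Enforce to the default behaviour for an absent field; and because the field is now per rule, `two-rules` would need it on both rules, not once. If these policies are mutate-only (the `deferred` tests mostly exercise variable resolution, so that is plausible) the removal is a no-op and correct, but a short mention in the commit message would spare the next reader the same check; the `message-exceeds-1024-characters` hunk shows the complete form of the move for comparison.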
diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/README.md b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/README.md new file mode 100644 index 0000000000..a5f5debf1b --- /dev/null +++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/README.md @@ -0,0 +1,11 @@ +## Description + +This test creates a policy, and a resource. +A `PolicyApplied` event should be created. + +## Steps + +1. - Create a policy + - Assert the policy becomes ready +1. - Create a resource +1. - Asset a `PolicyApplied` event is created diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/chainsaw-test.yaml new file mode 100755 index 0000000000..1ddc8e2f45 --- /dev/null +++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: policy-applied +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: resource.yaml + - name: step-03 + try: + - assert: + file: event-assert.yaml diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/event-assert.yaml b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/event-assert.yaml new file mode 100644 index 0000000000..f66222be12 --- /dev/null +++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/event-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Event +metadata: {} +involvedObject: + apiVersion: kyverno.io/v1 + kind: Policy + name: require-labels +type: Normal +reason: PolicyApplied +reportingComponent: kyverno-admission 
diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy-assert.yaml b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy-assert.yaml new file mode 100644 index 0000000000..bc25d0fdf8 --- /dev/null +++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy.yaml b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy.yaml new file mode 100644 index 0000000000..9ba84f9f23 --- /dev/null +++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: require-labels +spec: + validationFailureAction: Enforce + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - ConfigMap + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/resource.yaml b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/resource.yaml new file mode 100644 index 0000000000..4777dd31fd --- /dev/null +++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/resource.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: foo + labels: + team: kyverno + \ No newline at end of file diff --git a/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml b/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml index 9ba84f9f23..ecc56be5c5 100644 --- a/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml +++ b/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml 
@@ -3,7 +3,6 @@ kind: Policy
 metadata:
 name: require-labels
 spec:
- validationFailureAction: Enforce
 background: false
 rules:
 - name: require-team
@@ -13,6 +12,7 @@ spec:
 kinds:
 - ConfigMap
 validate:
+ validationFailureAction: Enforce
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/README.md b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/README.md
new file mode 100644
index 0000000000..87b6fc1c04
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, and a resource.
+The resource is expected to be rejected.
+A `PolicyViolation` event should be created.
+
+## Steps
+
+1. - Create a policy
+ - Assert the policy becomes ready
+1. - Try to create a resource, expecting the creation to fail
+1. - Asset a `PolicyViolation` event is created
diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/chainsaw-test.yaml
new file mode 100755
index 0000000000..e1131f9b3e
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: policy-violation
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: resource.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: event-assert.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/event-assert.yaml b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/event-assert.yaml
new file mode 100644
index 0000000000..cc0c40b6d5
--- /dev/null
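Review bot: In the `policy-violation-deprecated` chainsaw-test.yaml, step-02 accepts any error (`($error != null): true`), so the fixture also passes if the ConfigMap is rejected for an unrelated reason, such as a webhook timeout or the policy briefly being unready after the deprecated field is processed. Checking the message pins the cause to this policy, e.g. `(contains($error, 'require-labels')): true` or a check for the `is required` text from the rule's `message`. Step-03's `PolicyViolation` event assertion narrows it somewhat, but the apply step is the one that proves enforcement and it should not be satisfiable by an arbitrary failure.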
+++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/event-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Event +metadata: {} +involvedObject: + apiVersion: kyverno.io/v1 + kind: Policy + name: require-labels +type: Warning +reason: PolicyViolation +reportingComponent: kyverno-admission diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy-assert.yaml b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy-assert.yaml new file mode 100644 index 0000000000..bc25d0fdf8 --- /dev/null +++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy.yaml b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy.yaml new file mode 100644 index 0000000000..9ba84f9f23 --- /dev/null +++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: require-labels +spec: + validationFailureAction: Enforce + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - ConfigMap + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/resource.yaml b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/resource.yaml new file mode 100644 index 0000000000..2a4a424bcb --- /dev/null +++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/resource.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: foo 
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml b/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml index 9ba84f9f23..ecc56be5c5 100644 --- a/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml +++ b/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: require-labels spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml index 7e9c5d923d..fbd58e6205 100644 --- a/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml +++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml index c69706f2db..f11840f37b 100644 --- a/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml +++ b/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: psa spec: - validationFailureAction: Enforce background: true rules: - name: restricted @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: v1.25 
diff --git a/test/conformance/chainsaw/exceptions/conditions/policy.yaml b/test/conformance/chainsaw/exceptions/conditions/policy.yaml index 2e66ed1429..e80f7806ce 100644 --- a/test/conformance/chainsaw/exceptions/conditions/policy.yaml +++ b/test/conformance/chainsaw/exceptions/conditions/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: max-containers spec: - validationFailureAction: Enforce background: false rules: - name: max-two-containers @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: "A maximum of 2 containers are allowed inside a Pod." deny: conditions: diff --git a/test/conformance/chainsaw/exceptions/events-creation/policy.yaml b/test/conformance/chainsaw/exceptions/events-creation/policy.yaml index bad86e81b3..ffc0f0b639 100644 --- a/test/conformance/chainsaw/exceptions/events-creation/policy.yaml +++ b/test/conformance/chainsaw/exceptions/events-creation/policy.yaml @@ -23,9 +23,9 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: An image tag is required (:latest is not allowed) pattern: spec: containers: - image: '!*:latest & *:*' - validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml index 70dfebfda1..3e53fb4a66 100644 --- a/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa-1 spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml index 8bf4dedbe8..d30e5216d5 100644 
--- a/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa-3 spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml index f8614b068e..8480491699 100644 --- a/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa-2 spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml index 863539b590..17ddd65449 100644 --- a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml index 8220f00568..d7381d289a 100644 --- a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml 
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml index 863539b590..17ddd65449 100644 --- a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml index 8220f00568..d7381d289a 100644 --- a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml index 8220f00568..d7381d289a 100644 --- a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml 
@@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml index 8220f00568..d7381d289a 100644 --- a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml index 8220f00568..d7381d289a 100644 --- a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml index 863539b590..17ddd65449 100644 --- a/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: 
@@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml index 863539b590..17ddd65449 100644 --- a/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml index 863539b590..17ddd65449 100644 --- a/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml index 8220f00568..d7381d289a 100644 --- a/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest 
diff --git a/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml b/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml index 2e66ed1429..e80f7806ce 100644 --- a/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml +++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: max-containers spec: - validationFailureAction: Enforce background: false rules: - name: max-two-containers @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: "A maximum of 2 containers are allowed inside a Pod." deny: conditions: diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml index 7e9c5d923d..fbd58e6205 100644 --- a/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml +++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml index a8140c18c8..7fb8105163 100644 --- a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml +++ b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml @@ -6,7 +6,6 @@ metadata: pod-policies.kyverno.io/autogen-controllers: none spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -17,6 +16,7 @@ spec: namespaces: - default validate: + validationFailureAction: Enforce podSecurity: level: restricted version: v1.29 
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml index 7e9c5d923d..fbd58e6205 100644 --- a/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml +++ b/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml index 172b3a2037..23661cb3a5 100644 --- a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml +++ b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -19,4 +18,5 @@ spec: name: kyverno namespace: kyverno validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml b/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml index 5a780f0b21..70c4330bcd 100644 --- a/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml +++ b/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -19,4 +18,5 @@ spec: name: '?*' namespace: '?*' validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml index 3f258d6215..6086efceb8 100644 
--- a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml +++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -18,4 +17,5 @@ spec: - kind: User name: not-kubernetes-admin validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml index 6dbdc24a99..050284adcc 100644 --- a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml +++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -18,4 +17,5 @@ spec: - kind: User name: kubernetes-admin validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml index 5320014c97..a4aec00711 100644 --- a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml +++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -18,4 +17,5 @@ spec: - kind: User name: not-?* validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml index b92e77c337..940a88e7a5 100644 --- a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml 
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -18,4 +17,5 @@ spec: - kind: User name: '?*' validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml b/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml index 4968d662ca..77f4c46db1 100644 --- a/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml +++ b/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -17,4 +16,5 @@ spec: name: kyverno namespace: kyverno validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml b/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml index cfe930ca08..aacfdfcc62 100644 --- a/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml +++ b/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -17,4 +16,5 @@ spec: name: '?*' namespace: '?*' validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml index 5a269a41b6..7f8fa49c81 100644 --- a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml +++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod 
@@ -16,4 +15,5 @@ spec: - kind: User name: kubernetes-admin validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml index d4f8b61e2a..58e85612a9 100644 --- a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml +++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -16,4 +15,5 @@ spec: - kind: User name: not-kubernetes-admin validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml index 391727e652..8cf931a8f8 100644 --- a/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml +++ b/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -16,4 +15,5 @@ spec: - kind: User name: '?*' validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml index 5cc4323566..55652de5aa 100644 --- a/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml +++ b/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -16,4 +15,5 @@ spec: - kind: User name: not-?* validate: + validationFailureAction: Enforce deny: {} 
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml b/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml index 9ba84f9f23..ecc56be5c5 100644 --- a/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml +++ b/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: require-labels spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml index 79d3bec1fb..1f71eb0fb5 100644 --- a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml @@ -6,7 +6,6 @@ metadata: pod-policies.kyverno.io/autogen-controllers: none spec: failurePolicy: Fail - validationFailureAction: Enforce background: false rules: - name: require-team @@ -16,6 +15,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: @@ -28,7 +28,6 @@ metadata: name: add-labels spec: failurePolicy: Fail - validationFailureAction: Enforce background: false rules: - name: add-labels diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml index ad83cf9b6e..5406032e7d 100644 --- a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml 
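Review bot: In the `@@ -28,7 +28,6 @@` hunk of `fail-deprecated/policy.yaml` the second ClusterPolicy, `add-labels`, loses its spec-level `validationFailureAction: Enforce` with no rule-level replacement, unlike every other hunk in this diff, which pairs each removal with a matching `validate: validationFailureAction: ...` addition. If `add-labels` is a mutate-only rule the field was inert and the removal is harmless, but if that rule carries a `validate:` block (not visible in the hunk) the policy silently drops from Enforce to whatever the rule-level default is, which is a fail-open change in a fixture that sets `failurePolicy: Fail` precisely to exercise blocking behaviour. The same removal-without-replacement appears in the `@@ -28,7 +28,6 @@` hunk of `force-failure-policy-ignore/cluster-policy/fail/policy.yaml` on the following line. Worth confirming that `add-labels` has no validate rule in both files before merging, or adding the rule-level value where it does.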
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: @@ -28,7 +28,6 @@ kind: ClusterPolicy metadata: name: add-labels spec: - validationFailureAction: Enforce background: false rules: - name: add-labels diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml index c5b4a5dcf9..34e2259a6f 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-ephemeral-containers spec: - validationFailureAction: Enforce background: true rules: - name: block-ephemeral-containers @@ -16,6 +15,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce cel: expressions: - expression: "!has(object.spec.ephemeralContainers)" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml index 65f78e9b8c..4f22c42d51 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t9 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -20,6 +19,7 @@ spec: matchLabels: app: critical validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml index 19387d48fb..8de553d9dc 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t16 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -25,6 +24,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml index 97904eed4b..a356e7fcaa 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml 
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t14 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -29,6 +28,7 @@ spec: names: - "testing" validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml index 893891a1dd..7e2a13086b 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t15 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -29,6 +28,7 @@ spec: names: - "testing" validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml index 1c7b71926e..c5bddb037d 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t13 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -29,6 +28,7 @@ spec: names: - "testing" validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml index e8115feafa..739e55ca82 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t8 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -34,6 +33,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml index 2c3dc0e456..46ba297cbd 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t7 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -25,6 +24,7 @@ spec: values: - connector validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml index bd9e09e469..6045d43043 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app-4 spec: - validationFailureAction: Audit rules: - name: check-label-app match: @@ -18,6 +17,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml index cae60e9593..77febe5d78 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app5 spec: - validationFailureAction: Audit background: false rules: - name: check-label-app @@ -25,6 +24,7 @@ spec: operations: - CREATE validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml index 7c5dcafcfd..cc4e8b5474 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app4 spec: - validationFailureAction: Audit background: false rules: - name: check-label-app @@ -16,6 +15,7 @@ spec: - production - staging validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml index 01665b6be1..193c0e113c 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t4 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -18,6 +17,7 @@ spec: - production - staging validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml index f89223ce60..8ff720b0cc 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t12 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -27,6 +26,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml index 9f96709d9f..74287f4cf4 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t13 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -24,6 +23,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml index 98771ef599..f0f505019e 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app-3 spec: - validationFailureAction: Audit rules: - name: check-label-app match: 
@@ -15,6 +14,7 @@ spec: - "prod-*" - "staging" validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml index a7f82795ef..fc6629d9d2 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app-5 spec: - validationFailureAction: Audit rules: - name: check-label-app match: @@ -15,6 +14,7 @@ spec: - "prod-*" - "staging" validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml index 3a0b12028e..217bacbf46 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t1 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -33,6 +32,7 @@ spec: values: - compute validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml index ba70f77d78..918c37a204 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t2 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -27,6 +26,7 @@ spec: matchLabels: app: normal validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml index 3628adb120..aa18a92659 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t17 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -27,6 +26,7 @@ spec: - testing-ns - staging-ns validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml index e1b5129be2..c4e00860cd 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t10 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -30,6 +29,7 @@ spec: values: - connector validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml index 5c3c08affd..3f08041457 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app2 spec: - validationFailureAction: Audit rules: - name: check-label-app match: @@ -20,6 +19,7 @@ spec: matchLabels: app: critical validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml index e477a4381e..990d96339b 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app1 spec: - validationFailureAction: Audit background: false rules: - name: check-label-app @@ -20,6 +19,7 @@ spec: - kind: User name: John validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml index c1fa1a95b6..98b387d8aa 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t3 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -21,6 +20,7 @@ spec: clusterRoles: - cluster-admin validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml index d5dd4e4b1a..9c6f3fe791 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t5 spec: - validationFailureAction: Audit rules: - name: host-path match: 
@@ -17,6 +16,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml index 9da54abdf3..d27c9ee0ed 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t6 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -26,6 +25,7 @@ spec: names: - app validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml index 200aec435c..f567d67347 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml 
@@ -3,14 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app spec: - validationFailureAction: Audit - validationFailureActionOverrides: - - action: Enforce - namespaces: - - default - - action: Audit - namespaces: - - test rules: - name: check-label-app match: @@ -19,6 +11,14 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit + validationFailureActionOverrides: + - action: Enforce + namespaces: + - default + - action: Audit + namespaces: + - test cel: expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml index 7429ec4cf1..727e20dc17 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-ns-purpose-label spec: - validationFailureAction: Enforce rules: - name: require-ns-purpose-label match: @@ -12,6 +11,7 @@ spec: kinds: - Namespace validate: + validationFailureAction: Enforce message: "You must have label `purpose` with value `production` set on all new namespaces." pattern: metadata: diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml index ad47622478..28b993b06d 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml @@ -3,11 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app1 spec: - validationFailureAction: Audit - validationFailureActionOverrides: - - action: Enforce - namespaces: - - default rules: - name: check-label-app match: @@ -16,6 +11,11 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit + validationFailureActionOverrides: + - action: Enforce + namespaces: + - default message: "The label `app` is required." pattern: metadata: diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/policy.yaml index 8c4e3a2582..9968b557e6 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t11 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -20,6 +19,7 @@ spec: matchLabels: app: critical validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml index 31c1c8adf2..4b9f45cdeb 100755 
--- a/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml +++ b/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-apicall-correct spec: - validationFailureAction: Enforce failurePolicy: Fail rules: - name: main-deployment-exists @@ -25,6 +24,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce deny: conditions: any: diff --git a/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml index bce134a389..8d892bda14 100755 --- a/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml +++ b/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-gctxentry-not-exist spec: - validationFailureAction: Enforce failurePolicy: Fail rules: - name: main-deployment-exists @@ -25,6 +24,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce deny: conditions: any: diff --git a/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml index da32709a9e..68354b6357 100755 --- a/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml +++ b/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-not-ready spec: - validationFailureAction: Enforce failurePolicy: Fail rules: - name: main-deployment-exists @@ -25,6 +24,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce deny: conditions: any: diff --git a/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml index ec2126c4f5..bc0011f2c0 100755 
--- a/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml +++ b/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-resource-correct spec: - validationFailureAction: Enforce failurePolicy: Fail rules: - name: main-deployment-exists @@ -25,6 +24,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce deny: conditions: any: diff --git a/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml index f2ea647526..09d25573ee 100755 --- a/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml +++ b/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-gctx-validate-reference spec: - validationFailureAction: Enforce failurePolicy: Fail rules: - name: main-deployment-exists @@ -24,6 +23,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce deny: conditions: any: diff --git a/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy.yaml b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy.yaml index d94cbeb7f8..8cf1391610 100644 --- a/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy.yaml +++ b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy.yaml @@ -4,7 +4,6 @@ metadata: name: mutate-chain spec: background: false - validationFailureAction: Enforce rules: - name: mutation1 match: diff --git a/test/conformance/chainsaw/mutate/cascading/no-foreach/policy.yaml b/test/conformance/chainsaw/mutate/cascading/no-foreach/policy.yaml index 69baa7b93b..922e47ec72 100644 --- a/test/conformance/chainsaw/mutate/cascading/no-foreach/policy.yaml +++ b/test/conformance/chainsaw/mutate/cascading/no-foreach/policy.yaml 
@@ -4,7 +4,6 @@ metadata: name: mutate-chain spec: background: false - validationFailureAction: Enforce rules: - name: mutation1 match: diff --git a/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy.yaml b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy.yaml index 11d393a9c8..0aa5b47336 100644 --- a/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy.yaml +++ b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy.yaml @@ -4,7 +4,6 @@ metadata: name: mutate-chain spec: background: false - validationFailureAction: Enforce rules: - name: mutation1 match: diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/chainsaw-step-01-apply-1-1.yaml index fc8832cc83..1558296ba2 100755 --- a/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/chainsaw-step-01-apply-1-1.yaml +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/chainsaw-step-01-apply-1-1.yaml @@ -20,4 +20,3 @@ spec: labels: foo: bar name: add-labels - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/chainsaw-step-02-apply-1-1.yaml index c3fd83da31..807ef2aafd 100755 --- a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/chainsaw-step-02-apply-1-1.yaml +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/chainsaw-step-02-apply-1-1.yaml @@ -32,4 +32,3 @@ spec: value: - CREATE - UPDATE - validationFailureAction: Audit 
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml index c81b03bebc..054ecb9880 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: generate spec: - validationFailureAction: Audit admission: false background: true rules: diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml index c32a42c751..37cd9ee095 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml @@ -21,4 +21,3 @@ spec: labels: foo: bar name: mutate - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml index 49e9184d56..5a5b1b122b 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate spec: - validationFailureAction: Audit admission: false background: true rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} 
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml index 84169ccd46..d797d5bc11 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: verify-image spec: - validationFailureAction: Audit admission: false background: true rules: @@ -14,7 +13,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Audit + imageReferences: - "ghcr.io/kyverno/test-verify-image:*" attestors: - entries: diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml index 0370eaa4f7..26703a717f 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: all-disabled spec: - validationFailureAction: Audit admission: false background: false rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml index 1e105b2f9b..a06e1790a9 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Scale validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml index ee896b4535..45434a4b2d 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod/scale validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml index 42f110e636..8ecde3c0e2 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod/* validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml index 1636a5b6ba..dda595fcb0 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml 
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - '*/*' validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml index 0ba57c663b..832a0f11a3 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - '*/status' validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml index 3d67a52e6f..8ab96974fc 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: background-variables-update spec: - validationFailureAction: Audit background: true rules: - name: ns-vars-userinfo @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: The `owner` label is required for all Namespaces. pattern: metadata: 
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml index 90e89fba89..995abd40eb 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: background-variables-update spec: - validationFailureAction: Audit background: false rules: - name: ns-vars-userinfo @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: The `owner` label is required for all Namespaces. pattern: metadata: diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml index 1cddc15c9d..e11c052e64 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny-secret-service-account-token spec: - validationFailureAction: Enforce background: true rules: - name: check-service-account-token @@ -13,6 +12,7 @@ spec: kinds: - Secret validate: + validationFailureAction: Enforce cel: expressions: - message: "long lived API tokens are not allowed" diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml index dc764e125b..92fd8bd417 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-deployment-replicas spec: - validationFailureAction: Enforce background: true rules: - name: check-deployment-replicas @@ -13,6 +12,7 @@ spec: kinds: - Deployment validate: + validationFailureAction: Enforce cel: expressions: - expression: "object.replicas > 1" # should be "object.spec.replicas > 1" diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml index deab31c588..2c0a59573f 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml @@ -14,6 +14,7 @@ spec: - Pod name: test-not-in validate: + validationFailureAction: Enforce deny: conditions: any: @@ -23,4 +24,3 @@ spec: value: - busybox - busybox1 - validationFailureAction: Enforce \ No newline at end of file diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml index ab71537665..2ab30eaee7 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml @@ -14,6 +14,7 @@ spec: - Pod name: test-invalid validate: + validationFailureAction: Enforce deny: conditions: any: @@ -23,4 +24,3 @@ spec: value: - busybox - busybox1 - validationFailureAction: Enforce \ No newline at end of file 
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml index 81d411c59f..8648e1c0e0 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml @@ -4,7 +4,6 @@ metadata: name: psa-1 spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml index a69449e485..0976458856 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml @@ -4,7 +4,6 @@ metadata: name: psa-2 spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml index 2c73d95718..0235e29ebe 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit webhookTimeoutSeconds: -1 rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml index c7510ba423..69eba343d7 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit webhookTimeoutSeconds: 31 rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml index 3f48c1eb06..7061887c51 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit rules: - name: deny match: @@ -12,6 +11,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} webhookConfiguration: timeoutSeconds: -1 diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml index 11a0a39da1..d320e00d98 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml 
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit rules: - name: deny match: @@ -12,6 +11,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} webhookConfiguration: timeoutSeconds: 31 diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml index f69ca35c45..b14f32e885 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-app-label spec: - validationFailureAction: Enforce background: false rules: - name: require-app-label @@ -14,6 +13,7 @@ spec: - Pod - Deployment validate: + validationFailureAction: Enforce message: Pod must include the 'app=my-app' label pattern: metadata: diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/chainsaw-step-01-apply-1.yaml index 61ca7890c7..093577340c 100755 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/chainsaw-step-01-apply-1.yaml @@ -38,4 +38,3 @@ spec: - key: '{{ request.object.spec.scope }}' operator: Equals value: Namespaced - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1.yaml index 1904697dc9..bfd61ec25e 100644 
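Review bot: The spec-level `validationFailureAction: Audit` dropped at the end of schema-validation-crd/chainsaw-step-01-apply-1.yaml is the one removal in this change that gets no rule-level replacement, so that rule's failure action now falls back to whatever the default is. That is a no-op only if the default is Audit; if it is not, or is changed later, this fixture switches mode silently. The `key`/`operator`/`value` lines in the hunk look like a `deny` condition of a validate rule, but the rule's `validate:` key is outside the hunk, so I cannot confirm its shape; if it is a validate rule it should carry `validationFailureAction: Audit` under `validate:` like the other fixtures in this change, so the intended mode stays explicit.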
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1.yaml @@ -6,7 +6,6 @@ metadata: policies.kyverno.io/title: Inject vault init Container spec: background: false - validationFailureAction: Audit rules: - name: inject-vault-sidecar match: diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-mutate.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-mutate.yaml index d12a8e299b..3046756490 100644 --- a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-mutate.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-mutate.yaml @@ -22,4 +22,3 @@ spec: labels: foo: bar name: mutate - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml index 8a334b28d6..b8a4fc6c5f 100644 --- a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: validate spec: - validationFailureAction: Audit admission: false background: true rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml index 10f32ee1e1..532c65b17e 100644 --- a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml 
@@ -3,7 +3,6 @@ kind: Policy metadata: name: verify-image spec: - validationFailureAction: Audit admission: false background: true rules: @@ -14,7 +13,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Audit + imageReferences: - "ghcr.io/kyverno/test-verify-image:*" attestors: - entries: diff --git a/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml index 207a93769b..5d975e9e32 100644 --- a/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: all-disabled spec: - validationFailureAction: Audit admission: false background: false rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml index 34b13f1639..4691296bf6 100644 --- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Scale validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml index 8be60c2d65..541eb45edf 100644 --- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml 
@@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod/scale validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml index 1a30fa8798..9d027cbc45 100644 --- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod/* validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml index ca34bbbf1d..e311f15fb8 100644 --- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - '*/*' validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml index 33e9a6611b..333c711ffa 100644 --- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml 
@@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - '*/status' validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml index 87d62b44d9..bddc817a9d 100644 --- a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit webhookTimeoutSeconds: -1 rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml index 3200c841f2..ddd8d604c8 100644 --- a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit webhookTimeoutSeconds: 31 rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/rangeoperators/standard/policy.yaml b/test/conformance/chainsaw/rangeoperators/standard/policy.yaml index 488b2f9023..c7d0abd79d 100644 --- a/test/conformance/chainsaw/rangeoperators/standard/policy.yaml +++ b/test/conformance/chainsaw/rangeoperators/standard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-value spec: - validationFailureAction: Enforce rules: - name: check-value match: 
@@ -12,6 +11,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: "All data values must be in the specified range." pattern: data: diff --git a/test/conformance/chainsaw/reports/admission/exception/policy.yaml b/test/conformance/chainsaw/reports/admission/exception/policy.yaml index 401eadbcf5..fb7a312720 100644 --- a/test/conformance/chainsaw/reports/admission/exception/policy.yaml +++ b/test/conformance/chainsaw/reports/admission/exception/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: Enforce background: true rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml b/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml index 16f853fdeb..e842dd0fb7 100644 --- a/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml +++ b/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml @@ -7,7 +7,6 @@ metadata: spec: background: false mutateExistingOnPolicyUpdate: false - validationFailureAction: Audit rules: - name: test-audit-reports-namespacesselector match: @@ -20,6 +19,7 @@ spec: - key: org operator: Exists validate: + validationFailureAction: Audit pattern: metadata: annotations: diff --git a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml index 4443bd68be..f31c092067 100755 --- a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml 
@@ -12,9 +12,9 @@ spec: - Namespace name: check-owner validate: + validationFailureAction: Audit message: The `owner` label is required for all Namespaces. pattern: metadata: labels: owner: ?* - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/README.md b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/README.md new file mode 100644 index 0000000000..5f5ca4c5b3 --- /dev/null +++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/README.md @@ -0,0 +1,23 @@ +## Description + +This test ensures that a policy with two rules with different modes is applied correctly on resources and reports are successfully created. + +## Expected Behavior + +1. Create a policy that has two rules: + - The first rule is `require-ns-purpose-label` in the `Enforce` mode that requires the `purpose` label to be set on namespaces. + - The second rule is `require-ns-env-label` in the `Audit` mode that requires the `environment` field to be set on namespaces. + +2. Create a `good-ns-1` namespace that has the `purpose` label. It is expected that the namespace will be created successfully. + +3. Create a `good-ns-2` namespace that has both the `purpose` and `environment` labels. It is expected that the namespace will be created successfully. + +4. Create a `bad-ns-1` namespace that doesn't have the `purpose` label. It is expected that the namespace will be blocked with a message reporting the violation of the `require-ns-purpose-label` rule. + +5. Create a `bad-ns-2` namespace that doesn't have any labels. It is expected that the namespace will be blocked with messages reporting the violations of both rules. + +6. Two ClusterPolicyReports will be created for each of the `good-ns-1` and `good-ns-2` namespaces. + +## Reference Issue(s) + +#10682 
diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/bad-resources.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/bad-resources.yaml
new file mode 100644
index 0000000000..8284996c73
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/bad-resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-ns-1
+ labels:
+ environment: production
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/chainsaw-test.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/chainsaw-test.yaml
new file mode 100644
index 0000000000..c2695c338e
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/chainsaw-test.yaml
@@ -0,0 +1,34 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: two-rules-with-different-modes
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: good-resources.yaml
+ - name: step-03
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resources.yaml
+ - name: step-04
+ try:
+ - sleep:
+ duration: 5s
+ - name: step-05
+ try:
+ - assert:
+ file: reports-assert.yaml
+ - error:
+ file: reports-error.yaml
diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/good-resources.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/good-resources.yaml
new file mode 100644
index 0000000000..487bdbed17
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/good-resources.yaml
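Review bot: The step-03 check `($error != null): true` in chainsaw-test.yaml only proves that applying bad-resources.yaml failed for some reason; it does not prove the request was denied by the `require-ns-purpose-label` Enforce rule, so a webhook timeout or any other API-server error would pass the step just the same. Tightening it to the denial text, e.g. `(contains($error, 'require-ns-purpose-label')): true`, pins the block to the Enforce rule, assuming chainsaw exposes the apply error to JMESPath as a string, which I believe it does. The fixed `duration: 5s` in step-04 also deserves a comment, since its purpose is to give the report controller time to (wrongly) create reports for the blocked namespaces before the `error` check in step-05 asserts their absence: `# wait so a mistakenly created report for bad-ns-* would be visible to the error check below`.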
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: good-ns-1
+ labels:
+ purpose: production
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: good-ns-2
+ labels:
+ purpose: production
+ environment: production
diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy-assert.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy-assert.yaml
new file mode 100644
index 0000000000..3d14b530d7
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-ns-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy.yaml
new file mode 100644
index 0000000000..0706a5b3dd
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-ns-labels
+spec:
+ rules:
+ - name: require-ns-purpose-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ validationFailureAction: Enforce
+ message: "You must have label `purpose` with value `production` set on all new namespaces."
+ pattern:
+ metadata:
+ labels:
+ purpose: production
+ - name: require-ns-env-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ validationFailureAction: Audit
+ message: "You must have label `environment` with value `production` set on all new namespaces."
+ pattern:
+ metadata:
+ labels:
+ environment: production
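Review bot: The `check-ns-labels` policy for the admission test does not set `background`, so if background scanning is enabled by default the reports asserted for good-ns-1 and good-ns-2 in step-05 could be produced by the background controller rather than by admission, and a regression in admission-time reporting would go unnoticed. Adding `background: false` under `spec:` makes those reports attributable to admission only, which is what a `reports/admission` test is meant to verify; the namespaceselector fixture elsewhere in this change already does this. The two rules also repeat an identical `match` block, which is fine for a fixture, but a short comment such as `# both rules deliberately target every Namespace; only their failure actions differ` would state the intent.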
diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-assert.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-assert.yaml new file mode 100644 index 0000000000..e74e9b1c42 --- /dev/null +++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-assert.yaml @@ -0,0 +1,66 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: good-ns-1 +results: +- message: 'validation error: You must have label `environment` with value `production` + set on all new namespaces. rule require-ns-env-label failed at path /metadata/labels/environment/' + policy: check-ns-labels + result: fail + rule: require-ns-env-label + scored: true + source: kyverno +- message: validation rule 'require-ns-purpose-label' passed. + policy: check-ns-labels + result: pass + rule: require-ns-purpose-label + scored: true + source: kyverno +scope: + apiVersion: v1 + kind: Namespace + name: good-ns-1 +summary: + error: 0 + fail: 1 + pass: 1 + skip: 0 + warn: 0 +--- +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: good-ns-2 +results: +- message: validation rule 'require-ns-env-label' passed. + policy: check-ns-labels + result: pass + rule: require-ns-env-label + scored: true + source: kyverno +- message: validation rule 'require-ns-purpose-label' passed. + policy: check-ns-labels + result: pass + rule: require-ns-purpose-label + scored: true + source: kyverno +scope: + apiVersion: v1 + kind: Namespace + name: good-ns-2 +summary: + error: 0 + fail: 0 + pass: 2 + skip: 0 + warn: 0 
diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-error.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-error.yaml new file mode 100644 index 0000000000..4e4e1b87dd --- /dev/null +++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-error.yaml @@ -0,0 +1,15 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: bad-ns-1 +--- +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: bad-ns-2 diff --git a/test/conformance/chainsaw/reports/admission/update/policy.yaml b/test/conformance/chainsaw/reports/admission/update/policy.yaml index e296c0d44a..7045fdb916 100644 --- a/test/conformance/chainsaw/reports/admission/update/policy.yaml +++ b/test/conformance/chainsaw/reports/admission/update/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit background: true rules: - name: validate-image-tag-pod @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: "Using a mutable image tag e.g. 'latest' is not allowed." pattern: spec: diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml b/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml index 04610644da..cf0ea015f0 100644 --- a/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml +++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-deployment-replicas spec: - validationFailureAction: Enforce background: true rules: - name: check-deployment-replicas 
@@ -13,6 +12,7 @@ spec: kinds: - Deployment validate: + validationFailureAction: Enforce message: "Deployment should have at most 1 replica" deny: conditions: diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml index e2db6ec9b0..9042705636 100644 --- a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml +++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml @@ -6,7 +6,6 @@ metadata: pod-policies.kyverno.io/autogen-controllers: none spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -15,6 +14,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/reports/background/exception/policy.yaml b/test/conformance/chainsaw/reports/background/exception/policy.yaml index 3fcd7b2fe5..f7602782bb 100644 --- a/test/conformance/chainsaw/reports/background/exception/policy.yaml +++ b/test/conformance/chainsaw/reports/background/exception/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: Enforce admission: false background: true rules: @@ -14,6 +13,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml b/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml index a823bc1720..4cede2a123 100644 --- a/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml +++ b/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml 
@@ -13,7 +13,7 @@ spec: - Pod name: restricted validate: + validationFailureAction: Audit podSecurity: level: restricted version: latest - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml index f1332d1189..58d9e83ff0 100644 --- a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml +++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml @@ -12,10 +12,10 @@ spec: - Pod name: restricted validate: + validationFailureAction: Audit podSecurity: level: restricted version: latest - validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml index 074dd3e883..67776cbd45 100644 --- a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml +++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml @@ -18,7 +18,6 @@ metadata: restricted profile through the latest version of the Pod Security Standards cluster wide. spec: background: true - validationFailureAction: Audit rules: - name: restricted match: @@ -27,6 +26,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit podSecurity: level: restricted version: latest \ No newline at end of file diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/README.md b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/README.md new file mode 100644 index 0000000000..9307737189 --- /dev/null +++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/README.md 
@@ -0,0 +1,23 @@
+## Description
+
+This test ensures that reports are generated as a result of background scanning when a policy with two rules with different modes is applied on resources.
+
+## Expected Behavior
+
+1. Create a `good-ns-1` namespace that has the `purpose` label.
+
+2. Create a `good-ns-2` namespace that has both the `purpose` and `environment` labels.
+
+3. Create a `bad-ns-1` namespace that doesn't have the `purpose` label.
+
+4. Create a `bad-ns-2` namespace that doesn't have any labels.
+
+5. Create a policy that has two rules:
+ - The first rule is `require-ns-purpose-label` in the `Enforce` mode that requires the `purpose` label to be set on namespaces.
+ - The second rule is `require-ns-env-label` in the `Audit` mode that requires the `environment` field to be set on namespaces.
+
+6. Four ClusterPolicyReports will be created for each of the `good-ns-1`, `good-ns-2`, `bad-ns-1`, and `bad-ns-2` namespaces.
+
+## Reference Issue(s)
+
+#10682
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/bad-resources.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/bad-resources.yaml
new file mode 100644
index 0000000000..8284996c73
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/bad-resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-ns-1
+ labels:
+ environment: production
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/chainsaw-test.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/chainsaw-test.yaml
new file mode 100644
index 0000000000..12232dc331
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/chainsaw-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: two-rules-with-different-modes
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: good-resources.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: bad-resources.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-04
+ try:
+ - sleep:
+ duration: 10s
+ - name: step-05
+ try:
+ - assert:
+ file: reports-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/good-resources.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/good-resources.yaml
new file mode 100644
index 0000000000..487bdbed17
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/good-resources.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: good-ns-1
+ labels:
+ purpose: production
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: good-ns-2
+ labels:
+ purpose: production
+ environment: production
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy-assert.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy-assert.yaml
new file mode 100644
index 0000000000..3d14b530d7
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-ns-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy.yaml
new file mode 100644
index 0000000000..0706a5b3dd
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-ns-labels
+spec:
+ rules:
+ - name: require-ns-purpose-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ validationFailureAction: Enforce
+ message: "You must have label `purpose` with value `production` set on all new namespaces."
+ pattern:
+ metadata:
+ labels:
+ purpose: production
+ - name: require-ns-env-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ validationFailureAction: Audit
+ message: "You must have label `environment` with value `production` set on all new namespaces."
+ pattern:
+ metadata:
+ labels:
+ environment: production
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/reports-assert.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/reports-assert.yaml
new file mode 100644
index 0000000000..b2c44435b1
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/reports-assert.yaml
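Review bot: The background test's `check-ns-labels` policy relies on background scanning to evaluate the four namespaces that already exist when it is applied, yet `spec` does not set `background` explicitly, so the test's outcome depends on the default value. If that default changes, or a cluster overrides it, step-05 would fail for a reason unrelated to what this test covers; `background: true` under `spec:` states the dependency and matches the other `reports/background` fixtures in this change (exception/policy.yaml, test-report-background-mode/policy.yaml) that set it. The file is otherwise byte-identical to the admission variant, so a one-line header comment noting that this copy is exercised only via background scan would help the next reader tell them apart.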
@@ -0,0 +1,123 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: good-ns-1 +results: +- policy: check-ns-labels + result: fail + rule: require-ns-env-label + scored: true + source: kyverno +- policy: check-ns-labels + result: pass + rule: require-ns-purpose-label + scored: true + source: kyverno +scope: + apiVersion: v1 + kind: Namespace + name: good-ns-1 +summary: + error: 0 + fail: 1 + pass: 1 + skip: 0 + warn: 0 +--- +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: good-ns-2 +results: +- policy: check-ns-labels + result: pass + rule: require-ns-env-label + scored: true + source: kyverno +- policy: check-ns-labels + result: pass + rule: require-ns-purpose-label + scored: true + source: kyverno +scope: + apiVersion: v1 + kind: Namespace + name: good-ns-2 +summary: + error: 0 + fail: 0 + pass: 2 + skip: 0 + warn: 0 +--- +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: bad-ns-1 +results: +- policy: check-ns-labels + result: pass + rule: require-ns-env-label + scored: true + source: kyverno +- policy: check-ns-labels + result: fail + rule: require-ns-purpose-label + scored: true + source: kyverno +scope: + apiVersion: v1 + kind: Namespace + name: bad-ns-1 +summary: + error: 0 + fail: 1 + pass: 1 + skip: 0 + warn: 0 +--- +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: bad-ns-2 +results: +- policy: check-ns-labels + result: fail + rule: require-ns-env-label + scored: true + source: kyverno +- policy: check-ns-labels 
+ result: fail + rule: require-ns-purpose-label + scored: true + source: kyverno +scope: + apiVersion: v1 + kind: Namespace + name: bad-ns-2 +summary: + error: 0 + fail: 2 + pass: 0 + skip: 0 + warn: 0 \ No newline at end of file diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml b/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml index 3831d9ced5..ba04cc6f5c 100644 --- a/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml +++ b/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: keyed-basic-policy spec: - validationFailureAction: Audit background: true webhookTimeoutSeconds: 30 rules: @@ -14,7 +13,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Audit + imageReferences: - ghcr.io/kyverno/test-verify-image:* verifyDigest: false mutateDigest: false diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml b/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml index a0c6b904c8..0c15e58bde 100644 --- a/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml +++ b/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: keyed-basic-policy spec: - validationFailureAction: Audit background: true webhookTimeoutSeconds: 30 rules: @@ -14,7 +13,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Audit + imageReferences: - ghcr.io/kyverno/test-verify-image:* verifyDigest: false mutateDigest: false diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/README.md new file mode 100644 index 0000000000..2a7544c821 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/README.md @@ -0,0 +1,21 @@ +## Description + +This test ensures that a policy with two rules; one of which doesn't specify the `ValidationFailureAction` field, and the other specifies the `ValidationFailureAction` field, works as expected. The rule which don't specify the action should use the default action in `spec.ValidationFailureAction`. + +## Expected Behavior + +1. Create a policy that has two rules: + - The first rule is `require-ns-purpose-label` in the `Enforce` mode that requires the `purpose` label to be set on namespaces. + - The second rule is `require-ns-env-label` requires the `environment` field to be set on namespaces and doesn't specify the `ValidationFailureAction` field. + +2. Create a `good-ns-1` namespace that has the `purpose` label. It is expected that the namespace will be created successfully. + +3. Create a `good-ns-2` namespace that has both the `purpose` and `environment` labels. It is expected that the namespace will be created successfully. + +4. Create a `bad-ns-1` namespace that doesn't have the `purpose` label. It is expected that the namespace will be blocked with a message reporting the violation of the `require-ns-purpose-label` rule. + +5. Create a `bad-ns-2` namespace that doesn't have any labels. It is expected that the namespace will be blocked with messages reporting the violations of both rules. + +## Reference Issue(s) + +#10682 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/bad-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/bad-resources.yaml new file mode 100644 index 0000000000..8284996c73 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/bad-resources.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bad-ns-1 + labels: + environment: production +--- +apiVersion: v1 +kind: Namespace +metadata: + name: bad-ns-2 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/chainsaw-test.yaml new file mode 100644 index 0000000000..32fb2f26a2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: different-configuration-for-actions +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: good-resources.yaml + - name: step-03 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-resources.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/good-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/good-resources.yaml new file mode 100644 index 0000000000..487bdbed17 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/good-resources.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: good-ns-1 + labels: + purpose: production +--- +apiVersion: v1 +kind: Namespace +metadata: + name: good-ns-2 + labels: + purpose: production + environment: production 
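Review bot: The different-configuration-for-actions chainsaw-test.yaml never checks that the rule inheriting `spec.validationFailureAction: Audit` (require-ns-env-label) was actually evaluated; step-02 succeeding only shows good-ns-1 was not blocked, which is also what a rule that was silently skipped would produce. The sibling two-rules-with-different-action test added in this commit asserts a PolicyViolation event with `action: Resource Passed` for good-ns-1, and mirroring that here would pin the inheritance behaviour the README describes rather than only the Enforce path. A fourth step plus an events-assert.yaml modelled on that sibling's good-ns-1 event would do it.
```yaml
# … unchanged: steps step-01 to step-03 …
  - name: step-04
    try:
    - assert:
        file: events-assert.yaml
---
# events-assert.yaml (new file): the inherited Audit rule must report, not block
apiVersion: v1
kind: Event
metadata:
  namespace: default
involvedObject:
  apiVersion: kyverno.io/v1
  kind: ClusterPolicy
  name: check-ns-labels
reason: PolicyViolation
related:
  apiVersion: v1
  kind: Namespace
  name: good-ns-1
reportingComponent: kyverno-admission
type: Warning
action: Resource Passed
```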
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy-assert.yaml new file mode 100644 index 0000000000..3d14b530d7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-ns-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy.yaml new file mode 100644 index 0000000000..bebcb945a3 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy.yaml @@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-ns-labels +spec: + validationFailureAction: Audit + rules: + - name: require-ns-purpose-label + match: + any: + - resources: + kinds: + - Namespace + validate: + validationFailureAction: Enforce + message: "You must have label `purpose` with value `production` set on all new namespaces." + pattern: + metadata: + labels: + purpose: production + - name: require-ns-env-label + match: + any: + - resources: + kinds: + - Namespace + validate: + message: "You must have label `environment` with value `production` set on all new namespaces." + pattern: + metadata: + labels: + environment: production diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml index a8140c18c8..7fb8105163 100644 
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml @@ -6,7 +6,6 @@ metadata: pod-policies.kyverno.io/autogen-controllers: none spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -17,6 +16,7 @@ spec: namespaces: - default validate: + validationFailureAction: Enforce podSecurity: level: restricted version: v1.29 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/README.md new file mode 100644 index 0000000000..43892dea23 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/README.md 
@@ -0,0 +1,21 @@ +## Description + +This test ensures that a policy with two rules with different modes is applied correctly on resources. + +## Expected Behavior + +1. Create a policy that has two rules: + - The first rule is `require-ns-purpose-label` in the `Enforce` mode that requires the `purpose` label to be set on namespaces. + - The second rule is `require-ns-env-label` in the `Audit` mode that requires the `environment` field to be set on namespaces. + +2. Create a `good-ns-1` namespace that has the `purpose` label. It is expected that the namespace will be created successfully. + +3. Create a `good-ns-2` namespace that has both the `purpose` and `environment` labels. It is expected that the namespace will be created successfully. + +4. Create a `bad-ns-1` namespace that doesn't have the `purpose` label. It is expected that the namespace will be blocked with a message reporting the violation of the `require-ns-purpose-label` rule. + +5. Create a `bad-ns-2` namespace that doesn't have any labels. It is expected that the namespace will be blocked with messages reporting the violations of both rules. + +## Reference Issue(s) + +#10682 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/bad-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/bad-resources.yaml new file mode 100644 index 0000000000..8284996c73 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/bad-resources.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bad-ns-1 + labels: + environment: production +--- +apiVersion: v1 +kind: Namespace +metadata: + name: bad-ns-2 \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/chainsaw-test.yaml new file mode 100644 index 0000000000..f5c34cbf49 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/chainsaw-test.yaml @@ -0,0 +1,28 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: two-rules-with-different-action +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: good-resources.yaml + - name: step-03 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-resources.yaml + - name: step-04 + try: + - assert: + file: events-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/events-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/events-assert.yaml new file mode 100644 index 0000000000..033ad9e418 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/events-assert.yaml 
@@ -0,0 +1,77 @@ +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-ns-labels +message: 'Namespace good-ns-1: [require-ns-env-label] fail; validation error: You + must have label `environment` with value `production` set on all new namespaces. + rule require-ns-env-label failed at path /metadata/labels/environment/' +reason: PolicyViolation +related: + apiVersion: v1 + kind: Namespace + name: good-ns-1 +reportingComponent: kyverno-admission +type: Warning +action: Resource Passed +--- +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-ns-labels +message: 'Namespace good-ns-2: pass' +reason: PolicyApplied +related: + apiVersion: v1 + kind: Namespace + name: good-ns-2 +reportingComponent: kyverno-admission +type: Normal +action: Resource Passed +--- +apiVersion: v1 +kind: Event +metadata: + namespace: default +message: 'Namespace bad-ns-1: [require-ns-purpose-label] fail (blocked); validation + error: You must have label `purpose` with value `production` set on all new namespaces. + rule require-ns-purpose-label failed at path /metadata/labels/purpose/' +reason: PolicyViolation +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-ns-labels +related: + apiVersion: v1 + kind: Namespace + name: bad-ns-1 +reportingComponent: kyverno-admission +type: Warning +action: Resource Blocked +--- +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-ns-labels +message: 'Namespace bad-ns-2: [require-ns-purpose-label] fail (blocked); validation + error: You must have label `purpose` with value `production` set on all new namespaces. 
+ rule require-ns-purpose-label failed at path /metadata/labels/purpose/' +reason: PolicyViolation +related: + apiVersion: v1 + kind: Namespace + name: bad-ns-2 +reportingComponent: kyverno-admission +type: Warning +action: Resource Blocked diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/good-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/good-resources.yaml new file mode 100644 index 0000000000..487bdbed17 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/good-resources.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: good-ns-1 + labels: + purpose: production +--- +apiVersion: v1 +kind: Namespace +metadata: + name: good-ns-2 + labels: + purpose: production + environment: production diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy-assert.yaml new file mode 100644 index 0000000000..3d14b530d7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-ns-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy.yaml new file mode 100644 index 0000000000..0706a5b3dd --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy.yaml 
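Review bot: The bad-ns-2 Event asserted at the end of events-assert.yaml reports only `[require-ns-purpose-label] fail (blocked)`, while the README added in the same commit (step 5) says bad-ns-2 is blocked "with messages reporting the violations of both rules". One of the two should be aligned: if the Audit-mode require-ns-env-label failure on bad-ns-2 is also expected to surface, add an assertion for it; otherwise the README should say that only the Enforce rule appears in the block message. Note that a chainsaw `assert` only checks that a matching Event exists, so an unexpected extra event for the Audit rule would not be caught by this file as written.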
@@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-ns-labels +spec: + rules: + - name: require-ns-purpose-label + match: + any: + - resources: + kinds: + - Namespace + validate: + validationFailureAction: Enforce + message: "You must have label `purpose` with value `production` set on all new namespaces." + pattern: + metadata: + labels: + purpose: production + - name: require-ns-env-label + match: + any: + - resources: + kinds: + - Namespace + validate: + validationFailureAction: Audit + message: "You must have label `environment` with value `production` set on all new namespaces." + pattern: + metadata: + labels: + environment: production diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml index 6f0075b777..027cd88fd7 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: restrict-operations-on-pod spec: - validationFailureAction: Enforce background: true rules: - name: rule-1 @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce cel: expressions: - expression: "false" diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml index b0a27bf77d..1123785487 100644 --- a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate-yaml spec: - validationFailureAction: Enforce background: false rules: - name: validate-yaml @@ -13,6 +12,7 @@ spec: kinds: - Service validate: + validationFailureAction: Enforce manifests: attestors: - entries: 
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml index 755b343c29..f670b248ee 100644 --- a/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml +++ b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate-yaml spec: - validationFailureAction: Enforce background: false rules: - name: validate-yaml @@ -13,6 +12,7 @@ spec: kinds: - Service validate: + validationFailureAction: Enforce manifests: attestors: - count: 1 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml index 53b79ca173..f710f0d678 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml @@ -33,6 +33,7 @@ spec: mutateDigest: true required: true verifyDigest: true + validationFailureAction: Enforce - match: any: - resources: @@ -59,5 +60,5 @@ spec: mutateDigest: false required: true verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml index d361ec52cc..d25a23bafb 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml 
@@ -32,4 +32,4 @@ spec: verifyImages: - image: '*' key: '{{ keys.data.org }}' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml index 1d64382014..290d302bf0 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml @@ -35,5 +35,5 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml index 2b70672960..09c10a0cf0 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml @@ -33,5 +33,5 @@ spec: ignoreTlog: true ctlog: ignoreSCT: true - validationFailureAction: Audit + validationFailureAction: Audit webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml index 10a3818996..1fd9619da0 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml @@ -32,7 +32,7 @@ spec: ignoreTlog: true ctlog: ignoreSCT: true - validationFailureAction: Audit + validationFailureAction: Audit webhookConfiguration: timeoutSeconds: 30 failurePolicy: Ignore diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml index b5e0e3fc41..297f6abd04 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml @@ -38,5 +38,5 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml index a0d1272bb1..32e4143504 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml @@ -32,4 +32,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml index b45ba79cb9..ade1c0c0fa 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml @@ -29,4 +29,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml index 2e89d77ee3..a8d05d48cc 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml @@ -29,4 +29,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml index 942cc6a542..c6c8040c5a 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml @@ -32,5 +32,5 @@ spec: url: https://rekor.sigstore.dev imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml index 727c09b992..a4fefc67bd 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml @@ -26,5 +26,5 @@ spec: url: https://rekor.sigstore.dev imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml index 6b92c397bd..5f39ff9cc5 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml @@ -27,5 +27,5 @@ spec: imageReferences: - ghcr.io/kyverno/test-verify-image:* cosignOCI11: true - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml index 3ac61b2c92..093e05501e 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml @@ -24,5 +24,5 @@ spec: namespace: test-verify-images imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml index ca1f24ce90..7e6de3d289 100755 
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml @@ -70,5 +70,5 @@ spec: -----END CERTIFICATE----- imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml index 8d65e30c39..5f1a1f046c 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml @@ -6,7 +6,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Enforce webhookTimeoutSeconds: 30 background: false rules: @@ -17,7 +16,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Enforce + imageReferences: - "ghcr.io/chipzoller/zulu*" attestations: - type: https://slsa.dev/provenance/v0.2 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml index f74d62ee3e..556dd79837 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml 
@@ -33,5 +33,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml index 5fffbaf808..84fbaaa191 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml @@ -33,5 +33,5 @@ spec: predicateType: cosign.sigstore.dev/attestation/vuln/v1 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml index b820b47535..24507344a3 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml @@ -33,5 +33,5 @@ spec: predicateType: cosign.sigstore.dev/attestation/vuln/v1 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml index cf3307f818..4b3ebbe47b 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml @@ -24,4 +24,4 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml index 05dfa87385..a938c04972 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml @@ -41,5 +41,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml index a0d23659dd..e74fc35f06 100755 
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml @@ -41,5 +41,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml index 6918b9e0cc..e8e6896d04 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml @@ -40,5 +40,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml index 450d4c7034..87ea8d8d6a 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml 
@@ -6,7 +6,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Enforce webhookTimeoutSeconds: 30 background: false rules: @@ -17,7 +16,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Enforce + imageReferences: - "ghcr.io/chipzoller/zulu:*" attestors: - count: 1 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml index 64ab6c3f3c..2e8ecfa4f0 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml @@ -25,5 +25,5 @@ spec: mutateDigest: true required: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml index c64414d589..11666a4f0b 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml @@ -25,5 +25,5 @@ spec: mutateDigest: false required: false verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml index 661d6f37e4..ceae286036 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml @@ -25,5 +25,5 @@ spec: mutateDigest: false required: true verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml index ad51cf2127..70e90579c7 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml @@ -16,5 +16,5 @@ spec: mutateDigest: true required: false verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml index f2180b171a..07c493fee3 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml @@ -28,5 +28,5 @@ spec: - entries: - keys: publicKeys: '{{myconfigmap.data.configmapkey}}' - validationFailureAction: Audit + validationFailureAction: Audit webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml index ac01c744bb..20e86fc643 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml @@ -28,5 +28,5 @@ spec: - entries: - keys: publicKeys: '{{myconfigmap1.data.configmapkey}}' - validationFailureAction: Audit + validationFailureAction: Audit webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml index b0431c4fde..fefc197b9c 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml @@ -16,5 +16,5 @@ spec: mutateDigest: false required: false verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml index 7109213e24..a704bde92c 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml @@ -36,7 +36,6 @@ kind: ClusterPolicy metadata: name: check-image-attestation spec: - validationFailureAction: Enforce webhookTimeoutSeconds: 30 failurePolicy: Fail rules: @@ -52,7 +51,8 @@ spec: name: keys namespace: notary-verify-attestation verifyImages: - - type: Notary + - validationFailureAction: Enforce + type: Notary imageReferences: - "ghcr.io/kyverno/test-verify-image*" attestations: diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml index 0ec78cbc37..0fd56037c6 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml @@ -28,5 +28,5 @@ spec: secrets: - regcred type: Notary - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml index 05d6d6311c..2bd389216e 100644 
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml @@ -36,7 +36,6 @@ kind: ClusterPolicy metadata: name: check-image-notary spec: - validationFailureAction: Enforce webhookTimeoutSeconds: 30 failurePolicy: Fail rules: @@ -55,6 +54,7 @@ spec: - type: Notary imageReferences: - "ghcr.io/kyverno/test-verify-image*" + validationFailureAction: Enforce attestors: - count: 1 entries: diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml index 297fdbfaae..9de539b70f 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml @@ -8,7 +8,6 @@ kind: ClusterPolicy metadata: name: check-image spec: - validationFailureAction: Enforce background: false webhookTimeoutSeconds: 30 failurePolicy: Fail @@ -22,6 +21,7 @@ spec: verifyImages: - imageReferences: - "ghcr.io/kyverno*" + validationFailureAction: Enforce attestors: - count: 1 entries: diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml index 339878346c..cf20a2047d 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml @@ -36,7 +36,6 @@ kind: ClusterPolicy metadata: name: verify-exclude-refs spec: - validationFailureAction: Enforce webhookTimeoutSeconds: 30 failurePolicy: Fail rules: 
@@ -57,6 +56,7 @@ spec: - "ghcr.io/*" skipImageReferences: - "ghcr.io/chipzoller*" + validationFailureAction: Enforce attestors: - count: 1 entries: diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml index 5a23716568..e86b47e359 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml @@ -27,5 +27,5 @@ spec: mutateDigest: false required: true verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml index c74f309ac3..7bb7cd78d3 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml @@ -6,7 +6,6 @@ spec: background: true failurePolicy: Fail webhookTimeoutSeconds: 30 - validationFailureAction: Audit rules: - match: any: @@ -30,6 +29,7 @@ spec: - ghcr.io/kyverno/test-verify-image:* mutateDigest: false verifyDigest: false + validationFailureAction: Audit - name: require-ns-purpose-label match: any: @@ -37,6 +37,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: "You must have label `purpose` with value `production` set on all new namespaces." pattern: metadata: 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml index ae90f26f5f..e4b58c1710 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml @@ -6,7 +6,6 @@ spec: background: true failurePolicy: Fail webhookTimeoutSeconds: 30 - validationFailureAction: Audit rules: - match: any: @@ -30,4 +29,5 @@ spec: - ghcr.io/kyverno/test-verify-image:* mutateDigest: false verifyDigest: false + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml index ae90f26f5f..e4b58c1710 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml @@ -6,7 +6,6 @@ spec: background: true failurePolicy: Fail webhookTimeoutSeconds: 30 - validationFailureAction: Audit rules: - match: any: @@ -30,4 +29,5 @@ spec: - ghcr.io/kyverno/test-verify-image:* mutateDigest: false verifyDigest: false + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml index 723b37a455..a839c04935 100644 --- a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml 
+++ b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml @@ -22,6 +22,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Enforce message: An image tag is required pattern: spec: @@ -34,10 +35,10 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce failurePolicy: Ignore \ No newline at end of file diff --git a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml index 178f3d5935..77ae41595e 100644 --- a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml +++ b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml @@ -22,6 +22,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Enforce message: An image tag is required pattern: spec: @@ -34,10 +35,10 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce failurePolicy: Ignore \ No newline at end of file diff --git a/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml b/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml index 507f8e063a..ddf7ecebcd 100644 --- a/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml +++ b/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml @@ -19,6 +19,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Enforce message: An image tag is required pattern: spec: 
@@ -31,10 +32,10 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce failurePolicy: Ignore \ No newline at end of file diff --git a/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml b/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml index d59f928dca..6fd58805c9 100644 --- a/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml +++ b/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml @@ -21,6 +21,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Enforce message: An image tag is required pattern: spec: @@ -33,10 +34,10 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce failurePolicy: Ignore \ No newline at end of file diff --git a/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml b/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml index 8404cb2216..aa3fa09772 100644 --- a/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml +++ b/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml @@ -20,6 +20,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Enforce message: An image tag is required pattern: spec: @@ -32,10 +33,10 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce failurePolicy: Ignore \ No newline at end of file 
diff --git a/test/conformance/chainsaw/webhooks/all-scale/policy.yaml b/test/conformance/chainsaw/webhooks/all-scale/policy.yaml index 292f5ba0b8..a749f0c98b 100644 --- a/test/conformance/chainsaw/webhooks/all-scale/policy.yaml +++ b/test/conformance/chainsaw/webhooks/all-scale/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - '*/scale' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml b/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml index ce9f80c1e3..7c61ceb47e 100644 --- a/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml +++ b/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - '*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml b/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml index 92d84826be..9519318229 100644 --- a/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml +++ b/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - '*/*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: 
diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml index 8e4bb6e996..7f5f8b8fc8 100644 --- a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml +++ b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -17,6 +16,7 @@ spec: operations: - CREATE validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml index 8e4bb6e996..7f5f8b8fc8 100644 --- a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml +++ b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -17,6 +16,7 @@ spec: operations: - CREATE validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml index 71dc17c05b..c442cf70c3 100644 --- a/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml +++ b/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team 
@@ -20,6 +19,7 @@ spec: operations: - DELETE validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: @@ -33,7 +33,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-match @@ -45,6 +44,7 @@ spec: operations: - CREATE validate: + validationFailureAction: Audit message: 'The label `match` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml index 8e4bb6e996..7f5f8b8fc8 100644 --- a/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml +++ b/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -17,6 +16,7 @@ spec: operations: - CREATE validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/only-pod/policy.yaml b/test/conformance/chainsaw/webhooks/only-pod/policy.yaml index 8349e314ec..6ff29ed068 100644 --- a/test/conformance/chainsaw/webhooks/only-pod/policy.yaml +++ b/test/conformance/chainsaw/webhooks/only-pod/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml b/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml index 2faf585890..5fc38af611 100644 --- a/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml 
+++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - Pod/* validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml b/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml index 80b7e1bfce..8e86a3f95f 100644 --- a/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml +++ b/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml @@ -18,4 +18,3 @@ spec: path: "/command/0" value: "bash" name: std-shell-replace - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml index 9028c9511c..635d737a10 100644 --- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - 'CustomResourceDefinition' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml index bec3ea8a72..1100d8fc21 100644 --- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml 
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - 'ConfigMap' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml index 1ec38d8f18..42efff1770 100644 --- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -16,6 +15,7 @@ spec: - 'ConfigMap' - 'CustomResourceDefinition' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml index c8ff72949e..6cb24c7968 100644 --- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team 
@@ -15,6 +14,7 @@ spec: kinds: - 'ConfigMap' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml index 78bebbcb69..9fcbad1a0d 100644 --- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - 'Secret' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml index c8ff72949e..6cb24c7968 100644 --- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - 'ConfigMap' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml index 7f8e054959..3a8073437f 100644 --- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml 
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - 'ConfigMap' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml index ce9f80c1e3..7c61ceb47e 100644 --- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - '*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml index d0975a89f4..2d58a03902 100644 --- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml +++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - '*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: 
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml index f7711bd6fe..150b643e56 100644 --- a/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml +++ b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - 'CustomResourceDefinition' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml index ca237157c6..d4cd9e81b1 100644 --- a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml +++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - 'Deployment' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml index bec3ea8a72..1100d8fc21 100644 --- a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml +++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team 
@@ -15,6 +14,7 @@ spec: kinds: - 'ConfigMap' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml index ce9f80c1e3..7c61ceb47e 100644 --- a/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml +++ b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - '*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/policy/policy.yaml b/test/conformance/chainsaw/webhooks/policy/policy.yaml index d0975a89f4..2d58a03902 100644 --- a/test/conformance/chainsaw/webhooks/policy/policy.yaml +++ b/test/conformance/chainsaw/webhooks/policy/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - '*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/scale/policy.yaml b/test/conformance/chainsaw/webhooks/scale/policy.yaml index bd4a502ad9..8ea3b6dd9a 100644 --- a/test/conformance/chainsaw/webhooks/scale/policy.yaml +++ b/test/conformance/chainsaw/webhooks/scale/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - Scale validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: 
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml index 5a6be03550..05f5aecfa4 100644 --- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml +++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: unknown spec: - validationFailureAction: Audit background: false rules: - name: unknown @@ -13,6 +12,7 @@ spec: kinds: - Foo validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml index 7d0cf31fc5..e658e6658a 100644 --- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml +++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: unknown spec: - validationFailureAction: Audit background: false rules: - name: unknown @@ -13,6 +12,7 @@ spec: kinds: - Foo/* validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml index 57d255ae5b..f3fa8dde6e 100644 --- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml +++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: unknown spec: - validationFailureAction: Audit background: false rules: - name: unknown @@ -13,6 +12,7 @@ spec: kinds: - v2/Pod validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml index f77bc622c6..28d8aa6dc2 100644 
--- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml +++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: unknown spec: - validationFailureAction: Audit background: false rules: - name: unknown @@ -13,6 +12,7 @@ spec: kinds: - Pod/foo validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
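Review bot: Every fixture on this page, including this one, now sets `validationFailureAction: Audit` explicitly under `validate:`, so as far as these hunks show no conformance test exercises a rule that omits the field. The omitted case decides whether a violation blocks admission (fail closed) or is only reported (fail open), so a regression in that default would pass this suite unnoticed. Consider adding one fixture, e.g. a copy of this policy with the `validationFailureAction: Audit` line under `validate:` removed, paired with a chainsaw assertion on whether a non-conforming resource is admitted. This is inferred from the visible fixtures only; other test directories not shown here may already cover the default.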