diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/README.md b/test/conformance/chainsaw/reports/background/exception-with-conditions/README.md
new file mode 100644
index 0000000000..da2b0334d7
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, a policy exception and a pod.
+It makes sure the generated background scan report contains a skipped result instead of a failed one.
+
+## Steps
+
+1. - Create a pod named `apps`
+2. - Create a cluster policy
+ - Assert the policy becomes ready
+3. - Create a policy exception for the cluster policy created above, configured to apply to pod named `apps`
+4. - Assert that a policy report exists with a skipped result
diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/chainsaw-test.yaml b/test/conformance/chainsaw/reports/background/exception-with-conditions/chainsaw-test.yaml
new file mode 100755
index 0000000000..ecfd0d3fdb
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/chainsaw-test.yaml
@@ -0,0 +1,31 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exception-with-conditions
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: deployment.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-05
+ try:
+ - assert:
+ file: report-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/deployment.yaml b/test/conformance/chainsaw/reports/background/exception-with-conditions/deployment.yaml
new file mode 100644
index 0000000000..8387bbddd0
--- /dev/null
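Review bot: The README that accompanies this test does not match the steps in chainsaw-test.yaml: it says a pod named `apps` is created in four steps, while step-01 applies and asserts ns.yaml, step-02 applies deployment.yaml, and the report is only asserted in step-05. Since the README is the only description of what the fixture checks, it should say that a Deployment named `new-deployment` carrying the label `env: dev` is created in namespace `dev-ns` and that the exception is conditional on that label. `creationTimestamp: null` under metadata looks like generator output and carries no meaning for the test; dropping it keeps the fixture in line with hand-written tests.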
+++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/deployment.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: new-deployment
+ namespace: dev-ns
+ labels:
+ env: dev
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: new-deployment
+ template:
+ metadata:
+ labels:
+ app: new-deployment
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/exception.yaml b/test/conformance/chainsaw/reports/background/exception-with-conditions/exception.yaml
new file mode 100644
index 0000000000..87cba12d24
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/exception.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: container-exception
+spec:
+ exceptions:
+ - policyName: check-deployment-replicas
+ ruleNames:
+ - check-deployment-replicas
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ namespaces:
+ - dev-ns
+ conditions:
+ any:
+ - key: "{{ request.object.metadata.labels.env || '' }}"
+ operator: Equals
+ value: dev
diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/ns.yaml b/test/conformance/chainsaw/reports/background/exception-with-conditions/ns.yaml
new file mode 100644
index 0000000000..0acae1acdc
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: dev-ns
diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/policy-assert.yaml b/test/conformance/chainsaw/reports/background/exception-with-conditions/policy-assert.yaml
new file mode 100644
index 0000000000..792d2a7e1f
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/policy-assert.yaml
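Review bot: The condition at the end of exception.yaml keys on `request.object.metadata.labels.env`, a label the Deployment author controls, so every Deployment in `dev-ns` that carries `env: dev` is exempted from the replica rule, not only the one this test creates. That is what the fixture intends (deployment.yaml sets `env: dev`), but nothing in the file says so; a comment above `conditions:` such as `# Exempt only Deployments labelled env=dev; deployment.yaml carries this label, so its report should show skip rather than fail` makes the coupling explicit. The `|| ''` fallback in the JMESPath key keeps the comparison from erroring when the label is absent, which is worth a word as well so nobody removes it as redundant.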
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-deployment-replicas
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml b/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml
new file mode 100644
index 0000000000..04610644da
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-deployment-replicas
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: check-deployment-replicas
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ validate:
+ message: "Deployment should have at most 1 replica"
+ deny:
+ conditions:
+ any:
+ - key: "{{request.object.spec.replicas}}"
+ operator: GreaterThan
+ value: "2"
diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/report-assert.yaml b/test/conformance/chainsaw/reports/background/exception-with-conditions/report-assert.yaml
new file mode 100644
index 0000000000..3a3597813b
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/report-assert.yaml
@@ -0,0 +1,27 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ namespace: dev-ns
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: new-deployment
+results:
+- policy: check-deployment-replicas
+ result: skip
+ rule: check-deployment-replicas
+ scored: true
+ source: kyverno
+scope:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: new-deployment
+ namespace: dev-ns
+summary:
+ error: 0
+ fail: 0
+ pass: 0
+ skip: 1
+ warn: 0
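Review bot: The validate message in policy.yaml disagrees with the deny condition: the rule denies when `{{request.object.spec.replicas}}` is `GreaterThan` `"2"`, i.e. it allows up to two replicas, yet the message reads `Deployment should have at most 1 replica`. Either change it to `message: "Deployment should have at most 2 replicas"` or lower the threshold to `value: "1"`; the test Deployment uses three replicas, so either choice keeps the expected fail-then-skip outcome. A Deployment that omits `spec.replicas` yields a null key here; presumably that is treated as not greater than 2, but the fixture does not exercise it and a short comment would say which behaviour is relied on.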
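Review bot: The result entry in report-assert.yaml does not assert which exception produced the skip, whereas the sibling fixture exception-with-podsecurity/report-assert.yaml asserts `properties: exception: pod-security-exception`. If Kyverno records the exception name for conditional exceptions the same way, adding `properties:` with `exception: container-exception` under the result would make the test prove the skip came from this exception rather than from another path. The file also indents the `ownerReferences` sequence but leaves the `results:` entries flush with the key; one sequence indentation style per file reads better.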
diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/README.md b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/README.md
new file mode 100644
index 0000000000..ee8ada605d
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, a policy exception and a pod.
+It makes sure the generated background scan report contains a skipped result instead of a failed one.
+
+## Steps
+
+1. - Create a pod named `nginx`
+2. - Create a cluster policy
+ - Assert the policy becomes ready
+3. - Create a policy exception for the cluster policy created above, configured to apply to pod named `nginx`
+4. - Assert that a policy report exists with a skipped result
diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/chainsaw-test.yaml b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/chainsaw-test.yaml
new file mode 100755
index 0000000000..f2843f833d
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/chainsaw-test.yaml
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exception-with-podsecurity
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: pod.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - assert:
+ file: report-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/exception.yaml b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/exception.yaml
new file mode 100644
index 0000000000..74a017020b
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/exception.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+spec:
+ exceptions:
+ - policyName: psa-1
+ ruleNames:
+ - restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ podSecurity:
+ - controlName: Capabilities
+ images:
+ - nginx*
+ - redis*
diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/pod.yaml b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/pod.yaml
new file mode 100644
index 0000000000..250a5da4d3
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/pod.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ namespace: default
+spec:
+ containers:
+ - name: container01
+ image: nginx:1.1.9
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ add:
+ - SYS_ADMIN
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy-assert.yaml b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy-assert.yaml
new file mode 100644
index 0000000000..d52b6efde4
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa-1
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml
new file mode 100644
index 0000000000..e2db6ec9b0
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml
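Review bot: The `images` list in exception.yaml exempts `redis*` although nothing in this test runs a redis image, so the exception is broader than the scenario it exercises. Dropping the unused entry, or narrowing `nginx*` to the image pod.yaml actually uses if the matcher compares against the literal image string, keeps the fixture minimal and makes it clear the Capabilities exemption is scoped to one image. A comment above `podSecurity:` noting that only the Capabilities control is exempted, so the other restricted-profile checks still apply to the pod, would also help readers of the expected skip result.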
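Review bot: pod.yaml adds `SYS_ADMIN` deliberately to violate the Capabilities control of the restricted profile, but the file does not say so, and a reader could take it as an oversight in an otherwise hardened securityContext. A comment above `capabilities:` such as `# SYS_ADMIN intentionally violates the restricted profile's Capabilities control; exception.yaml exempts it` records the intent. The pod is also placed in `default` rather than the chainsaw test namespace, and report-assert.yaml depends on that; a comment next to `namespace: default` keeps someone from "fixing" it.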
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa-1
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/report-assert.yaml b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/report-assert.yaml
new file mode 100644
index 0000000000..5090a26d19
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/report-assert.yaml
@@ -0,0 +1,26 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ namespace: default
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: nginx
+results:
+- policy: psa-1
+ properties:
+ exception: pod-security-exception
+ result: skip
+ rule: restricted
+ scored: true
+ source: kyverno
+scope:
+ apiVersion: v1
+ kind: Pod
+ name: nginx
+summary:
+ error: 0
+ fail: 0
+ pass: 0
+ skip: 1
+ warn: 0
\ No newline at end of file
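Review bot: `version: latest` in policy.yaml ties the fixture to whichever Pod Security Standards version the running Kyverno treats as latest, so the set of controls evaluated can change with a Kyverno upgrade without this test changing. For a conformance fixture, pinning `version:` to an explicit PSS version (placeholder: `version: <pinned-pss-version>`) keeps the expected report stable across releases. Separately, `spec` here orders `background` before `validationFailureAction` while the sibling exception-with-conditions/policy.yaml orders them the other way round; a consistent key order makes the two fixtures easier to compare.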
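Review bot: report-assert.yaml ends without a trailing newline (`\ No newline at end of file`), which linters flag and which produces a noisy diff on the next edit; add the final newline. Unlike the sibling exception-with-conditions/report-assert.yaml, the metadata here does not assert the `app.kubernetes.io/managed-by: kyverno` label, and the `results:` entries sit flush with the key while the `ownerReferences` entries are indented; aligning both with the sibling fixture keeps the two assertions comparable.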