mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-29 02:45:06 +00:00
Code Activity

feat: support wildcard in subjects statements (#8068)

Browse source 
* feat: support wildcard in subjects statements

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* kuttl tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* sa tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* more tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* more tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-08-21 02:46:42 +02:00 committed by GitHub
parent d7771cb835
commit ce4beb0e92
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
74 changed files with 765 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.github/workflows/conformance.yaml vendored
View file

@ -60,6 +60,7 @@ jobs:
- deferred
- events
- exceptions
- filter
- generate/clusterpolicy
- generate/policy
- generate/validation

7
pkg/utils/match/subjects.go
View file

@ -1,6 +1,7 @@
package match
import (
"github.com/kyverno/kyverno/pkg/utils/wildcard"
authenticationv1 "k8s.io/api/authentication/v1"
rbacv1 "k8s.io/api/rbac/v1"
)
@ -14,17 +15,17 @@ func CheckSubjects(
switch subject.Kind {
case rbacv1.ServiceAccountKind:
username := "system:serviceaccount:" + subject.Namespace + ":" + subject.Name
if userInfo.Username == username {
if wildcard.Match(username, userInfo.Username) {
return true
}
case rbacv1.GroupKind:
for _, group := range userInfo.Groups {
if group == subject.Name {
if wildcard.Match(subject.Name, group) {
return true
}
}
case rbacv1.UserKind:
if userInfo.Username == subject.Name {
if wildcard.Match(subject.Name, userInfo.Username) {
return true
}
}

6
test/conformance/kuttl/filter/exclude/sa/no-wildcard/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/exclude/sa/no-wildcard/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: true

12
test/conformance/kuttl/filter/exclude/sa/no-wildcard/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, excluding service account `system:serviceaccount:kyverno:kyverno`.
This policy denies pod creation.
## Expected Behavior
The pod should be denied (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/exclude/sa/no-wildcard/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

22
test/conformance/kuttl/filter/exclude/sa/no-wildcard/policy.yaml Normal file
View file

@ -0,0 +1,22 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- subjects:
- kind: ServiceAccount
name: kyverno
namespace: kyverno
validate:
deny: {}

10
test/conformance/kuttl/filter/exclude/sa/no-wildcard/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80

6
test/conformance/kuttl/filter/exclude/sa/wildcard/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/exclude/sa/wildcard/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: true

12
test/conformance/kuttl/filter/exclude/sa/wildcard/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, excluding service account `system:serviceaccount:?*:?*`.
This policy denies pod creation.
## Expected Behavior
The pod should be denied (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/exclude/sa/wildcard/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

22
test/conformance/kuttl/filter/exclude/sa/wildcard/policy.yaml Normal file
View file

@ -0,0 +1,22 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- subjects:
- kind: ServiceAccount
name: '?*'
namespace: '?*'
validate:
deny: {}

10
test/conformance/kuttl/filter/exclude/sa/wildcard/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80

6
test/conformance/kuttl/filter/exclude/user/no-wildcard/block/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/exclude/user/no-wildcard/block/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: true

12
test/conformance/kuttl/filter/exclude/user/no-wildcard/block/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, excluding users `not-kubernetes-admin`.
This policy denies pod creation.
## Expected Behavior
The pod should be denied (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/exclude/user/no-wildcard/block/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

21
test/conformance/kuttl/filter/exclude/user/no-wildcard/block/policy.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- subjects:
- kind: User
name: not-kubernetes-admin
validate:
deny: {}

10
test/conformance/kuttl/filter/exclude/user/no-wildcard/block/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80

6
test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: false

12
test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, excluding users `kubernetes-admin`.
This policy denies pod creation.
## Expected Behavior
The pod should be accepted (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

21
test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/policy.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- subjects:
- kind: User
name: kubernetes-admin
validate:
deny: {}

10
test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80

6
test/conformance/kuttl/filter/exclude/user/wildcard/block/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/exclude/user/wildcard/block/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: true

12
test/conformance/kuttl/filter/exclude/user/wildcard/block/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, excluding users with wildcard `not-?*`.
This policy denies pod creation.
## Expected Behavior
The pod should be denied (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/exclude/user/wildcard/block/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

21
test/conformance/kuttl/filter/exclude/user/wildcard/block/policy.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- subjects:
- kind: User
name: not-?*
validate:
deny: {}

10
test/conformance/kuttl/filter/exclude/user/wildcard/block/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80

6
test/conformance/kuttl/filter/exclude/user/wildcard/pass/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/exclude/user/wildcard/pass/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: false

12
test/conformance/kuttl/filter/exclude/user/wildcard/pass/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, excluding users with wildcard `?*`.
This policy denies pod creation.
## Expected Behavior
The pod should be accepted (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/exclude/user/wildcard/pass/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

21
test/conformance/kuttl/filter/exclude/user/wildcard/pass/policy.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- subjects:
- kind: User
name: '?*'
validate:
deny: {}

10
test/conformance/kuttl/filter/exclude/user/wildcard/pass/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80

6
test/conformance/kuttl/filter/match/sa/no-wildcard/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/match/sa/no-wildcard/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: false

12
test/conformance/kuttl/filter/match/sa/no-wildcard/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, matching service account `system:serviceaccount:kyverno:kyverno`.
This policy denies pod creation.
## Expected Behavior
The pod should be accepted (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/match/sa/no-wildcard/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

20
test/conformance/kuttl/filter/match/sa/no-wildcard/policy.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
subjects:
- kind: ServiceAccount
name: kyverno
namespace: kyverno
validate:
deny: {}

10
test/conformance/kuttl/filter/match/sa/no-wildcard/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80

6
test/conformance/kuttl/filter/match/sa/wildcard/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/match/sa/wildcard/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: false

12
test/conformance/kuttl/filter/match/sa/wildcard/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, matching service account `system:serviceaccount:?*:?*`.
This policy denies pod creation.
## Expected Behavior
The pod should be accepted (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/match/sa/wildcard/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

20
test/conformance/kuttl/filter/match/sa/wildcard/policy.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
subjects:
- kind: ServiceAccount
name: '?*'
namespace: '?*'
validate:
deny: {}

10
test/conformance/kuttl/filter/match/sa/wildcard/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80

6
test/conformance/kuttl/filter/match/user/no-wildcard/block/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/match/user/no-wildcard/block/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: true

12
test/conformance/kuttl/filter/match/user/no-wildcard/block/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, matching users `kubernetes-admin`.
This policy denies pod creation.
## Expected Behavior
The pod should be denied (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/match/user/no-wildcard/block/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

19
test/conformance/kuttl/filter/match/user/no-wildcard/block/policy.yaml Normal file
View file

@ -0,0 +1,19 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
subjects:
- kind: User
name: kubernetes-admin
validate:
deny: {}

10
test/conformance/kuttl/filter/match/user/no-wildcard/block/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80

6
test/conformance/kuttl/filter/match/user/no-wildcard/pass/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/match/user/no-wildcard/pass/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: false

12
test/conformance/kuttl/filter/match/user/no-wildcard/pass/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, matching users `not-kubernetes-admin`.
This policy denies pod creation.
## Expected Behavior
The pod should be accepted (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/match/user/no-wildcard/pass/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

19
test/conformance/kuttl/filter/match/user/no-wildcard/pass/policy.yaml Normal file
View file

@ -0,0 +1,19 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
subjects:
- kind: User
name: not-kubernetes-admin
validate:
deny: {}

10
test/conformance/kuttl/filter/match/user/no-wildcard/pass/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80

6
test/conformance/kuttl/filter/match/user/wildcard/block/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/match/user/wildcard/block/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: true

12
test/conformance/kuttl/filter/match/user/wildcard/block/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, matching users with wildcard `?*`.
This policy denies pod creation.
## Expected Behavior
The pod should be denied (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/match/user/wildcard/block/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

19
test/conformance/kuttl/filter/match/user/wildcard/block/policy.yaml Normal file
View file

@ -0,0 +1,19 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
subjects:
- kind: User
name: '?*'
validate:
deny: {}

10
test/conformance/kuttl/filter/match/user/wildcard/block/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80

6
test/conformance/kuttl/filter/match/user/wildcard/pass/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/filter/match/user/wildcard/pass/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: resource.yaml
shouldFail: false

12
test/conformance/kuttl/filter/match/user/wildcard/pass/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
This test creates a policy, matching users with wildcard `not-?*`.
This policy denies pod creation.
## Expected Behavior
The pod should be accepted (user is `kubernetes-admin`).
## Related issue(s)
- https://github.com/kyverno/kyverno/issues/7938

10
test/conformance/kuttl/filter/match/user/wildcard/pass/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

19
test/conformance/kuttl/filter/match/user/wildcard/pass/policy.yaml Normal file
View file

@ -0,0 +1,19 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: block-pod
spec:
validationFailureAction: Enforce
background: false
rules:
- name: block-pod
match:
any:
- resources:
kinds:
- Pod
subjects:
- kind: User
name: not-?*
validate:
deny: {}

10
test/conformance/kuttl/filter/match/user/wildcard/pass/resource.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: container
image: nginx:latest
ports:
- containerPort: 80