From cf2502e1ea6e4e5ce1958c6e1db6444c6bdeb46c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Thu, 13 Apr 2023 17:39:55 +0200 Subject: [PATCH] chore: add kuttl test for namespace exclusion (#6914) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: add kuttl test for namespace exclusion Signed-off-by: Charles-Edouard Brétéché * fix readme Signed-off-by: Charles-Edouard Brétéché * Update test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/README.md Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché --- .../exclude-namespace/01-policies.yaml | 6 ++++ .../exclude-namespace/02-resources.yaml | 4 +++ .../exclude/exclude-namespace/README.md | 11 +++++++ .../exclude-namespace/policies-assert.yaml | 9 ++++++ .../exclude/exclude-namespace/policies.yaml | 30 +++++++++++++++++++ .../exclude/exclude-namespace/resources.yaml | 5 ++++ .../wildcard/block-verifyimage/README.md | 1 + 7 files changed, 66 insertions(+) create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/01-policies.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/02-resources.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/README.md create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/policies-assert.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/resources.yaml 
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/01-policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/01-policies.yaml
new file mode 100644
index 0000000000..c52519accc
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/01-policies.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policies.yaml
+assert:
+- policies-assert.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/02-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/02-resources.yaml
new file mode 100644
index 0000000000..d6bc70b81d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/02-resources.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resources.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/README.md
new file mode 100644
index 0000000000..60c371ca2f
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test creates a policy to validate all resources have a `foo: bar` label.
+The policy matches on a wildcard but excludes a whole Namespace.
+The net result should be any Namespaced resource in the excluded Namespace should not be processed.
+It then creates a configmap in the default namespace that doesn't have the expected label.
+
+
+## Expected Behavior
+
+The configmap should be created successfully as it is excluded by the policy.
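Review bot: The only resource step, `02-resources.yaml`, exercises the allow path alone, so the test cannot tell "excluded by the policy" apart from "the rule never rejects anything". The earlier assert checks only that `require-label` reports Ready, so the test would still pass if wildcard matching regressed and the rule stopped applying to ConfigMaps. A further step should apply the same unlabeled ConfigMap to a namespace that is not excluded and fail the test if that request is accepted, for example a `TestStep` whose `commands` entry runs a `script` that exits non-zero when `kubectl apply` succeeds. With both steps in place, the namespace exclusion is the only difference between the accepted and the rejected request.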
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/policies-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/policies-assert.yaml
new file mode 100644
index 0000000000..7149accf8d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/policies-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-label
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml
new file mode 100644
index 0000000000..b339516f26
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-label
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: require-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - "*"
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - default
+ preconditions:
+ all:
+ - key: "{{ request.operation }}"
+ operator: NotEquals
+ value: DELETE
+ validate:
+ message: 'Test'
+ pattern:
+ metadata:
+ labels:
+ foo: bar
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/resources.yaml
new file mode 100644
index 0000000000..1746b5de27
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/exclude/exclude-namespace/resources.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-name
+ namespace: default
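Review bot: In `policies.yaml` the rule `require-label` combines `kinds: "*"` with `validationFailureAction: Enforce` and exempts only `default`. While the policy is installed, any create or update without `foo: bar` outside `default` is presumably rejected, including objects that other conformance tests or controllers write at the same time. If the suite runs tests in parallel this can surface as unrelated failures. Consider bounding the match to namespaces this test owns, e.g. `namespaces: [default, <test-namespace>]` (placeholder name) next to `kinds` under `match`, which keeps both the wildcard and the exclusion under test. The `preconditions` block would also benefit from a comment such as `# skip DELETE so cleanup of unlabeled resources is not blocked`, if that is its purpose.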
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/wildcard/block-verifyimage/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/wildcard/block-verifyimage/README.md
index 470b8c7f4d..5a825e7038 100644
--- a/test/conformance/kuttl/validate/clusterpolicy/standard/wildcard/block-verifyimage/README.md
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/wildcard/block-verifyimage/README.md
@@ -1,2 +1,3 @@
 ## Description
+
 Basic validate test to check that a verify-image policy cannot be created when the policy has wildcard(*) included in match any/all resource block.
\ No newline at end of file