update testrunner, unit test for validate_host_network_port

examples/best_practices/policy_validate_host_network_port.yaml

@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
   name: validate-host-network-port
 spec:
-  validationFailureAction: "audit"
   rules:
   - name: validate-host-network-port
     match:
@@ -15,8 +14,7 @@ spec:
       pattern:
         spec:
           hostNetwork: false
-          containers:          
-          - name: "*" # is name necessary??
+          containers:
+          - name: "*"
             ports:
-              hostPort: null
-
+            - hostPort: null

examples/best_practices/resources/resource_validate_host_netwok_port.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-host-network
+spec:
+  hostNetwork: false
+  containers:
+  - name: nginx-host-network
+    image: nginx
+    ports:
+    - containerPort: 80
+      hostPort: 80

pkg/engine/validation_test.go

@@ -1860,3 +1860,85 @@ func TestValidate_Fail_anyPattern(t *testing.T) {
 	}
 	assert.Assert(t, !er.IsSuccesful())
 }
+
+func TestValidate_host_network_port(t *testing.T) {
+	rawPolicy := []byte(`
+	{
+		"apiVersion": "kyverno.io/v1alpha1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+		   "name": "validate-host-network-port"
+		},
+		"spec": {
+		   "rules": [
+			  {
+				 "name": "validate-host-network-port",
+				 "match": {
+					"resources": {
+					   "kinds": [
+						  "Pod"
+					   ]
+					}
+				 },
+				 "validate": {
+					"message": "Host network and port are not allowed",
+					"pattern": {
+					   "spec": {
+						  "hostNetwork": false,
+						  "containers": [
+							 {
+								"name": "*",
+								"ports": [
+								   {
+									  "hostPort": null
+								   }
+								]
+							 }
+						  ]
+					   }
+					}
+				 }
+			  }
+		   ]
+		}
+	 }
+	 `)
+
+	rawResource := []byte(`
+	 {
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+		   "name": "nginx-host-network"
+		},
+		"spec": {
+		   "hostNetwork": false,
+		   "containers": [
+			  {
+				 "name": "nginx-host-network",
+				 "image": "nginx",
+				 "ports": [
+					{
+					   "containerPort": 80,
+					   "hostPort": 80
+					}
+				 ]
+			  }
+		   ]
+		}
+	 }
+	 `)
+
+	var policy kyverno.ClusterPolicy
+	json.Unmarshal(rawPolicy, &policy)
+
+	resourceUnstructured, err := ConvertToUnstructured(rawResource)
+	assert.NilError(t, err)
+	er := Validate(policy, *resourceUnstructured)
+	msgs := []string{"Validation rule 'validate-host-network-port' failed at '/spec/containers/0/ports/0/hostPort/' for resource Pod//nginx-host-network. Host network and port are not allowed"}
+
+	for index, r := range er.PolicyResponse.Rules {
+		assert.Equal(t, r.Message, msgs[index])
+	}
+	assert.Assert(t, !er.IsSuccesful())
+}

pkg/testrunner/testrunner_test.go

@@ -87,3 +87,7 @@ func Test_validate_default_namespace(t *testing.T) {
 func Test_validate_host_path(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_host_path.yaml")
 }
+
+func Test_validate_host_network_port(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_host_network_port.yaml")
+}

test/scenarios/test/scenario_validate_host_network_port.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: examples/best_practices/policy_validate_host_network_port.yaml
+  resource: examples/best_practices/resources/resource_validate_host_netwok_port.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-host-network-port
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: "nginx-host-network"
+      rules:
+        - name: validate-host-network-port
+          type: Validation
+          message: Validation rule 'validate-host-network-port' failed at '/spec/containers/0/ports/0/hostPort/' for resource Pod//nginx-host-network. Host network and port are not allowed
+          success: false