From d0fd3e69ef3da8d584f16119c482376f8c20c1df Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Mon, 9 Sep 2019 16:08:15 -0700
Subject: [PATCH] update testrunner, unit test for validate_host_network_port
---
.../policy_validate_host_network_port.yaml | 8 +-
.../resource_validate_host_netwok_port.yaml | 12 +++
pkg/engine/validation_test.go | 82 +++++++++++++++++++
pkg/testrunner/testrunner_test.go | 4 +
.../scenario_validate_host_network_port.yaml | 18 ++++
5 files changed, 119 insertions(+), 5 deletions(-)
create mode 100644 examples/best_practices/resources/resource_validate_host_netwok_port.yaml
create mode 100644 test/scenarios/test/scenario_validate_host_network_port.yaml
diff --git a/examples/best_practices/policy_validate_host_network_port.yaml b/examples/best_practices/policy_validate_host_network_port.yaml
index 1dceac33dc..ae71bc56a5 100644
--- a/examples/best_practices/policy_validate_host_network_port.yaml
+++ b/examples/best_practices/policy_validate_host_network_port.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: validate-host-network-port
 spec:
- validationFailureAction: "audit"
 rules:
 - name: validate-host-network-port
 match:
@@ -15,8 +14,7 @@ spec:
 pattern:
 spec:
 hostNetwork: false
- containers:
- - name: "*" # is name necessary??
+ containers:
+ - name: "*"
 ports:
- hostPort: null
-
+ - hostPort: null
diff --git a/examples/best_practices/resources/resource_validate_host_netwok_port.yaml b/examples/best_practices/resources/resource_validate_host_netwok_port.yaml
new file mode 100644
index 0000000000..c1a4ef412a
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_host_netwok_port.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-network
+spec:
+ hostNetwork: false
+ containers:
+ - name: nginx-host-network
+ image: nginx
+ ports:
+ - containerPort: 80
+ hostPort: 80
\ No newline at end of file
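Review bot: The new resource file is named `resource_validate_host_netwok_port.yaml` ("netwok" drops the r) while the policy it pairs with is `policy_validate_host_network_port.yaml`; the scenario file added later in this patch references the same misspelled path, so both the `create mode` file and the scenario's `resource:` line need the rename to `resource_validate_host_network_port.yaml` to keep the example set consistent. The policy hunk above also removes `validationFailureAction: "audit"` without saying what enforcement mode the example now expects; a one-line comment next to `spec:` such as `# validationFailureAction intentionally omitted - engine default applies` would make that intent explicit for anyone copying the example.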
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index b86dc81e6b..79a3637ea5 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -1860,3 +1860,85 @@ func TestValidate_Fail_anyPattern(t *testing.T) {
 }
 assert.Assert(t, !er.IsSuccesful())
 }
+
+func TestValidate_host_network_port(t *testing.T) {
+ rawPolicy := []byte(`
+ {
+ "apiVersion": "kyverno.io/v1alpha1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "validate-host-network-port"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "validate-host-network-port",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "message": "Host network and port are not allowed",
+ "pattern": {
+ "spec": {
+ "hostNetwork": false,
+ "containers": [
+ {
+ "name": "*",
+ "ports": [
+ {
+ "hostPort": null
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `)
+
+ rawResource := []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "nginx-host-network"
+ },
+ "spec": {
+ "hostNetwork": false,
+ "containers": [
+ {
+ "name": "nginx-host-network",
+ "image": "nginx",
+ "ports": [
+ {
+ "containerPort": 80,
+ "hostPort": 80
+ }
+ ]
+ }
+ ]
+ }
+ }
+ `)
+
+ var policy kyverno.ClusterPolicy
+ json.Unmarshal(rawPolicy, &policy)
+
+ resourceUnstructured, err := ConvertToUnstructured(rawResource)
+ assert.NilError(t, err)
+ er := Validate(policy, *resourceUnstructured)
+ msgs := []string{"Validation rule 'validate-host-network-port' failed at '/spec/containers/0/ports/0/hostPort/' for resource Pod//nginx-host-network. Host network and port are not allowed"}
+
+ for index, r := range er.PolicyResponse.Rules {
+ assert.Equal(t, r.Message, msgs[index])
+ }
+ assert.Assert(t, !er.IsSuccesful())
+}
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index c0f75a170b..17a42f94b3 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
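Review bot: The error from `json.Unmarshal(rawPolicy, &policy)` in TestValidate_host_network_port is discarded, so a typo in the inline policy JSON would leave `policy` at its zero value and the test would then fail or pass for a reason unrelated to hostPort validation; check it the same way the resource conversion is checked, `assert.NilError(t, json.Unmarshal(rawPolicy, &policy))`. The loop over `er.PolicyResponse.Rules` also indexes `msgs[index]` without comparing lengths, so an unexpected extra rule response panics instead of failing cleanly and an empty response asserts nothing about the message; adding `assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))` before the loop pins both cases. Since the test exercises a deny-by-pattern rule, a companion case with no `hostPort` that asserts `er.IsSuccesful()` would show the rule is not failing every Pod, though that is beyond what this hunk sets out to cover.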
@@ -87,3 +87,7 @@ func Test_validate_default_namespace(t *testing.T) {
 func Test_validate_host_path(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_host_path.yaml")
 }
+
+func Test_validate_host_network_port(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_host_network_port.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_host_network_port.yaml b/test/scenarios/test/scenario_validate_host_network_port.yaml
new file mode 100644
index 0000000000..da6ec8c9be
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_host_network_port.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_host_network_port.yaml
+ resource: examples/best_practices/resources/resource_validate_host_netwok_port.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-host-network-port
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: "nginx-host-network"
+ rules:
+ - name: validate-host-network-port
+ type: Validation
+ message: Validation rule 'validate-host-network-port' failed at '/spec/containers/0/ports/0/hostPort/' for resource Pod//nginx-host-network. Host network and port are not allowed
+ success: false
\ No newline at end of file