1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

chore: all chainsaw tests (#9011)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-11-24 11:17:58 +01:00 committed by GitHub
parent ccf020abab
commit d6933fff4f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2401 changed files with 40111 additions and 58 deletions

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,10 +1,13 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
file: policy-assert.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml

View file

@ -1,12 +1,13 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: event
spec:
timeouts: {}
try:
- assert:
file: background-event.yaml
- error:
file: admission-event.yaml
catch:
- events: {}

View file

@ -6,5 +6,5 @@ Then it creates a resource that violates the policy.
## Expected Behavior
The resource creates fine as the policy doesn't apply at admission time.
No admission ezvent is created.
No admission event is created.
One background event is created.

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: report
spec:
timeouts: {}
try:
- error:
file: admission-report.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: event
spec:
timeouts: {}
try:
- assert:
file: background-event.yaml

View file

@ -6,5 +6,5 @@ Then it creates a resource that violates the policy.
## Expected Behavior
The resource creates fine as the policy doesn't apply at admission time.
No admission ezvent is created.
No admission event is created.
One background event is created.

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: report
spec:
timeouts: {}
try:
- error:
file: admission-report.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,9 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml

View file

@ -8,5 +8,4 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: rbac.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: pod.yaml
- assert:
file: pod-assert.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: policy.yaml
- assert:
file: policy.yaml

View file

@ -10,5 +10,4 @@ spec:
- command:
args:
- "65"
check: null
entrypoint: sleep

View file

@ -8,5 +8,4 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: rbac.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: pod.yaml
- assert:
file: pod-assert.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: policy.yaml
- assert:
file: policy.yaml

View file

@ -10,5 +10,4 @@ spec:
- command:
args:
- "5"
check: null
entrypoint: sleep

View file

@ -8,5 +8,4 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: rbac.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: pod.yaml
- assert:
file: pod-assert.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: policy.yaml
- assert:
file: policy.yaml

View file

@ -10,5 +10,4 @@ spec:
- command:
args:
- "65"
check: null
entrypoint: sleep

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: policy.yaml
- assert:
file: policy.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: clusterpolicy.yaml
- assert:
file: clusterpolicy.yaml

View file

@ -1,10 +1,13 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: invalidpolicy
spec:
timeouts: {}
try:
- apply:
file: invalidpolicy.yaml
check:
(error == null): false
(error != null): true
file: invalidpolicy.yaml

View file

@ -1,18 +1,21 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: cleanuppolicy
spec:
timeouts: {}
try:
- apply:
check:
(error != null): true
file: cleanuppolicy-with-subjects.yaml
check:
(error == null): false
- apply:
check:
(error != null): true
file: cleanuppolicy-with-roles.yaml
check:
(error == null): false
- apply:
file: cleanuppolicy-with-clusterroles.yaml
check:
(error == null): false
(error != null): true
file: cleanuppolicy-with-clusterroles.yaml

View file

@ -1,14 +1,17 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: cleanup-policy
spec:
timeouts: {}
try:
- apply:
check:
(error != null): true
file: cleanuppolicy-with-image-registry.yaml
check:
(error == null): false
- apply:
file: cleanuppolicy-with-configmap.yaml
check:
(error == null): false
(error != null): true
file: cleanuppolicy-with-configmap.yaml

View file

@ -0,0 +1,38 @@
apiVersion: v1
kind: Namespace
metadata:
name: test-custom-sigstore
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: basic-sigstore-test-policy
spec:
validationFailureAction: Enforce
background: false
webhookTimeoutSeconds: 30
failurePolicy: Fail
rules:
- name: keyed-basic-rule
match:
any:
- resources:
kinds:
- Pod
context:
- name: tufvalues
configMap:
name: tufvalues
namespace: kyverno
verifyImages:
- imageReferences:
- "ttl.sh/*"
attestors:
- count: 1
entries:
- keyless:
issuer: "https://kubernetes.default.svc.cluster.local"
subject: "*"
rekor:
url: "{{ tufvalues.data.REKOR_URL }}"
required: true

View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: basic-sigstore-test-policy
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

View file

@ -0,0 +1,17 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: goodpod
spec:
timeouts: {}
try:
- command:
args:
- -n
- test-custom-sigstore
- run
- test-sigstore
- --image=$TEST_IMAGE_URL
entrypoint: kubectl

View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: test-sigstore
namespace: test-custom-sigstore

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: manifests.yaml
- assert:
file: policy-assert.yaml

View file

@ -1,10 +1,13 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: testcase
spec:
timeouts: {}
try:
- apply:
file: deploy.yaml
check:
(error == null): false
(error != null): true
file: deploy.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: manifests.yaml
- assert:
file: policy-assert.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: cm.yaml
- assert:
file: cm-assert.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: policy.yaml
- assert:
file: policy-assert.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: resource.yaml
- assert:
file: resource-assert.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: policy.yaml
- assert:
file: policy-assert.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: resource.yaml
- assert:
file: resource-assert.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: policy.yaml
- assert:
file: policy-assert.yaml

View file

@ -8,7 +8,6 @@ spec:
timeouts: {}
try:
- apply:
check: null
file: resource.yaml
- assert:
file: resource-assert.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: crd
spec:
timeouts: {}
try:
- apply:
file: crd.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml

View file

@ -0,0 +1,13 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: sleep
spec:
timeouts: {}
try:
- command:
args:
- "3"
entrypoint: sleep

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: event
spec:
timeouts: {}
try:
- assert:
file: event.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml

View file

@ -0,0 +1,13 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: sleep
spec:
timeouts: {}
try:
- command:
args:
- "3"
entrypoint: sleep

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: event
spec:
timeouts: {}
try:
- assert:
file: policy-event.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: event
spec:
timeouts: {}
try:
- assert:
file: event-assert.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: event
spec:
timeouts: {}
try:
- error:
file: event.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: event
spec:
timeouts: {}
try:
- assert:
file: event-assert.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,10 +1,13 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml
check:
(error == null): false
(error != null): true
file: resource.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: event
spec:
timeouts: {}
try:
- assert:
file: event-assert.yaml

View file

@ -0,0 +1,13 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: admission-controller-apply
spec:
timeouts: {}
try:
- apply:
file: admission-controller.yaml
- assert:
file: admission-controller-assert.yaml

View file

@ -0,0 +1,13 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml

View file

@ -0,0 +1,15 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: resource
spec:
timeouts: {}
try:
- apply:
file: resource.yaml
- apply:
check:
(error != null): true
file: resource-fail.yaml

View file

@ -0,0 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: event
spec:
timeouts: {}
try:
- apply:
file: event-assert.yaml

View file

@ -0,0 +1,14 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: script
spec:
timeouts: {}
try:
- script:
content: "if kubectl logs deployment/kyverno-admission-controller -n kyverno
| grep \"reason=\\\"PolicyViolation\\\"\" \nthen \n echo \"Test succeeded.
PolicyViolation event was not created.\"\n exit 0\nelse \n echo \"Tested
failed. PolicyViolation event should have been created.\"\n exit 1\nfi\n"

View file

@ -0,0 +1,18 @@
## Description
This test updates the deployment with flag `--omit-events=PolicyApplied` set
Then it creates a policy, and a resource.
The resource is expected to be accepted.
A `PolicyApplied` event should be created.
Then it creates a respource that is expected to be rejected
A `PolicyViolation` event should not be emitted as the flag does not include that.
## Steps
1. Update the deployment of admission controller to add this ar`--omit-events=PolicyApplied`.
2. - Create a policy
- Assert the policy becomes ready
3. - Create a resource,
4. - Asset a `PolicyApplied` event is created
5. Try creating a resource with a script that is expected to fail.
6. Exit the script with `0` if it returns an error

View file

@ -0,0 +1,8 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kyverno-admission-controller
namespace: kyverno
status:
readyReplicas: 1
updatedReplicas: 1

View file

@ -0,0 +1,170 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kyverno-admission-controller
namespace: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
spec:
replicas:
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 40%
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
template:
metadata:
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
spec:
dnsPolicy: ClusterFirst
serviceAccountName: kyverno-admission-controller
initContainers:
- name: kyverno-pre
image: "ghcr.io/kyverno/kyvernopre:latest"
imagePullPolicy: IfNotPresent
args:
- --loggingFormat=text
- --v=2
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
env:
- name: METRICS_CONFIG
value: kyverno-metrics
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_DEPLOYMENT
value: kyverno
containers:
- name: kyverno
image: "ghcr.io/kyverno/kyverno:latest"
imagePullPolicy: IfNotPresent
args:
- --omit-events=PolicyViolation
- --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
- --servicePort=443
- --loggingFormat=text
- --v=2
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --admissionReports=true
- --autoUpdateWebhooks=true
- --enableConfigMapCaching=true
- --dumpPayload=false
- --forceFailurePolicyIgnore=false
- --enablePolicyException=false
- --exceptionNamespace=
- --protectManagedResources=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
resources:
limits:
memory: 384Mi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics-port
protocol: TCP
env:
- name: INIT_CONFIG
value: kyverno
- name: METRICS_CONFIG
value: kyverno-metrics
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
- name: KYVERNO_SVC
value: kyverno-svc
- name: TUF_ROOT
value: /.sigstore
- name: KYVERNO_DEPLOYMENT
value: kyverno-admission-controller
startupProbe:
failureThreshold: 20
httpGet:
path: /health/liveness
port: 9443
scheme: HTTPS
initialDelaySeconds: 2
periodSeconds: 6
livenessProbe:
failureThreshold: 2
httpGet:
path: /health/liveness
port: 9443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
failureThreshold: 6
httpGet:
path: /health/readiness
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- mountPath: /.sigstore
name: sigstore
volumes:
- name: sigstore
emptyDir: {}

View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Event
metadata: {}
involvedObject:
apiVersion: kyverno.io/v1
kind: Policy
name: require-labels
type: Normal
reason: PolicyApplied
source:
component: kyverno-admission

View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: require-labels
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

View file

@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: require-labels
spec:
validationFailureAction: Enforce
background: false
rules:
- name: require-team
match:
any:
- resources:
kinds:
- ConfigMap
validate:
message: 'The label `team` is required.'
pattern:
metadata:
labels:
team: '?*'

View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: bar
labels:
foo: bar

View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: foo
labels:
team: kyverno

View file

@ -1,10 +1,13 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml
- assert:
file: policy.yaml
file: policy-assert.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: webhooks
spec:
timeouts: {}
try:
- assert:
file: webhooks-assert.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: validatingadmissionpolicy
spec:
timeouts: {}
try:
- assert:
file: validatingadmissionpolicy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: validatingadmissionpolicy
spec:
timeouts: {}
try:
- assert:
file: validatingadmissionpolicy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: policy
spec:
timeouts: {}
try:
- apply:
file: policy.yaml

View file

@ -1,8 +1,11 @@
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
creationTimestamp: null
name: validatingadmissionpolicy
spec:
timeouts: {}
try:
- assert:
file: validatingadmissionpolicy.yaml

Some files were not shown because too many files have changed in this diff Show more